Percona mongodb audit plugins not showing fulldocument section in the log output

, ,
1

Recently we are working on percona community mongodb audit plugins where we encounter with incomplete log output where fulldocument after binary was not populated. For detail I am attaching the snippet.

We are not able to find the exact date change statement in the log output.

{ “atype” : “authCheck”, “ts” : { “$date” : “2024-04-15T14:57:48.642+05:30” }, “local” : { “ip” : “172.10.11.161”, “port” : 27077 }, “remote” : { “ip” : “127.0.0.1”, “port” : 57534 }, “users” : [ { “user” : “superuser”, “db” : “admin” } ], “roles” : [ { “role” : “root”, “db” : “admin” } ], “param” : { “command” : “insert”, “ns” : “dba.mycollection”, “args” : { “insert” : “mycollection”, “ordered” : true, “lsid” : { “id” : { “$binary” : “1DmJ3qt7R1S+FEfKgtZ5aA==”, “$type” : “04” } }, “$db” : “dba” } }, “result” : 0 } —missing data change statement after $binary

{ “atype” : “authCheck”, “ts” : { “$date” : “2024-04-15T15:00:49.748+05:30” }, “local” : { “ip” : “172.10.11.161”, “port” : 27077 }, “remote” : { “ip” : “127.0.0.1”, “port” : 58574 }, “users” : [ { “user” : “superuser”, “db” : “admin” } ], “roles” : [ { “role” : “root”, “db” : “admin” } ], “param” : { “command” : “insert”, “ns” : “dba.mycollection”, “args” : { “insert” : “mycollection”, “ordered” : true, “lsid” : { “id” : { “$binary” : “Lnqx0UA0Q7u4OZ42BXVRNA==”, “$type” : “04” } }, “$db” : “dba” } }, “result” : 0 }

{ “atype” : “authCheck”, “ts” : { “$date” : “2024-04-15T15:16:52.046+05:30” }, “local” : { “ip” : “172.10.11.161”, “port” : 27077 }, “remote” : { “ip” : “127.0.0.1”, “port” : 63732 }, “users” : [ { “user” : “superuser”, “db” : “admin” } ], “roles” : [ { “role” : “root”, “db” : “admin” } ], “param” : { “command” : “find”, “ns” : “dba.mycollection”, “args” : { “find” : “mycollection”, “filter” : {}, “lsid” : { “id” : { “$binary” : “4njOBq+ORm+dX9PLdBpIRg==”, “$type” : “04” } }, “$db” : “dba” } }, “result” : 0 }

2

@Mukesh_Prasad

I can see the below matching pattern but after that, the change/DML push captured in the logs.

{ "atype" : "authCheck", "ts" : { "$date" : "2024-11-17T09:46:58.690+00:00" }, "local" : { "ip" : "172.31.8.2", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38638 }, "users" : [], "roles" : [], "param" : { "command" : "aggregate", "ns" : "admin", "args" : { "aggregate" : "atlascli", "pipeline" : [ { "$match" : { "managedClusterType" : "atlasCliLocalDevCluster" } }, { "$group" : { "_id" : 1, "n" : { "$sum" : 1 } } } ], "cursor" : {}, "lsid" : { "id" : { "$binary" : "BfHNx2b9SRKHS0Q9rnnkfw==", "$type" : "04" } }, "$db" : "admin" } }, "result" : 13 }
{ "atype" : "authCheck", "ts" : { "$date" : "2024-11-17T09:46:58.693+00:00" }, "local" : { "ip" : "172.31.8.2", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38648 }, "users" : [], "roles" : [], "param" : { "command" : "getParameter", "ns" : "admin", "args" : { "getParameter" : 1, "featureCompatibilityVersion" : 1, "lsid" : { "id" : { "$binary" : "BAxbHtLNRR6V5KbREqcVNw==", "$type" : "04" } }, "$db" : "admin" } }, "result" : 13 }
{ "atype" : "authCheck", "ts" : { "$date" : "2024-11-17T09:46:58.743+00:00" }, "local" : { "ip" : "172.31.8.2", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38648 }, "users" : [], "roles" : [], "param" : { "command" : "getLog", "ns" : "admin", "args" : { "getLog" : "startupWarnings", "lsid" : { "id" : { "$binary" : "BAxbHtLNRR6V5KbREqcVNw==", "$type" : "04" } }, "$db" : "admin" } }, "result" : 13 }

Changes:

, "port" : 50550 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 }
{ "atype" : "createDatabase", "ts" : { "$date" : "2024-11-17T09:47:21.866+00:00" }, "local" : { "ip" : "172.31.8.2", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38652 }, "users" : [ { "user" : "dba", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" } ], "param" : { "ns" : "test" }, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2024-11-17T09:47:21.866+00:00" }, "local" : { "ip" : "172.31.8.2", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38652 }, "users" : [ { "user" : "dba", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" } ], "param" : { "ns" : "test.test1" }, "result" : 0 }

...

{ "atype" : "createIndex", "ts" : { "$date" : "2024-11-17T09:47:22.256+00:00" }, "local" : { "ip" : "172.31.8.2", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38652 }, "users" : [ { "user" : "dba", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" } ], "param" : { "ns" : "test.test1", "indexName" : "_id_", "indexSpec" : { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_" }, "indexBuildState" : "IndexBuildStarted" }, "result" : 0 }
{ "atype" : "createIndex", "ts" : { "$date" : "2024-11-17T09:47:22.280+00:00" }, "local" : { "ip" : "172.31.8.2", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38652 }, "users" : [ { "user" : "dba", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" } ], "param" : { "ns" : "test.test1", "indexName" : "_id_", "indexSpec" : { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_" }, "indexBuildState" : "IndexBuildSucceeded" }, "result" : 0 }

Could you please confirm the exact statement you are looking for ? Are you by any chance using any filters (“filter:”) in the audit logs ?

Please share the exact audit log configuration from the section auditLog: in the mongod.conf file ?