Percona server for mongodb: docker image with auditing included

I am trying to enable audit logs on my psmdb instance but I do not see audit logs being created.
I came across a readme, which mentions - “By default, when building Percona Server for MongoDB from source, audit functionality is neither compiled with, nor linked into, the final binary executable. To enable auditing, execute SCons with the --audit argument:”

I am using an official docker image ‘percona/percona-server-mongodb:4.4’ and have followed Running Percona Server for MongoDB in a Docker Container for setting up my server.

Need help to find a relavant docker image which includes audit functionality.

Thanks,
Anu

@Anu_Madan according to Auditing

To enable audit logging, specify where to send audit events using the --auditDestination option on the command line or the auditLog.destination variable in the configuration file.

So if you want to pass params for mongod on upstart you should run docker in the following way:
docker run --name my-container-name -d percona/percona-server-mongodb --option1=value --option2=value

So please replace option1 and so on with needed params

Thanks Evgeniy.

Hi Anu. As well as the auditLog.destination config file option you will probably be interested in setting the auditLog.filter option as well. I don’t mean there is a connection to mongodb being in docker, this is just a point about using MongoDB auditing in general. What audit events you do and don’t want to include in the audit log is up to you.

Thanks Evgeniy and Akira.
I have defined all parameters as you have mentioned. I am using config file. Here is an excerpt from my mongod.conf:

auditLog:
  destination: file
  format: JSON
  path: /var/auditLog.json
setParameter: { auditAuthorizationSuccess: true }

I have not applied any filters to make sure at least some audit logs are generated. The operations tried were, create db, create collection, insert records, drop collection, drop db etc. but no audit logs were generated.

The docker was run in the following way:

docker run -d --name psmdb --restart always -v C:/IDX/percona/mongodb.conf:/etc/mongod.conf -v C:/IDX/percona/logs/audit.json:/var/audit.json --net eauthlocalnw percona/percona-server-mongodb:4.4 --config /etc/mongod.conf

Is there a specific parameter to be sent in the run command to enable audit?
What else am I missing?

Thanks,
Anu

Hi Anu.

Is there a specific parameter to be sent in the run command to enable audit

Assuming there isn’t some YAML syntax error and the mongod was able to restart with that config the audit log should be working now.

I don’t recall the default audit filter’s exact value, but it is fairly broad. Creating and dropping a dummy collection as you tried should make them appear.

On a different topic: Unless you have a small database with very low traffic using auditAuthorizationSuccess: true is an overly expensive performance hit. Writing an event to the audit log file is much, much slower than reading or updating a documents in the collections. On the order of 100 times slower. Save auditing for the purpose of catching DBA operations, not for logging access to collections by a user who was already granted access to those collections.

There is surely no YAML syntax error and mongod is started successfully. The file at /etc/mongod.conf correctly contains the auditLog configuration and I am able to do database operations successfully.
But, Audit log file stays empty. No logs are generated.

One of the documents mention: " By default, operations with successful authorization are not logged, so for this filter to work, enable auditAuthorizationSuccess parameter". Hence I tried setting that to true but that also did not help.
Currently, my objective is to get the audit log working irrespective of the performance.

Any more ideas will help.

Thanks,
Anu

I see.

Well, maybe I’m mistaken about the filter being a match on all events (except authorizationSuccess: true sub-category) by default.

Here’s a explicit one to try:

    auditLog:
        destination: file
        path: /some/file/path
        filter: '{atype: {$in: [
         "authenticate", "authCheck",
         "renameCollection", "dropCollection", "dropDatabase",
         "createUser", "dropUser", "dropAllUsersFromDatabase", "updateuser",
         "grantRolesToUser", "revokeRolesFromUser", "createRole", "updateRole",
         "dropRole", "dropAllRolesFromDatabase", "grantRolesToRole", "revokeRolesFromRole",
         "grantPrivilegesToRole", "revokePrivilegesFromRole",
         "replSetReconfig",
         "enableSharding", "shardCollection", "addShard", "removeShard",
         "shutdown",
         "applicationMessage"
      ]}}'

The multiline-filter string within the single-quote escaped string is valid, but if you are worried it might get mangled it is fine to delete the line breaks.

Tried the suggested changes. Please see the snapshot.

restarted the container for this to take effect and again performed the db operations - create db, collection, insert records, drop collection etc.
No audit logs generated. audit.json is still a blank file.

-rwxrwxrwx 1 root root 0 Jan 29 09:16 audit.json

Thanks,
Anu

@Anu_Madan once you edit config file insede container - you want get your changes after the restart of container.
You should put config file on your host system, modify it, and mount during docker run command.

Thanks Evgeniy. The following entries in my mongod.config are causing some issue.

processManagement:
fork: false
pidFilePath: /var/run/mongod.pid

I debugged with removing each line from the config file one by one and zeroed on to this. Without these, I got a few logs in the auditlog file.

Thank you very much for your help.

-Anu