I am trying to enable audit logs on my psmdb instance but I do not see audit logs being created.
I came across a readme, which mentions - “By default, when building Percona Server for MongoDB from source, audit functionality is neither compiled with, nor linked into, the final binary executable. To enable auditing, execute SCons with the --audit argument:”
I am using an official docker image ‘percona/percona-server-mongodb:4.4’ and have followed Running Percona Server for MongoDB in a Docker Container — Percona Server for MongoDB 5.0 Documentation for setting up my server.
Need help to find a relevant docker image which includes audit functionality.
Thanks,
Anu
2 Likes
@Anu_Madan according to Auditing - Percona Server for MongoDB 4.4
To enable audit logging, specify where to send audit events using the --auditDestination option on the command line or the auditLog.destination variable in the configuration file.
So if you want to pass params for mongod on upstart you should run docker in the following way:
docker run --name my-container-name -d percona/percona-server-mongodb --option1=value --option2=value
So please replace option1 and so on with needed params
1 Like
Thanks Evgeniy.
Hi Anu. As well as the auditLog.destination config file option you will probably be interested in setting the auditLog.filter option as well. I don’t mean there is a connection to mongodb being in docker, this is just a point about using MongoDB auditing in general. What audit events you do and don’t want to include in the audit log is up to you.
1 Like
Thanks Evgeniy and Akira.
I have defined all parameters as you have mentioned. I am using config file. Here is an excerpt from my mongod.conf:
auditLog:
  destination: file
  format: JSON
  path: /var/auditLog.json
setParameter: { auditAuthorizationSuccess: true }
I have not applied any filters to make sure at least some audit logs are generated. The operations tried were, create db, create collection, insert records, drop collection, drop db etc. but no audit logs were generated.
The docker was run in the following way:
docker run -d --name psmdb --restart always -v C:/IDX/percona/mongodb.conf:/etc/mongod.conf -v C:/IDX/percona/logs/audit.json:/var/audit.json --net eauthlocalnw percona/percona-server-mongodb:4.4 --config /etc/mongod.conf
Is there a specific parameter to be sent in the run command to enable audit?
What else am I missing?
Thanks,
Anu
1 Like
Hi Anu.
Is there a specific parameter to be sent in the run command to enable audit
Assuming there isn’t some YAML syntax error and the mongod was able to restart with that config the audit log should be working now.
I don’t recall the default audit filter’s exact value, but it is fairly broad. Creating and dropping a dummy collection as you tried should make them appear.
On a different topic: Unless you have a small database with very low traffic, using auditAuthorizationSuccess: true is an overly expensive performance hit. Writing an event to the audit log file is much, much slower than reading or updating documents in the collections. On the order of 100 times slower. Save auditing for the purpose of catching DBA operations, not for logging access to collections by a user who was already granted access to those collections.
1 Like
There is surely no YAML syntax error and mongod is started successfully. The file at /etc/mongod.conf correctly contains the auditLog configuration and I am able to do database operations successfully.
But the audit log file stays empty. No logs are generated.
One of the documents mentions: "By default, operations with successful authorization are not logged, so for this filter to work, enable auditAuthorizationSuccess parameter". Hence I tried setting that to true but that also did not help.
Currently, my objective is to get the audit log working irrespective of the performance.
Any more ideas will help.
Thanks,
Anu
1 Like
I see.
Well, maybe I’m mistaken about the filter being a match on all events (except authorizationSuccess: true sub-category) by default.
Here’s an explicit one to try:
auditLog:
  destination: file
  path: /some/file/path
  filter: '{atype: {$in: [
      "authenticate", "authCheck",
      "renameCollection", "dropCollection", "dropDatabase",
      "createUser", "dropUser", "dropAllUsersFromDatabase", "updateUser",
      "grantRolesToUser", "revokeRolesFromUser", "createRole", "updateRole",
      "dropRole", "dropAllRolesFromDatabase", "grantRolesToRole", "revokeRolesFromRole",
      "grantPrivilegesToRole", "revokePrivilegesFromRole",
      "replSetReconfig",
      "enableSharding", "shardCollection", "addShard", "removeShard",
      "shutdown",
      "applicationMessage"
    ]}}'
The multiline-filter string within the single-quote escaped string is valid, but if you are worried it might get mangled it is fine to delete the line breaks.
1 Like
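An added example, not part of the thread and not Percona's code: a Python sketch that applies the atype list from the filter above to audit events offline, to show which of the test operations mentioned in the thread that filter would record, and to flag non-zero results such as a failed login. The sample events are constructed and trimmed to the fields used; the field names (atype, users, param, result) and result code 18 for a failed authentication are assumed from the JSON audit format.

```python
import json
from collections import Counter

# atype values from the explicit filter in the post above (names are case-sensitive).
FILTER_ATYPES = {
    "authenticate", "authCheck", "renameCollection", "dropCollection",
    "dropDatabase", "createUser", "dropUser", "dropAllUsersFromDatabase",
    "updateUser", "grantRolesToUser", "revokeRolesFromUser", "createRole",
    "updateRole", "dropRole", "dropAllRolesFromDatabase", "grantRolesToRole",
    "revokeRolesFromRole", "grantPrivilegesToRole", "revokePrivilegesFromRole",
    "replSetReconfig", "enableSharding", "shardCollection", "addShard",
    "removeShard", "shutdown", "applicationMessage",
}

# Constructed sample events, one JSON document per line; the last line is cut
# short on purpose to mimic a partially written entry.
SAMPLE_LOG = """\
{"atype":"createCollection","users":[{"user":"dba","db":"admin"}],"param":{"ns":"test.dummy"},"result":0}
{"atype":"dropCollection","users":[{"user":"dba","db":"admin"}],"param":{"ns":"test.dummy"},"result":0}
{"atype":"authenticate","users":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"createUser","users":[{"user":"dba","db":"admin"}],"param":{"user":"app","db":"test"},"result":0}
{"atype":"dropDatabase","users":[{"us
"""

def triage(log_text, allowed=FILTER_ATYPES):
    """Return (kept, dropped, failures, malformed) for a JSON-lines audit log."""
    kept, dropped, failures, malformed = Counter(), Counter(), [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1          # truncated or corrupt line: count it, keep going
            continue
        atype = event.get("atype")
        if atype not in allowed:
            dropped[atype] += 1     # the filter would never write this event
            continue
        kept[atype] += 1
        if event.get("result", 0) != 0:
            who = event.get("param", {}).get("user", "?")
            failures.append((atype, who, event["result"]))
    return kept, dropped, failures, malformed

if __name__ == "__main__":
    kept, dropped, failures, malformed = triage(SAMPLE_LOG)
    print("kept:", dict(kept), "dropped:", dict(dropped))
    print("non-zero results:", failures, "malformed lines:", malformed)
```

With this filter a createCollection event is not recorded, so a test that only creates collections leaves the file empty even when auditing works; dropping the collection or database does produce entries.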
Tried the suggested changes. Please see the snapshot.
Restarted the container for this to take effect and again performed the db operations - create db, collection, insert records, drop collection etc.
No audit logs generated. audit.json is still a blank file.
-rwxrwxrwx 1 root root 0 Jan 29 09:16 audit.json
Thanks,
Anu
1 Like
@Anu_Madan once you edit the config file inside the container - you won’t get your changes after the restart of the container.
You should put config file on your host system, modify it, and mount during docker run command.
1 Like
Thanks Evgeniy. The following entries in my mongod.config are causing some issue.
processManagement:
  fork: false
  pidFilePath: /var/run/mongod.pid
I debugged by removing each line from the config file one by one and zeroed in on this. Without these, I got a few logs in the auditlog file.
Thank you very much for your help.
-Anu
2 Likes