For auditing and regulatory compliance, most organizations require that all user-based Data Manipulation Language ("DML") and/or Create, Read, Update and Delete ("CRUD") operations performed against production databases be logged. This request extends the MongoDB auditing framework, introduced in version 2.6, to include logging of all user queries and DML/CRUD operations, including:
- query/read – any operation that returns data
- insert – any operation that adds data to a database
- update – any operation that changes data on a database
- delete – any operation that removes data from a database
Requirements for logging of these operations include:
- same format, data elements, output options used for DDL and system level auditing
- capture complete query, command with variable substitution (non-masked values)
- return result of query, command (success, failure, row count, rows affected, etc.)
- provide option to log to a separate file for manageability
- option to log queried or returned data – feasibility TBD
With this enhancement, we should also extend the current auditing functionality to provide high-level configuration options that allow users to set the “verbosity” of audit logging for a given server. Options to include:
- system – enables the logging of only DDL or system level operations (2.6 implementation)
- queries – enables the logging of only DML/CRUD operations
- all – (default) enables the logging of all operations
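The three verbosity levels above, sketched as a filter over JSON audit records (an added example, not MongoDB code and not part of the request). It assumes CRUD operations appear as `authCheck` events carrying `param.command`; the command list, function names and sample records are constructed for illustration.

```python
import json

LEVELS = ("system", "queries", "all")  # option names taken from the request

# Assumption: commands this sketch counts as DML/CRUD.
CRUD_COMMANDS = {"find", "getMore", "aggregate", "count", "distinct",
                 "insert", "update", "delete", "findAndModify"}

def classify(event):
    """Return 'queries' for a DML/CRUD event, 'system' for anything else."""
    if event.get("atype") == "authCheck":
        if event.get("param", {}).get("command") in CRUD_COMMANDS:
            return "queries"
    return "system"

def filter_audit(lines, verbosity="all"):
    """Return (kept_events, malformed_lines) for the chosen verbosity."""
    if verbosity not in LEVELS:
        raise ValueError(f"unknown verbosity: {verbosity!r}")
    kept, malformed = [], []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            # Never drop an unreadable audit record silently; hand it back.
            malformed.append(raw)
            continue
        if verbosity == "all" or classify(event) == verbosity:
            kept.append(event)
    return kept, malformed

# Constructed sample records; result 0 = success, 13 = unauthorized.
SAMPLE = [
    '{"atype":"createCollection","param":{"ns":"shop.orders"},"result":0}',
    '{"atype":"authCheck","users":[{"user":"app","db":"admin"}],'
    '"param":{"command":"find","ns":"shop.orders",'
    '"args":{"find":"orders","filter":{"status":"open"}}},"result":0}',
    '{"atype":"authCheck","param":{"command":"delete","ns":"shop.orders",'
    '"args":{"delete":"orders"}},"result":13}',
    '{"atype":"authCheck","param":{"command":"dropIndexes",'
    '"ns":"shop.orders","args":{}},"result":13}',
    'not json',
]

if __name__ == "__main__":
    for level in LEVELS:
        kept, bad = filter_audit(SAMPLE, level)
        print(level, [e["param"].get("command", e["atype"]) for e in kept], bad)
```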
Related issues (is related to):
- SERVER-12512 Add role-based, selective audit logging. (Closed)
- SERVER-11918 Support writing "access granted" messages to audit logs. (Closed)