This topic describes how to enable the audit log feature for an ApsaraDB for MongoDB instance. The audit log feature is integrated with Log Service and allows you to query, analyze online, and export the audit logs of the instance. The audit log feature also provides real-time insight into the security and performance of the instance.
Scenarios
ApsaraDB for MongoDB integrates the features of Log Service to provide the audit log feature that is stable, easy-to-use, flexible, and efficient. This feature can be used in scenarios described in the following table.
Scenario | Description |
Operation audit | Helps you discover information such as operator identity or data modification time and identify internal risks such as the abuse of permissions and execution of invalid commands. |
Security and compliance | Assists business systems in complying with the audit requirements in security compliance. |
Prerequisites
Log Service is activated. For more information, see Getting Started.
If you want to enable the audit log feature as a Resource Access Management (RAM) user, you need to grant the following permissions to the RAM user:
AliyunLogFullAccess: This permission is a system policy. For more information about how to grant permissions to the RAM user, see Grant permissions to a RAM user.
dds:CheckServiceLinkedRole: This permission is a custom policy. You need to create a custom policy in the RAM console before you attach the policy to the RAM user. For more information about how to create a custom policy on the JSON tab, see Create custom policies. For more information about how to grant permissions to the RAM user, see Grant permissions to a RAM user.
The following example shows the script of the dds:CheckServiceLinkedRole policy:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "dds:CheckServiceLinkedRole", "Resource": "*" } ] }
If you want to access audit logs as a RAM user, you need to grant the AliyunLogFullAccess or AliyunLogReadOnlyAccess permission to the RAM user. For more information about how to grant permissions to the RAM user, see Grant permissions to a RAM user.
Usage notes
After you enable the audit log feature for an instance, ApsaraDB for MongoDB audits and logs the write operations that are performed on the instance. The instance may experience a performance decrease of 5% to 15% and specific amount of latency and jitter. The performance decrease, latency, and jitter vary with the amount of data that is written or audited.
NoteYour application may write a large amount of data to an instance. To prevent performance from decreasing in such scenarios, we recommend that you enable the audit log feature only for troubleshooting issues or auditing the security of the instance.
By default, after the audit log feature is enabled, the selected operation types are admin and slow. For more information about how to change operation types, see Modify operation type for audit logs.
The specified log retention period for an instance is applicable to the instance and all other instances that reside within the same region as the instance. Other operations are applicable only to the current instance.
If you want to retain audit logs for a longer period of time or use larger storage space for audit logs during the free trial of this feature, you can upgrade the free trial edition to the official edition. For more information, see Upgrade to the official edition.
Billing rules
You are charged for the official edition based on the storage capacity and retention period of the audit logs. For more information about the pricing of the official edition, visit the Pricing tab of the ApsaraDB for MongoDB buy page.
The log audit feature provided by ApsaraDB for MongoDB no longer offers free trials. For more information, see [Notice] On official launch of the pay-as-you-go audit log feature and no more application for the free trial edition.
You can also use the methods described in the following table to reduce fees incurred for audit logs.
Method | Risk | References |
Use a shorter retention period | This shortens the traceable history time of audit logs. | |
Select less audit operation types | After a specified audit operation type is removed, the audit logs for this operation type are no longer uploaded. Note After a specified audit operation type is removed, only the existing audit log data of this operation type is reserved within the retention period. For example, you specify a retention period of five days and select the following audit operation types: admin, slow, and query. If you remove the query operation at 00:00:00 on October 10, 2022, the audit logs for the query operation generated after that time are no longer saved. The audit logs for the query generated from 00:00:00 on October 05, 2022 to 00:00:00 on October 10, 2022 also gradually expire and are automatically deleted after they expire. | |
Disable the audit log feature | After you disable the audit log feature, the audit logs of the instance are not uploaded. You cannot track and audit subsequent operations on the instance. Note Only the audit logs within the retention period that ends at the time when you disable the audit log feature are retained. For example, you specify a retention period of five days and disable the audit log feature at 00:00:00 on October 10, 2022. The audit logs generated after that time are no longer saved. The audit logs generated from 00:00:00 on October 5, 2022 to 00:00:00 on October 10, 2022 also gradually expire and are automatically deleted. |
Procedure
Log on to the ApsaraDB for MongoDB console.
In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances.
In the upper-left corner of the page that appears, select the resource group and region to which the desired instance belongs.
Click the ID of the instance that you want to manage or click Manage in the Actions column.
In the left-side navigation pane of the instance details page, choose .
On the Latest Audit Logs page, configure the Log Retention Period parameter.
The valid values of the parameter is 1 to 365. The default value is 30. The parameter is measured in days.
The specified log retention period for an instance is applicable to the instance and all other instances that reside within the same region as the instance. We recommend that you evaluate the retention period of audit logs for all instances within the same region before you configure the parameter.
Click Enable Audit Logs.
NoteWhen the audit log feature is enabled, ApsaraDB for MongoDB automatically obtains the AliyunServiceRoleForMongoDB role. This role allows ApsaraDB for MongoDB to use audit logs from Log Service.
In the Enable Audit Logs message, read the prompt and click OK.
Related tasks
After you enable the audit log feature, you can go to the Mongo audit log center page to view the billable storage capacity of audit logs in the current region.
Related operations
Operation | Description |
Queries whether the audit log feature is enabled for an ApsaraDB for MongoDB instance. | |
Enables or disables the audit log feature for an ApsaraDB for MongoDB instance. If you enable the feature, you can also specify a retention period for audit logs. |