This topic describes how to enable the audit log feature for an ApsaraDB for MongoDB instance. The audit log feature is integrated with Log Service and allows you to query, analyze, and export the audit logs of the instance online. The audit log feature also provides real-time insight into the security and performance of the instance.

Scenarios

ApsaraDB for MongoDB integrates the features of Log Service to provide an audit log feature that is stable, easy to use, flexible, and efficient. This feature can be used in the scenarios described in the following table.

Scenario | Description
Operation audit | Helps discover information such as operator identity or data modification time, and identify internal risks such as abuse of permissions and execution of invalid commands.
Security and compliance | Assists business systems in meeting the audit requirements of security compliance.

Prerequisites

  • Log Service is activated. For more information, see Activate Log Service.
  • The audit log feature is available only for instances that run specific MongoDB versions.
    • Replica set instances: MongoDB 5.0 or earlier
    • Sharded cluster instances: MongoDB 5.0 or earlier
  • The AliyunLogFullAccess permission is granted to the Resource Access Management (RAM) user that is used to enable the new audit log feature. For more information about authorization, see Grant permissions to a RAM user.
  • The AliyunLogFullAccess or AliyunLogReadOnlyAccess permission is granted to the RAM user that is used to access audit logs. For more information, see Grant permissions to a RAM user.

Precautions

  • When you enable the audit log feature for an instance that uses cloud disks, the instance restarts. Proceed with caution.
  • After you enable the audit log feature for an instance, ApsaraDB for MongoDB audits and logs the write operations that are performed on the instance. The instance may experience a performance decrease of 5% to 15% and some additional latency and jitter. The performance decrease, latency, and jitter vary with the amount of data that is written or audited.
    Note Your application may write a large amount of data to an instance. To prevent performance from decreasing in such scenarios, we recommend that you enable the audit log feature only to troubleshoot issues or to audit the security of the instance.
  • By default, after the audit log feature is enabled, the selected operation types are admin and slow. For more information about how to change the operation types, see Modify the operation type for audit logs.
  • The specified log retention period for an instance is applicable to the instance and all other instances that reside within the same region as the instance. Other operations are applicable only to the current instance.
  • If you have enabled the free trial edition but want to retain audit logs for a longer period of time or use larger storage space for audit logs, you can upgrade the free trial edition to the official edition. For more information, see Upgrade to the official edition.

Billing

The official edition is charged based on the storage usage and retention period. For more information, see the Pricing tab on the ApsaraDB for MongoDB product page.

Note The free trial of the audit log feature is no longer available. For more information, see [Notice] On official launch of the pay-as-you-go audit log feature and no more application for the free trial edition.

You can also use the methods described in the following table to reduce fees incurred for audit logs.

Method | Risk | References
Use a shorter retention period | This shortens the traceable history of audit logs. | Modify the retention period for audit logs
Select fewer audit operation types | After an audit operation type is removed, audit logs for that operation type are no longer uploaded. | Modify the operation type for audit logs
    Note After an audit operation type is removed, only the existing audit log data of that operation type is retained, and only until its retention period ends.
    For example, you set the audit log retention period to five days and initially select admin, slow, and query as the audit operation types. If you remove the query operation type at 00:00:00 on October 10, 2022, audit logs for query operations are no longer saved after that time. The query audit logs generated from 00:00:00 on October 5, 2022 to 00:00:00 on October 10, 2022 gradually expire and are automatically deleted when they expire.
Disable the audit log feature | After you disable the audit log feature, audit logs of the instance are no longer uploaded. You cannot track and audit subsequent operations on the instance. | Disable the audit log feature
    Note Only the audit logs within the retention period that ends at the time when you disable the audit log feature are retained.
    For example, you set a retention period of five days and disable the audit log feature at 00:00:00 on October 10, 2022. The audit logs generated after that time are not saved. The audit logs generated from 00:00:00 on October 5, 2022 to 00:00:00 on October 10, 2022 also gradually expire and are automatically deleted when they expire.
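The retention semantics behind the two examples above (removing an operation type, and disabling the feature) can be checked with a small model. This is an added example, not code from the original page or from ApsaraDB for MongoDB; the audit entries, the 5-day retention period and the 2022-10-10 change time are constructed values taken from the page's worked examples.

```python
from datetime import datetime, timedelta

# Constructed sample audit entries (timestamp, operation type); not real ApsaraDB data.
SAMPLE_ENTRIES = [
    (datetime(2022, 10, 4, 12, 0), "query"),
    (datetime(2022, 10, 6, 9, 30), "query"),
    (datetime(2022, 10, 9, 23, 59), "query"),
    (datetime(2022, 10, 9, 23, 59), "admin"),
    (datetime(2022, 10, 10, 0, 1), "query"),
    (datetime(2022, 10, 10, 0, 1), "admin"),
]

def is_valid_retention_days(days):
    """Retention period accepted by the console: an integer from 1 to 365 days (default 30)."""
    return isinstance(days, int) and 1 <= days <= 365

def retained_at(entries, retention_days, types_before, types_after, change_time, now):
    """Return the uploaded entries that are still queryable at `now`.

    An operation is uploaded only if its type was selected when it ran:
    `types_before` applies to operations before `change_time`, `types_after`
    from then on (pass an empty set to model disabling the feature). Each
    uploaded entry expires `retention_days` after it was generated, so data
    for a removed type drains away gradually instead of vanishing at once.
    """
    if not is_valid_retention_days(retention_days):
        raise ValueError(f"retention period must be 1-365 days, got {retention_days!r}")
    retention = timedelta(days=retention_days)
    kept = []
    for ts, op_type in entries:
        selected = types_before if ts < change_time else types_after
        if op_type not in selected:
            continue  # never uploaded: the type was not selected at that moment
        if now >= ts + retention:
            continue  # uploaded earlier, but its retention period has ended
        kept.append((ts, op_type))
    return kept

def remaining(now_iso, op_type, disable=False):
    """Page example: 5-day retention; at 2022-10-10 00:00:00 the query type is
    removed (disable=False) or the whole feature is disabled (disable=True).
    Returns ISO timestamps of `op_type` logs still retained at `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    change = datetime(2022, 10, 10, 0, 0, 0)
    before = {"admin", "slow", "query"}
    after = set() if disable else {"admin", "slow"}
    kept = retained_at(SAMPLE_ENTRIES, 5, before, after, change, now)
    return [ts.isoformat() for ts, t in kept if t == op_type]
```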

Procedure

  1. Log on to the ApsaraDB for MongoDB console.
  2. In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances based on the instance type.
  3. In the upper-left corner of the page, select the resource group and region to which the instance belongs.
  4. Click the ID of an instance, or click the More icon in the Actions column corresponding to the instance and select Manage.
  5. In the left-side navigation pane of the instance details page, choose Data Security > Audit Logs.
  6. On the Latest Audit Logs page, set Log Retention Period.
    • Valid values for the retention period are 1 to 365. The default value is 30. The unit is days.
    • The specified log retention period for an instance is applicable to the instance and all other instances that reside within the same region as the instance. We recommend that you evaluate the retention period of audit logs for all instances within the same region before you set the parameter.
  7. Click Enable Audit Logs.
    Note When the audit log feature is enabled, ApsaraDB for MongoDB automatically obtains the AliyunServiceRoleForMongoDB role. This role allows ApsaraDB for MongoDB to use audit logs from Log Service.
  8. In the Enable Audit Logs message, read the prompt and click OK.

Related operations

After you enable the audit log feature, you can view the audit log storage usage of the current region in the upper part of the Mongo Audit Log Center page.

Related API operations

Operation | Description
DescribeAuditPolicy | Queries whether the audit log feature is enabled for an ApsaraDB for MongoDB instance.
ModifyAuditPolicy | Enables or disables the audit log feature for an ApsaraDB for MongoDB instance. If you enable the feature, you can also set a retention period for audit logs.

References