This topic describes how to enable the log audit feature in the ApsaraDB for MongoDB console and send audit logs to Log Service.

Prerequisites

A replica set instance with three or more nodes is created, or a sharded cluster instance is created. For more information, see Create a replica set instance and Create a sharded cluster instance.

Procedure

  1. Log on to the ApsaraDB for MongoDB console.
  2. In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances based on the instance type.
  3. In the top navigation bar, select the resource group and region of your instance.
  4. In the instance list, click the instance.
  5. In the left-side navigation pane, choose Data Security > Audit Logs.
  6. If this is the first time that you use the log audit feature, follow the on-screen instructions to complete authorization.

    After the authorization is complete, the system generates the AliyunServiceRoleForMongoDB RAM role. Your instance can assume the AliyunServiceRoleForMongoDB RAM role to access Log Service resources within your Alibaba Cloud account. For more information, see ApsaraDB for MongoDB service-linked roles.

    Notice: Do not revoke the permissions from the RAM role or delete the RAM role. If you do, the audit logs of the ApsaraDB for MongoDB instance cannot be sent to Log Service.
  7. On the Latest Audit Logs page, specify the log retention period and click Enable Audit Logs.
  8. In the Enable Audit Logs message, click OK.

What to do next

After the logs of your instance are sent to Log Service, you can query, analyze, download, ship, and transform the logs. You can also configure alerts based on the logs. For more information, see Common operations on logs of Alibaba Cloud services.