ApsaraDB for MongoDB provides an audit log feature powered by Log Service. This feature allows you to query, analyze, and export logs, giving you real-time insight into the security and performance of your instance.
The free trial for this feature is no longer available. For more information, see [Notice] Pay-as-you-go audit logs are available for ApsaraDB for MongoDB and the free trial is discontinued.
Use cases
ApsaraDB for MongoDB integrates features from Log Service to provide a stable, user-friendly, flexible, and efficient audit log service. The following table describes common use cases.
|
Use case |
Description |
|
Operation audit |
Identify who modified your data and when. This helps you detect internal risks, such as permission abuse or the execution of non-compliant commands. |
|
Security and compliance |
Helps your business systems meet audit requirements in security compliance standards. |
Prerequisites
-
Your instance is a replica set instance or a sharded cluster instance. The audit log feature does not support standalone instances.
-
Log Service is enabled. For instructions, see Getting Started.
-
If you enable audit logs as a RAM user, you must grant the following permissions to the RAM user:
-
AliyunLogFullAccess: This is a system policy. For instructions on how to grant this permission, see Grant permissions to a RAM user.
-
dds:CheckServiceLinkedRole: This is a custom policy. You must first create this policy in the Resource Access Management (RAM) console and then grant it to the RAM user. To create a custom policy by using the script editor, see Create custom policies. For instructions on how to grant the permission, see Grant permissions to a RAM user.
The following script is for the dds:CheckServiceLinkedRole policy.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "dds:CheckServiceLinkedRole", "Resource": "*" } ] }
-
-
If you use a RAM user to access audit logs, you must grant the AliyunLogFullAccess or AliyunLogReadOnlyAccess permission to the RAM user. For instructions on how to grant these permissions, see Grant permissions to a RAM user.
Usage notes
-
After you enable the audit log feature, the system records audit information for write operations. This can add performance overhead and cause latency jitter on your ApsaraDB for MongoDB instance. For instances that run MongoDB 6.0 or later, the performance overhead can be 15% to 20%. For instances that run an earlier version, the performance overhead may be higher. For more information, see Audit log performance analysis.
NoteIf your application performs a high volume of write operations on your ApsaraDB for MongoDB instance, we recommend enabling this feature only for troubleshooting or security audits to prevent performance degradation.
-
After you enable the audit log feature, only the admin and slow operation types are selected by default. To change the audited operation types, see Modify operation types for audit logs.
-
The log retention period setting applies to all ApsaraDB for MongoDB instances in the current region. All other settings apply only to the current instance.
-
If you have enabled the free trial edition of the audit log feature and require a longer retention period or more storage space, you can upgrade to the official edition. For instructions, see Upgrade to the official edition.
Billing
The official edition of the audit log feature is billed on a pay-as-you-go basis based on the storage usage and retention period of audit logs. The following tables show the prices in different regions.
|
Region |
Unit price (USD/GB/hour) |
|
All regions in the Chinese mainland |
0.002 |
|
China (Hong Kong) |
0.006 |
|
Singapore |
|
|
UAE (Dubai) |
|
|
US (Silicon Valley) |
|
|
US (Virginia) |
|
|
UK (London) |
|
|
Germany (Frankfurt) |
|
|
Japan (Tokyo) |
0.004 |
|
Malaysia (Kuala Lumpur) |
|
|
Indonesia (Jakarta) |
|
|
Philippines (Manila) |
The prices in this topic are for reference only. The prices displayed on the buy page and in your bill prevail. For more information, see the Pricing tab on the ApsaraDB for MongoDB product page.
You can use the following methods to reduce your audit log costs.
|
Method |
Risk |
Reference |
|
Shorten the log retention period |
This shortens the traceable history of audits. |
|
|
Reduce the number of audited operation types |
If you deselect an operation type, logs for that operation type are no longer uploaded. Note
When you deselect an operation type, existing logs for that type are retained until the retention period expires. For example, your log retention period is set to 5 days, and you are auditing admin, slow, and query operations. If you deselect query at 00:00:00 on October 10, 2022, no new query logs are saved. The query logs generated between 00:00:00 on October 5, 2022 and 00:00:00 on October 10, 2022 expire and are automatically deleted. |
|
|
Disable the audit log feature |
After you disable the audit log feature, the system no longer uploads new logs for the instance. You can no longer trace subsequent access activities. Note
When you disable the feature, existing logs are retained until the retention period expires. For example, your log retention period is set to 5 days. If you disable the audit log feature at 00:00:00 on October 10, 2022, no new logs are saved. The audit logs generated between 00:00:00 on October 5, 2022 and 00:00:00 on October 10, 2022 expire and are automatically deleted. |
Procedure
You can enable the audit log feature without restarting the instance.
-
Log on to the ApsaraDB for MongoDB console.
-
In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances based on your instance type.
-
In the upper-left corner of the page, select the resource group and region where the instance is located.
-
Click the ID of the instance, or click Manage in the Actions column for the instance.
-
In the left-side navigation pane, choose .
-
On the Latest Audit Logs page, set the Log Retention Period.
-
You can set the retention period from 1 to 365 days. The default value is 30 days.
-
Confirm that the selected retention period is suitable for all instances in the region before you proceed.
-
-
Click Activate.
NoteWhen you enable the audit log feature, ApsaraDB for MongoDB is automatically granted the AliyunServiceRoleForMongoDB service-linked role. This role allows ApsaraDB for MongoDB to access logs from Log Service.
-
In the Activate dialog box, read the message and click Confirm.
What to do next
After you enable the audit log feature, you can navigate to the Mongo Audit Log Center page. The top of the page displays the paid storage usage for audit logs in the current region. In the upper-right corner, you can find the Audit Settings and Service Settings buttons. The toolbar provides features such as SQL Enhancement, the Time Range Picker, Refresh, Alerts, and Subscribe.
API reference
|
API |
Description |
|
Checks if the audit log feature is enabled for an ApsaraDB for MongoDB instance. |
|
|
Enables or disables the audit log feature for an ApsaraDB for MongoDB instance and sets the log retention period. |