All Products
Search
Document Center

ApsaraDB for MongoDB:Enable the audit log feature

Last Updated:Jul 17, 2024

This topic describes how to enable the audit log feature for an ApsaraDB for MongoDB instance. The audit log feature is integrated with Log Service and allows you to query, analyze online, and export the audit logs of the instance. The audit log feature also provides real-time insight into the security and performance of the instance.

Note

The log audit feature provided by ApsaraDB for MongoDB no longer offers free trials. For more information, see [Notice] On official launch of the pay-as-you-go audit log feature and no more application for the free trial edition.

Scenarios

ApsaraDB for MongoDB integrates the features of Log Service to provide the audit log feature that is stable, easy-to-use, flexible, and efficient. This feature can be used in scenarios described in the following table.

Scenario

Description

Operation audit

Helps you discover information such as operator identity or data modification time and identify internal risks such as the abuse of permissions and execution of invalid commands.

Security and compliance

Assists business systems in complying with the audit requirements in security compliance.

Prerequisites

  • Log Service is activated. For more information, see Getting Started.

  • If you want to enable the audit log feature as a Resource Access Management (RAM) user, you need to grant the following permissions to the RAM user:

    • AliyunLogFullAccess: This permission is a system policy. For more information about how to grant permissions to the RAM user, see Grant permissions to a RAM user.

    • dds:CheckServiceLinkedRole: This permission is a custom policy. You need to create a custom policy in the RAM console before you attach the policy to the RAM user. For more information about how to create a custom policy on the JSON tab, see Create custom policies. For more information about how to grant permissions to the RAM user, see Grant permissions to a RAM user.

      The following example shows the script of the dds:CheckServiceLinkedRole policy:

      {
      	"Version": "1",
      	"Statement": [
      		{
      			"Effect": "Allow",
      			"Action": "dds:CheckServiceLinkedRole",
      			"Resource": "*"
      		}
      	]
      }
  • If you want to access audit logs as a RAM user, you need to grant the AliyunLogFullAccess or AliyunLogReadOnlyAccess permission to the RAM user. For more information about how to grant permissions to the RAM user, see Grant permissions to a RAM user.

Usage notes

  • After you enable the audit log feature for an instance, ApsaraDB for MongoDB audits and logs the write operations that are performed on the instance. The instance may experience a performance decrease of 5% to 15% and specific amount of latency and jitter. The performance decrease, latency, and jitter vary with the amount of data that is written or audited.

    Note

    Your application may write a large amount of data to an instance. To prevent performance from decreasing in such scenarios, we recommend that you enable the audit log feature only for troubleshooting issues or auditing the security of the instance.

  • By default, after the audit log feature is enabled, the selected operation types are admin and slow. For more information about how to change operation types, see Modify operation types for audit logs.

  • The specified log retention period for an instance is applicable to the instance and all other instances that reside within the same region as the instance. Other operations are applicable only to the current instance.

  • If you want to retain audit logs for a longer period of time or use larger storage space for audit logs during the free trial of this feature, you can upgrade the free trial edition to the official edition. For more information, see Upgrade to the official edition.

Billing rules

You are charged fees for the official edition of the audit log feature based on the storage capacity used by audit logs and the retention period of the audit logs. The following table lists the storage unit price of the audit log feature in different regions.

Region

Unit price (USD per GB-hour)

Regions in the Chinese mainland

0.002

China (Hong Kong)

0.006

Singapore

Australia (Sydney)

UAE (Dubai)

US (Silicon Valley)

US (Virginia)

UK (London)

Germany (Frankfurt)

India (Mumbai) Closing Down

0.004

Japan (Tokyo)

Malaysia (Kuala Lumpur)

Indonesia (Jakarta)

Philippines (Manila)

Important

The preceding unit price of backup is for reference only. The unit price may change when you purchase an instance. The unit price generated in purchase inquiries and bills prevails. For more information, see the Pricing tab of ApsaraDB for MongoDB buy page.

You can also use the methods described in the following table to reduce fees incurred for audit logs.

Method

Risk

References

Specify a shorter retention period

This shortens the traceable history time of audit logs.

Modify the retention period for audit logs

Select less audit operation types

After a specified audit operation type is removed, the audit logs for this operation type are no longer uploaded.

Note

After a specified audit operation type is removed, only the existing audit log data of this operation type is reserved within the retention period.

For example, you specify a retention period of five days and select the following audit operation types: admin, slow, and query. If you remove the query operation at 00:00:00 on October 10, 2022, the audit logs for the query operation generated after that time are no longer saved. The audit logs for the query generated from 00:00:00 on October 05, 2022 to 00:00:00 on October 10, 2022 also gradually expire and are automatically deleted after they expire.

Modify operation types for audit logs

Disable the audit log feature

After you disable the audit log feature, the audit logs of the instance are not uploaded. You cannot track and audit subsequent operations on the instance.

Note

Only the audit logs within the retention period that ends at the time when you disable the audit log feature are retained.

For example, you specify a retention period of five days and disable the audit log feature at 00:00:00 on October 10, 2022. The audit logs generated after that time are no longer saved. The audit logs generated from 00:00:00 on October 5, 2022 to 00:00:00 on October 10, 2022 also gradually expire and are automatically deleted.

Disable the audit log feature

Procedure

Note

You can enable the audit log feature without the need to restart your instance.

  1. Log on to the ApsaraDB for MongoDB console.

  2. In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances.

  3. In the upper-left corner of the page that appears, select the resource group and region to which the desired instance belongs.

  4. Click the ID of the instance that you want to manage or click Manage in the Actions column.

  5. In the left-side navigation pane of the instance details page, choose Data Security > Audit Logs.

  6. On the Latest Audit Logs page, configure the Log Retention Period parameter.

    • The valid values of the parameter is 1 to 365. The default value is 30. The parameter is measured in days.

    • The specified log retention period for an instance is applicable to the instance and all other instances that reside within the same region as the instance. We recommend that you evaluate the retention period of audit logs for all instances within the same region before you configure the parameter.

  7. Click Enable Audit Logs.

    Note

    When the audit log feature is enabled, ApsaraDB for MongoDB automatically obtains the AliyunServiceRoleForMongoDB role. This role allows ApsaraDB for MongoDB to use audit logs from Log Service.

  8. In the Enable Audit Logs message, read the prompt and click OK.

Related tasks

After you enable the audit log feature, you can go to the Mongo audit log center page to view the billable storage capacity of audit logs in the current region.审计日志容量

Related API operations

Operation

Description

DescribeAuditPolicy

Queries whether the audit log feature is enabled for an ApsaraDB for MongoDB instance.

ModifyAuditPolicy

Enables or disables the audit log feature for an ApsaraDB for MongoDB instance. If you enable the feature, you can also specify a retention period for audit logs.

References