how to query official audit log information - ApsaraDB for MongoDB

This topic describes how to query audit logs for ApsaraDB for MongoDB.

Prerequisites

The audit log feature is enabled. For more information, see Enable the audit log feature.

Query audit logs

Log on to the MongoDB console.
In the navigation pane on the left, click Replica Set Instances or Sharded Cluster Instances based on the instance type.
In the upper-left corner of the page, select the resource group and region where the instance is located.
Click the ID of the target instance or click Manage in the Actions column of the target instance.
In the navigation pane on the left of the instance details page, click Data Security > Audit Logs.
On the Mongo audit log center page, you can view the audit logs. By default, the page displays audit logs from the last 15 Minutes (Relative).
Click Refresh in the upper-right corner of the Mongo audit log center page to set the refresh rate.
- Once
  Refreshes the audit logs immediately.
- Automactic Refresh
  Sets the refresh interval to 15 Second, 60 Second, 5 Minutes, or 15 Minutes.
  Note
  If you want to change the auto-refresh interval, click the current setting (e.g., "15Second" or "5 Minutes"), then click "Close". Then click Refresh to set a new one.

Filter audit logs using filter conditions

You can use filter conditions to locate specific audit logs.

Log on to the MongoDB console.
In the navigation pane on the left, click Replica Set Instances or Sharded Cluster Instances based on the instance type.
In the upper-left corner of the page, select the resource group and region where the instance is located.
Click the ID of the target instance or click Manage in the Actions column of the target instance.
In the navigation pane on the left of the instance details page, click Data Security > Audit Logs.

On the Mongo audit log center page, set the filter conditions in the filter area.

The following table describes the filter conditions.

Filter condition	Description
Keyword	Filter audit logs by keyword, such as client IP address, executed command, account, and extension information. list When you filter audit logs by keyword, you must enter the complete information. Fuzzy search is not supported. For example: If you use a client IP address (IPv4 address) as the keyword, you must enter all four fields in dotted decimal notation, such as 192.168.1.1, not 192.168 or 1.1. If you use a command as the keyword, you must enter the full command name, such as AUTH or auth, not au. If a keyword contains a colon (:), enclose the keyword in double quotation marks (""). For example: `"userId:1"`.
Operation Type	Filter audit logs by operation type.
Client IP Address	Filter audit logs by the IP address of the client that connects to the ApsaraDB for MongoDB instance. For example: If an ECS instance connects to the ApsaraDB for MongoDB instance over the internet, enter the public IP address of the ECS instance. If an ECS instance connects to the ApsaraDB for MongoDB instance over a Virtual Private Cloud (VPC), enter the private IP address of the ECS instance.
Database Name	Filter audit logs by database name.
Set Name	Filter audit logs by collection name.
Username	Filter audit logs by username.

Filter audit logs using the time picker

You can use the time picker to query audit logs from a specific time period.

Log on to the MongoDB console.
In the navigation pane on the left, click Replica Set Instances or Sharded Cluster Instances based on the instance type.
In the upper-left corner of the page, select the resource group and region where the instance is located.
Click the ID of the target instance or click Manage in the Actions column of the target instance.
In the navigation pane on the left of the instance details page, click Data Security > Audit Logs.
On the Mongo audit log center page, click Select Time Range on the right.

In the Select Time Range panel, select a time period.

The following table describes the functional areas of the time picker.

Functional area	Description
Time details	When you move the mouse pointer over a time option in the Relative time or Time frame area, this area displays the corresponding time period, which is the specific time range for querying audit logs.
Relative time	Select a time period relative to the current point in time. When you move the mouse pointer over an option, you can view the corresponding time period in the Time details area.
Time frame	Select a time frame with a granularity of a minute or more. When you move the mouse pointer over an option, you can view the corresponding time period in the Time details area.
Custom time	Specify a custom time period. After you enter the custom time, click Confirm to apply it. Note The minimum time granularity for a query is one minute. To query audit logs with a precision of seconds, log on to the Simple Log Service console and enter a query statement. For more information about how to query audit logs with a precision of seconds, see Quick start for log query and analysis.

Related APIs

API	Description
DescribeAuditRecords	Queries the audit log information of an ApsaraDB for MongoDB instance.

FAQ

Q: Why can I query only 2,000 audit logs at a time?

A: The Mongo Audit Log Center page in the ApsaraDB for MongoDB console displays a maximum of 2,000 audit logs. To query more audit logs, log on to the Simple Log Service console. For more information, see Quick start for log query and analysis.

Q: Why do the audit logs contain only a small amount of data?

A: When you enable the audit log feature, only the admin and slow operation types are selected by default. To change the audited operation types, see Change audited operation types.