Query, filter, and navigate audit logs for your ApsaraDB for MongoDB instance from the Mongo Audit Log Center page in the console.
Before you begin
The audit log feature must be enabled. For more information, see Enable the audit log feature.
Limits
| Limit | Details |
|---|---|
| Logs per query (console) | The Mongo Audit Log Center page displays a maximum of 2,000 audit logs per query. To query more logs, use the Simple Log Service (SLS) console. |
| Minimum time granularity | One minute. For second-level precision, use the SLS console. |
| Default audited operation types | Only admin and slow operations are audited by default when you enable the audit log feature. If your logs contain less data than expected, check your audited operation types. See Change audited operation types. |
Navigate to the Mongo Audit Log Center
Log on to the MongoDB consoleMongoDB consoleMongoDB console.
In the left navigation pane, click Replica Set Instances or Sharded Cluster Instances based on your instance type.
In the upper-left corner, select the resource group and region where your instance is located.
Click the instance ID, or click Manage in the Actions column.
In the left navigation pane of the instance details page, click Data Security > Audit Logs.
The Mongo Audit Log Center page opens. By default, it shows audit logs from the last 15 Minutes (Relative).
Set the refresh rate
Click Refresh in the upper-right corner to configure the refresh rate.
| Option | Description |
|---|---|
| Once | Refreshes audit logs immediately. |
| Automatic Refresh | Sets the auto-refresh interval to 15 Second, 60 Second, 5 Minutes, or 15 Minutes. |
To change the auto-refresh interval, click the current interval setting, then click Close. Click Refresh again to select a new interval.
Filter audit logs
Use the filter area on the Mongo Audit Log Center page to locate specific log entries.
| Filter condition | Description |
|---|---|
| Keyword | Filter by client IP address, executed command, account, or extension information. Keyword search requires an exact match — fuzzy search is not supported. For example: to filter by IPv4 address, enter all four fields in dotted-decimal notation (e.g., 192.168.1.1, not 192.168). To filter by command, enter the full command name (e.g., AUTH, not au). If a keyword contains a colon (:), enclose it in double quotation marks (e.g., "userId:1"). |
| Operation Type | Filter by the type of database operation. |
| Client IP Address | Filter by the IP address of the client connecting to the instance. Use the public IP address for connections over the internet, or the private IP address for connections over a Virtual Private Cloud (VPC). |
| Database Name | Filter by database name. |
| Set Name | Filter by collection name. |
| Username | Filter by database username. |
Query audit logs by time range
On the Mongo Audit Log Center page, click Select Time Range on the right.
In the Select Time Range panel, select or specify a time period.
The time picker has four areas:
| Area | Description |
|---|---|
| Time details | Shows the specific time range when you hover over an option in the Relative time or Time frame area. |
| Relative time | Selects a time period relative to the current time. Hover over an option to preview the range in Time details. |
| Time frame | Selects a fixed time frame with a granularity of one minute or more. Hover over an option to preview the range in Time details. |
| Custom time | Specifies a custom time period. Enter the time range and click Confirm to apply. |
Query more than 2,000 logs using Simple Log Service
The Mongo Audit Log Center page is limited to 2,000 logs per query. To query a larger volume of logs or use second-level time precision, use the Simple Log Service (SLS) console.
For more information, see Quick start for log query and analysis.
API reference
| API | Description |
|---|---|
| DescribeAuditRecords | Queries audit log information for an ApsaraDB for MongoDB instance. |
FAQ
Why do my audit logs contain only a small amount of data?
When you enable the audit log feature, only the admin and slow operation types are audited by default. To capture logs from other operations, see Change audited operation types.