[SERVER-41635] MDB native audit only supports 2 error codes Created: 11/Jun/19  Updated: 11/Jul/19  Resolved: 11/Jul/19

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: barak gilboa Assignee: Eric Sedor
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:

 Description   

MDB native audit only supports the following error codes:

  • 13 - "Unauthorized"
  • 18 - "AuthenticationFailed"

Need to add support for other failures as well.

In addition, the error code isn't included in the audit log (we deduce it from MDB code and documentation).

This issue is relevant to MDB on-prem and MDB Atlas.



 Comments   
Comment by Eric Sedor [ 11/Jul/19 ]

Thanks again for your suggestion. However, we are going to close this as the audit log is intended to provide primarily authentication/authorization related information.

Comment by Eric Sedor [ 18/Jun/19 ]

Thanks for clarifying. The result indicated in this example is for the authCheck event prompted by the insert (which was successful independent of the result of the insert itself). The Audit Log is intended for this sort of system level activity, not for providing specific details about the results of CRUD operations.

For more richly tracking the results of specific operations, we recommend other sources of information such as the mongod logs, using Change Streams, or profiling via the system.profile collection.

Does this make sense?

Comment by barak gilboa [ 13/Jun/19 ]

Hi Eric,

The use case we are interested in is extracting data on events that occurred on the platform.

We would like to review commands and instructions that happened, whether they failed or succeeded, the user who initiated the instructions, and other data as well.

We can see in your doc. that only the following two are supported. - link

Regarding error codes, for instance, when inserting 2 documents with the same ID, error code 11000 is created in the mongo message. This error is not reflected in the native audit log, as opposed to the "Unauthorized" and "AuthenticationFailed" errors, which are supported.

As we see it, every transaction that failed to get executed should be reflected in the audit log under "result :" field. 

Another issue with "result" is that only code is provided and not error message as well.

 

Example of error not appearing in audit:

command in mongo shell:

db.test.insert({"_id" : "1", "val":"user"})

WriteResult({ "nInserted" : 1 })

db.test.insert({"_id" : "1", "val":"user"})

WriteResult({ "nInserted" : 0, "writeError" : { "code" : 11000, "errmsg" : "E11000 duplicate key error collection: admin.test index: id dup key: { : \"1\" }" } })

 

Audit log representing the event:

{ "atype" : "authCheck", "ts" : { "$date" : "2019-06-13T15:11:17.116+0300" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 41884 }, "users" : [ { "user" : "siteadmin", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" } ], "param" : { "command" : "insert", "ns" : "admin.test", "args" : { "insert" : "test", "ordered" : true, "lsid" : { "id" : { "$binary" : "BalL5sLBSWG5vzQY/+5Yxg==", "$type" : "04" } }, "$db" : "admin", "documents" : [ { "_id" : "1", "val" : "user" } ] } }, "result" : 0 }
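
Added example (not part of the ticket and not MongoDB's code): a Python reader for audit log lines like the one above. It treats `result` as the outcome of the authentication/authorization check only, as the 18/Jun/19 reply describes, and lists the denied events. The sample lines are constructed; the second and third records, the `reader` user, and the layout of the `authenticate` record (empty `users`, name and `SCRAM-SHA-1` mechanism in `param`) are assumptions.

```python
import json

# Result codes the ticket lists for the audit log; 0 means the check passed.
AUDIT_RESULT = {0: "Success", 13: "Unauthorized", 18: "AuthenticationFailed"}

def summarize(line):
    """Parse one JSON audit line into the fields an auth-focused review needs."""
    ev = json.loads(line)
    param = ev.get("param", {})
    # authCheck records name the principal in users[]; the constructed
    # authenticate record below carries the attempted name in param instead.
    who = [f'{u["user"]}@{u["db"]}' for u in ev.get("users") or []]
    if not who and "user" in param:
        who = [f'{param["user"]}@{param.get("db", "?")}']
    code = ev.get("result")
    return {
        "ts": ev.get("ts", {}).get("$date"),
        "atype": ev.get("atype"),
        "who": who,
        "remote": ev.get("remote", {}).get("ip"),
        "command": param.get("command"),
        "ns": param.get("ns"),
        # result describes the auth check only; a write error such as E11000
        # raised later by the command itself never shows up here.
        "auth_outcome": AUDIT_RESULT.get(code, f"Unknown({code})"),
    }

def denied(lines):
    """Return summaries of every event whose auth result is non-zero."""
    summaries = (summarize(l) for l in lines if l.strip())
    return [s for s in summaries if s["auth_outcome"] != "Success"]

# Constructed sample. Line 1 is abridged from the ticket's authCheck record;
# lines 2 and 3 are invented: a denied insert and a failed login.
SAMPLE = [
    '{"atype":"authCheck","ts":{"$date":"2019-06-13T15:11:17.116+0300"},'
    '"remote":{"ip":"127.0.0.1","port":41884},"users":[{"user":"siteadmin","db":"admin"}],'
    '"param":{"command":"insert","ns":"admin.test"},"result":0}',
    '{"atype":"authCheck","ts":{"$date":"2019-06-13T15:12:02.000+0300"},'
    '"remote":{"ip":"127.0.0.1","port":41886},"users":[{"user":"reader","db":"admin"}],'
    '"param":{"command":"insert","ns":"admin.test"},"result":13}',
    '{"atype":"authenticate","ts":{"$date":"2019-06-13T15:13:40.000+0300"},'
    '"remote":{"ip":"127.0.0.1","port":41890},"users":[],'
    '"param":{"user":"siteadmin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
]

if __name__ == "__main__":
    for s in denied(SAMPLE):
        print(s["ts"], s["atype"], s["who"], s["remote"], s["auth_outcome"])
```

The first record is the duplicate-key insert from the thread: it is summarized as `Success` because the authorization check passed, which is why the 11000 write error has to be picked up from the mongod logs, Change Streams, or the profiler instead.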

 

Comment by Eric Sedor [ 12/Jun/19 ]

Hi barak.gilboa@imperva.com,

Can you please help us understand and reason about this request by elaborating on your use-case and what purpose the audit log is serving in your system?

We'd also be interested in some errors you feel you aren't able to track in either the audit log or the mongod logs.

Thanks in advance.
