[SERVER-41635] MDB native audit only supports 2 error codes Created: 11/Jun/19 Updated: 11/Jul/19 Resolved: 11/Jul/19 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | barak gilboa | Assignee: | Eric Sedor |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Participants: |
| Description |
|
MDB native audit only supports the following error codes:
Need to add support for other failures as well. In addition, the error code isn't included in the audit log (we deduce it from MDB code and documentation). This issue is relevant to MDB on-prem and MDB Atlas. |
| Comments |
| Comment by Eric Sedor [ 11/Jul/19 ] | |
|
Thanks again for your suggestion. However, we are going to close this as the audit log is intended to provide primarily authentication/authorization related information. | |
| Comment by Eric Sedor [ 18/Jun/19 ] | |
|
Thanks for clarifying. The result indicated in this example is for the authCheck event prompted by the insert (which was successful independent of the result of the insert itself). The Audit Log is intended for this sort of system level activity, not for providing specific details about the results of CRUD operations. For more richly tracking the results of specific operations, we recommend other sources of information such as the mongod logs, using Change Streams, or profiling via the system.profile collection. Does this make sense? | |
| Comment by barak gilboa [ 13/Jun/19 ] | |
|
Hi Eric, The use case we are interested in is extracting data on events that occurred on the platform. We would like to review commands and instructions that happened, whether they failed or succeeded, the user who initiated the instructions, and other data as well. We can see in your doc that only the following two are supported. - link Regarding error codes, for instance, when inserting 2 documents with the same ID, error code 11000 is created in the mongo message. This error is not reflected in the native audit log, as opposed to the "Unauthorized" and "AuthenticationFailed" errors, which are supported. As we see it, every transaction that failed to get executed should be reflected in the audit log under the "result :" field. Another issue with "result" is that only the code is provided and not the error message as well.
Example of error not appearing in audit:
command in mongo shell:
db.test.insert({"_id" : "1", "val":"user"})
WriteResult({ "nInserted" : 1 })
db.test.insert({"_id" : "1", "val":"user"})
WriteResult({ "nInserted" : 0, "writeError" : { "code" : 11000, "errmsg" : "E11000 duplicate key error collection: admin.test index: id dup key: { : \"1\" }" } })
Audit log representing the event:
{ "atype" : "authCheck", "ts" : { "$date" : "2019-06-13T15:11:17.116+0300" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 41884 }, "users" : [ { "user" : "siteadmin", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" } ], "param" : { "command" : "insert", "ns" : "admin.test", "args" : { "insert" : "test", "ordered" : true, "lsid" : { "id" : { "$binary" : "BalL5sLBSWG5vzQY/+5Yxg==", "$type" : "04" }}, "$db" : "admin", "documents" : [ { "_id" : "1", "val" : "user" } ] } }, "result" : 0 }
| |
| Comment by Eric Sedor [ 12/Jun/19 ] | |
|
Can you please help us understand and reason about this request by elaborating on your use-case and what purpose the audit log is serving in your system? We'd also be interested in some errors you feel you aren't able to track in either the audit log or the mongod logs. Thanks in advance. |
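
The behaviour discussed in this ticket, as an added example that is not part of the original thread or MongoDB's own code: a small parser that tallies non-zero `result` values from audit log lines, showing that an authorized insert that later fails with E11000 never appears as a failure. It assumes 13 and 18 are the MongoDB error codes for "Unauthorized" and "AuthenticationFailed"; the sample lines are constructed.

```python
import json
from collections import Counter

# MongoDB error codes the audit "result" field reports for auth events (assumed mapping).
RESULT_NAMES = {0: "Success", 13: "Unauthorized", 18: "AuthenticationFailed"}

# Constructed sample audit lines (one JSON document per line); users, ports and
# timestamps are invented. The first mirrors the ticket's duplicate-key insert,
# the last is deliberately truncated to exercise the error path.
SAMPLE_AUDIT = r'''
{"atype":"authCheck","ts":{"$date":"2019-06-13T15:11:17.116+0300"},"users":[{"user":"siteadmin","db":"admin"}],"param":{"command":"insert","ns":"admin.test"},"result":0}
{"atype":"authCheck","ts":{"$date":"2019-06-13T15:12:02.004+0300"},"users":[{"user":"reader","db":"admin"}],"param":{"command":"insert","ns":"admin.test"},"result":13}
{"atype":"authenticate","ts":{"$date":"2019-06-13T15:12:40.551+0300"},"users":[],"param":{"user":"siteadmin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
{"atype":"authCheck","ts":{"$date":"2019-06-13T15:13:
'''

def parse_audit(text):
    """Return (events, skipped): parsed JSON lines and the count of unparseable ones."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1  # e.g. a line cut short mid-write
    return events, skipped

def principal(event):
    """Authenticated user if present, else the user named in an authenticate attempt."""
    users = event.get("users") or []
    if users:
        return f'{users[0]["user"]}@{users[0]["db"]}'
    p = event.get("param", {})
    return f'{p.get("user", "?")}@{p.get("db", "?")}'

def auth_failures(events):
    """Count non-zero results per (principal, atype, result name)."""
    counts = Counter()
    for e in events:
        code = e.get("result", 0)
        if code != 0:
            counts[(principal(e), e.get("atype"), RESULT_NAMES.get(code, f"code {code}"))] += 1
    return counts

if __name__ == "__main__":
    events, skipped = parse_audit(SAMPLE_AUDIT)
    for key, n in auth_failures(events).items():
        print(n, *key)
    print("unparseable lines:", skipped)
```

Write-level errors such as 11000 have to be collected from the sources named in the thread (mongod logs, Change Streams, or system.profile) and correlated with these events separately.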