Audit a specific collection and all user events

Hi guys, I’m trying to audit CRUD events in a specific collections and user events, but when I add a second atype to my filter it stops to register events. It doesn’t throws any error at the start the mongod process.

Here is my filter:

auditLog:
destination: file
format: JSON
path: /mongodb/audit.json
filter: ‘{ atype: { $in: [ “createCollection”,“createDatabase”,“createIndex”,“renameCollection”,“dropCollection”,“dropDatabase”,“dropIndex”,“createUser”,“dropUser”,“dropAllUsersFromDatabase”,“updateUser”,“grantRolesToUser”,“revokeRolesFromUser”,“createRole”,“updateRole”,“dropRole”,“dropAllRolesFromDatabase”,“grantRolesToRole”,“revokeRolesFromRole”,“grantPrivilegesToRole”,“revokePrivilegesFromRole”,“shutdown” ] }, atype: “authCheck”,“param.ns”: “test.orders”, “param.command”: { $in: [ “find”, “insert”, “delete”, “update”, “findandmodify” ] } }’

setParameter: { auditAuthorizationSuccess: true }

What I am doing wrong?

Hello @Oscar_Cervantes, the filter is a JSON. A JSON with same keys (or fields) result in one key only. For example, in mongo shell try this:

> var j1 = { a: 12, b: "xyz" }
> j1 // returns { "a" : 12, "b" : "xyz" }

> var j2 = { a: 761, b: "mno", a: 900 }
> j2 // returns { "a" : 900, "b" : "mno" }

Note the j2 has a single key with the name a. That is exactly what is happening with your query filter - only one atype is considered.

1 Like

Got it!, thank you very much, then should be like this

filter: '{ atype: { $in: [ "createCollection", ... ,"authCheck"]},
             "param.ns": "test.orders", 
			 "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] }'

Then I shuld apply querys in expressions, right?

question, is every expression an “and”?, I mean, in my example, results should accomplish “param.ns” and “param.command”

Thanks

Hello @Oscar_Cervantes, in a query filter the $and is implicitly applied - so you don’t need to specify it explicitly. For example,

{ a: 3, b: "apples", c: 24.55 }
is same as
{ $and: [ { a: 3 }, { b: "apples" }, { c: 24.55 } ] }

then if I need ors they should be in the same expression?

{ $or: [ { param.ns: 3 }, { param.command: “apples” }, { param.user: 24.55 } ] }

Yes, that is the correct usage of the $or operator.