Hi,
I’m trying to use mongodb auditLog.
In order to do so- I’ve changed the configuration file according to the documentation and it works fine.
The problem is that in order for it to work I have to restart mongod service.
Is there any option to change set auditLog without restarting mongod?
If not- is there at least a way to change the filter without restarting mongod? that’s something I need to change more often and restarting mongod isn’t an option
Thanks for your help,
Ofer
Auditing is intentionally configured via the process configuration file so audit filters cannot be changed or disabled via a compromised MongoDB user account.
Can you explain your use case for changing audit filtering frequently? There is likely an alternative approach to recommend.
Regards,
Stennie
Hi Stennie, thanks for your quick response.
I want to allow users to change the policy, so that every user will be able to see only the logs he needs.
The current solution that I found is to change the filter according to the specific user’s required policy, but then I have to restart mongod whenever the user want to change his policy.
Another solution I have is to filter the logs after mongodb is writing them, but writing all logs and then deleting unnecessary ones causes overload (unsurprisingly)
Ofer
Hi Ofer,
Auditing is intended to be a server-level configuration option rather than a per-user setting, as the typical use case is for compliance.
What audit events are you allowing your users to configure? You might want to look into Change Streams or database profiling as possible runtime alternatives.
A more typical multi-user approach for shared logging would be to send logs to a central service (for example, Splunk or Graylog) which provides filtering, dashboards, and role-based access control.
Regards,
Stennie