Query data generated by the official audit log feature - ApsaraDB for MongoDB

This topic describes how to view audit logs on ApsaraDB for MongoDB.

Prerequisites

The audit log feature is enabled for the instance. For more information, see Enable the audit log feature.

Query audit logs

Log on to the ApsaraDB for MongoDB console.
In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances.
In the upper-left corner of the page, select the resource group and region to which the instance belongs.
Click the ID of the instance that you want to manage or click Manage in the Actions column.
In the left-side navigation pane of the instance details page, choose Data Security > Audit Logs.
On the Mongo audit log center page, query the details of audit logs. By default, the audit logs of 15 minutes (relative) are displayed.
You can click Refresh in the upper-right corner of the Mongo audit log center page to set the refresh frequency of audit logs.
- Once
  Specifies to immediately refresh audit logs.
- Automatic Refresh
  Specifies to refresh audit logs every 15 seconds, 60 seconds, 5 minutes, or 15 minutes.
  Note
  If you do not want to use the auto-refresh interval specified by this parameter, choose Refresh > Close to clear the current parameter setting, and then reset this parameter.

Filter the audit logs of the instance

You can view the audit logs that meet specified filter conditions.

Log on to the ApsaraDB for MongoDB console.
In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances.
In the upper-left corner of the page, select the resource group and region to which the instance belongs.
Click the ID of the instance that you want to manage or click Manage in the Actions column.
In the left-side navigation pane of the instance details page, choose Data Security > Audit Logs.

On the Mongo audit log center page, specify the filter conditions.

The following table describes filter conditions that you can specify.

Filter condition	Description
Keyword	The keyword that is included in the audit logs to be viewed. A keyword can be a client IP address, a command, a username, or other extended information. The Keyword field supports exact match. You must enter complete information in the Keyword field. Examples: If you want to specify an IP address as a keyword, you must enter a complete IP address such as 192.168.1.1, not a partial IP address such as 192.168 or 1.1. If you want to specify a command as a keyword, you must enter a complete command such as AUTH or auth. Do not enter au. If a keyword contains a colon (:), enclose the keyword in a pair of double quotation marks (""). Example: `"userId:1"`.
Operation Type	The type of the operation.
Client IP Address	The client IP address that is used to connect to the instance. Examples: If an Elastic Compute Service (ECS) instance is connected to the ApsaraDB for MongoDB instance over the Internet, enter the public IP address of the ECS instance. If the ECS instance is connected to the ApsaraDB for MongoDB instance by using a virtual private cloud (VPC), enter the private IP address of the ECS instance.
Database Name	The name of the database.
Set Name	The name of the collection.
Username	The username that is used to connect to the instance.

View the audit logs of an instance over a specified time range

You can use the time picker to specify a time range.

Log on to the ApsaraDB for MongoDB console.
In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances.
In the upper-left corner of the page, select the resource group and region to which the instance belongs.
Click the ID of the instance that you want to manage or click Manage in the Actions column.
In the left-side navigation pane of the instance details page, choose Data Security > Audit Logs.
On the Mongo audit log center page, click Time Range.

In the Time panel, select a time range.

The following table describes the selections of the time picker.

Section	Description
Time details	When you move the pointer over a time option in the Relative section or Time Frame section, the time details section displays the time range that matches the selected time option.
Relative	Select a time range relative to the current time point. When you move the pointer over a time option in this section, the time details section displays the time range that maps the selected time option.
Time Frame	Select a time range that is accurate to the minute, hour, week, or day. When you move the pointer over a time option in this section, the time details section displays the time range that maps the selected time option.
Custom	Specify a custom time range. After you click OK, the custom time range is applied. Note The minimum query time is minute. To query audit logs accurate to seconds, log on to the Log Service console and enter a query or analytic statement. For more information about how to query audit logs within seconds, see Guide to log query and analysis.

Related API operations

Operation	Description
DescribeAuditRecords	Queries the audit logs of an ApsaraDB for MongoDB instance.

FAQ

Why do I view only 2,000 audit log entries?

The Mongo audit log center page of the ApsaraDB for MongoDB console displays a maximum of 2,000 audit log entries. To view more audit log entries, log on to the Log Service console. For more information, see Guide to log query and analysis.

Why do audit logs contain a small amount of data?

By default, after the audit log feature is enabled, the selected operation types are admin and slow. For more information about how to change operation types, see Modify operation types for audit logs.