MongoDB audit logging is Enterprise only
/etc/mongod.conf# Enterprise only — this will not start on Community:# auditLog:# destination: file# format: JSON# path: /var/log/mongodb/audit.json
# What Community actually gives you:systemLog: destination: file path: /var/log/mongodb/mongod.log logAppend: true verbosity: 0 component: accessControl: verbosity: 1The thing to know first
Section titled “The thing to know first”MongoDB’s auditing facility is Enterprise only. It is not available in Community Edition — not disabled by default, not behind a flag. The feature isn’t in the binary.
This is worth stating plainly because “enable audit logging” appears on nearly
every MongoDB hardening checklist, generally without mentioning that following it
requires MongoDB Enterprise Advanced or Atlas. If you’re running the Community
edition you installed from MongoDB’s repo, auditLog in your config will stop the
server from starting, and that is the only feedback you get.
If you genuinely need auditing for a compliance obligation, that is a purchasing decision, not a configuration one. Knowing that now is cheaper than finding out during an audit.
What Community actually gives you
Section titled “What Community actually gives you”Less than an audit log, but not nothing:
Authentication events in mongod.log. Successful and failed authentications
are logged by the accessControl component. Raising that component’s verbosity to
1 gets you connection and authentication detail without the firehose of raising
global verbosity. This is the closest thing to an authentication audit trail you
have, and it is genuinely useful during an incident.
The profiler, with caveats. db.setProfilingLevel(2) records every operation
into system.profile. It is built for performance analysis, not security, and it
shows:
db.setProfilingLevel(2)db.system.profile.find().sort({ ts: -1 }).limit(5).pretty()Understand what you’re accepting before leaving it on:
- It is per-database, so you’d enable it everywhere and check everywhere.
- It costs performance on every operation.
- It writes your queries into a collection — including their filter values.
That means personal data, tokens and anything else in a query predicate now
lives in
system.profile, which is inside the database with its own access rules and gets picked up by your backups. You may have created a disclosure problem while trying to create an audit trail. - It is a capped collection, so it silently discards the oldest entries. It cannot answer “what happened last Tuesday”.
That last point is the one that matters: a capped, rotating buffer is not an audit log, and treating it as one will fail you exactly when you need it.
Why this is low
Section titled “Why this is low”It closes no exposure. Nothing on this page makes an attack harder — it changes
what you can reconstruct afterwards. That’s real value during an incident and
zero value before one, which is what low means here.
Order matters more than completeness: authorization, binding and roles prevent the incident. This one only helps you write it up.
Related
Section titled “Related”- Enable authorization — there is nothing to log until users exist.
- MongoDB exposed to the internet — where you’ll wish you had this.