Skip to content

MongoDB audit logging is Enterprise only

Severity: lowApplies to: MongoDB Community 6.x / 7.x / 8.x
The fix/etc/mongod.conf
# Enterprise only — this will not start on Community:
# auditLog:
# destination: file
# format: JSON
# path: /var/log/mongodb/audit.json
# What Community actually gives you:
systemLog:
destination: file
path: /var/log/mongodb/mongod.log
logAppend: true
verbosity: 0
component:
accessControl:
verbosity: 1

MongoDB’s auditing facility is Enterprise only. It is not available in Community Edition — not disabled by default, not behind a flag. The feature isn’t in the binary.

This is worth stating plainly because “enable audit logging” appears on nearly every MongoDB hardening checklist, generally without mentioning that following it requires MongoDB Enterprise Advanced or Atlas. If you’re running the Community edition you installed from MongoDB’s repo, auditLog in your config will stop the server from starting, and that is the only feedback you get.

If you genuinely need auditing for a compliance obligation, that is a purchasing decision, not a configuration one. Knowing that now is cheaper than finding out during an audit.

Less than an audit log, but not nothing:

Authentication events in mongod.log. Successful and failed authentications are logged by the accessControl component. Raising that component’s verbosity to 1 gets you connection and authentication detail without the firehose of raising global verbosity. This is the closest thing to an authentication audit trail you have, and it is genuinely useful during an incident.

The profiler, with caveats. db.setProfilingLevel(2) records every operation into system.profile. It is built for performance analysis, not security, and it shows:

db.setProfilingLevel(2)
db.system.profile.find().sort({ ts: -1 }).limit(5).pretty()

Understand what you’re accepting before leaving it on:

  • It is per-database, so you’d enable it everywhere and check everywhere.
  • It costs performance on every operation.
  • It writes your queries into a collection — including their filter values. That means personal data, tokens and anything else in a query predicate now lives in system.profile, which is inside the database with its own access rules and gets picked up by your backups. You may have created a disclosure problem while trying to create an audit trail.
  • It is a capped collection, so it silently discards the oldest entries. It cannot answer “what happened last Tuesday”.

That last point is the one that matters: a capped, rotating buffer is not an audit log, and treating it as one will fail you exactly when you need it.

It closes no exposure. Nothing on this page makes an attack harder — it changes what you can reconstruct afterwards. That’s real value during an incident and zero value before one, which is what low means here.

Order matters more than completeness: authorization, binding and roles prevent the incident. This one only helps you write it up.