Audit Events

Amazon DocumentDB will optionally record audit events for certain operations. In the last section you enabled audit logs along with the profiler. In this section you will explore the audit event data.

Viewing audit logs

You can see the audit logs by going to the Amazon CloudWatch console, selecting Logs -> Log groups in the navigation pane, and searching for the Log group /aws/docdb/<DbClusterIdentifier>/audit.

Amazon CloudWatch Logs

Click on the audit log group and you will see a log stream for each database instance.

Amazon CloudWatch Log Stream

Click on a log stream to see the audit log contents.

Amazon CloudWatch Log Event

Supported events include authentication and the creation of databases and collections, so you can try out a few sample commands and watch for the audit events to appear. For example, in Cloud9, open a mongo shell and insert a document into a new collection:

db.new_collection.insert({'data': 1})

You will see an audit event corresponding to the creation of the new collection.

Log queries

You can do simple log filtering by typing a search term into the Log events search box. For example, to look only for events affecting the user labuser:

Amazon CloudWatch Log Filter

For more advanced analysis, you can use Amazon CloudWatch Logs Insights. Go to the Insights part of the Amazon CloudWatch console.

Amazon CloudWatch Log Insights

Enter /aws/docdb/ into the search box to filter the available log groups, and select the log group for your database’s audit events.

Amazon CloudWatch Log Insights Select

Enter this query to only look at createCollection events:

filter atype="createCollection" | sort @timestamp desc | limit 10

Click Run query.

Amazon CloudWatch Log Insights Results
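
The same two checks can be run offline against audit events exported from the log group. The script below is an added example, not part of the original workshop: it lists recent createCollection events for one user and counts failed authentications per client address. The sample lines are constructed, and the field names other than atype (ts, remote_ip, user, param.ns, param.success) are assumed from the documented DocumentDB audit event format rather than shown on this page.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines shaped like DocumentDB audit events (assumed fields:
# atype, ts in epoch milliseconds, remote_ip, user, param). Not real log data.
SAMPLE_LINES = [
    '{"atype":"authenticate","ts":1700000000000,"remote_ip":"10.0.1.15:40112",'
    '"user":"","param":{"user":"labuser","mechanism":"SCRAM-SHA-1","success":true}}',
    '{"atype":"createCollection","ts":1700000005000,"remote_ip":"10.0.1.15:40112",'
    '"user":"labuser","param":{"ns":"test.new_collection"}}',
    '{"atype":"authenticate","ts":1700000010000,"remote_ip":"10.0.9.77:51800",'
    '"user":"","param":{"user":"labuser","mechanism":"SCRAM-SHA-1","success":false}}',
    '{"atype":"authenticate","ts":1700000011000,"remote_ip":"10.0.9.77:51802",'
    '"user":"","param":{"user":"admin","mechanism":"SCRAM-SHA-1","success":false}}',
    'truncated line {"atype":"createColl',
    '{"atype":"createCollection","ts":1700000020000,"remote_ip":"10.0.1.15:40112",'
    '"user":"labuser","param":{"ns":"test.orders"}}',
]

def parse_events(lines):
    """Return (events, skipped): parsed events and the count of unusable lines."""
    events, skipped = [], 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if isinstance(event, dict) and "atype" in event:
            events.append(event)
        else:
            skipped += 1
    return events, skipped

def created_collections(events, user=None, limit=10):
    """Newest-first (UTC time, user, namespace) tuples for createCollection events."""
    hits = [e for e in events if e["atype"] == "createCollection"
            and (user is None or e.get("user") == user)]
    hits.sort(key=lambda e: e.get("ts", 0), reverse=True)
    return [(datetime.fromtimestamp(e["ts"] / 1000, tz=timezone.utc).isoformat(),
             e.get("user", ""), e.get("param", {}).get("ns", "")) for e in hits[:limit]]

def failed_auth_by_ip(events):
    """Count failed authenticate events per client IP (source port stripped)."""
    return Counter(e.get("remote_ip", "").rsplit(":", 1)[0] for e in events
                   if e["atype"] == "authenticate" and not e.get("param", {}).get("success", False))

if __name__ == "__main__":
    events, skipped = parse_events(SAMPLE_LINES)
    print(skipped, created_collections(events, user="labuser"), failed_auth_by_ip(events))
```

Counting skipped lines instead of silently dropping them makes a truncated or malformed export visible before you rely on the results.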