Audit Events

Amazon DocumentDB will optionally record audit events for certain operations. In the last section we enabled audit logs along with the profiler. In this section we’ll explore the audit event data.

Viewing audit logs

You can see the audit logs by going to the Amazon CloudWatch console, selecting Logs -> Log groups in the navigation pane, and searching for the Log group /aws/docdb/<DbClusterIdentifier>/audit.

Amazon CloudWatch Logs

Click on the log group and you’ll see a log stream for the affected database instance(s).

Amazon CloudWatch Log Stream

Click on the log stream and you’ll see example log output.

Amazon CloudWatch Log Event

Supported events include authentication and the creation of databases and collections, so you can try out a few sample commands and watch for the audit events to appear. For example, in Cloud9, open a mongo shell and try:

db.new_collection.insert({'data': 1})

You should see an audit event for the new collection creation.

Log queries

You can do simple log filtering by typing a search into the Log events search box. For example, to look only for events affecting the user MasterUser:

Amazon CloudWatch Log Filter

For more advanced analysis, you can use Amazon CloudWatch Logs Insights.

For example, let’s go to the Insights part of the Amazon CloudWatch console.

Amazon CloudWatch Log Insights

Enter /aws/docdb/ into the search box to start filtering the available log groups, and select the log group for your database’s audit events.

Amazon CloudWatch Log Insights Select

Enter this query to only look at createCollection events:

filter atype="createCollection" | sort millis desc | limit 10

Click Run query.

Amazon CloudWatch Log Insights Results
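
The same filter, sort and limit applied offline to exported audit log lines, as an added example that is not part of the original workshop. The sample events are constructed, and every field name other than atype (ts, user, remote_ip, param) is an assumption about the audit record layout.

```python
import json

# Constructed sample audit events (not real log output). Only "atype" appears
# on the page; "ts", "user", "remote_ip" and "param" are assumed field names.
SAMPLE_LINES = [
    '{"atype": "authenticate", "ts": 1700000000000, "user": "MasterUser", "remote_ip": "10.0.0.5:40112", "param": {"success": true}}',
    '{"atype": "createCollection", "ts": 1700000060000, "user": "MasterUser", "remote_ip": "10.0.0.5:40112", "param": {"ns": "test.new_collection"}}',
    'not json: truncated line',
    '{"atype": "createCollection", "ts": 1700000120000, "user": "appuser", "remote_ip": "10.0.0.9:51820", "param": {"ns": "test.orders"}}',
    '{"atype": "createCollection", "user": "appuser", "param": {"ns": "test.no_timestamp"}}',
]


def parse_events(lines):
    """Parse one JSON audit event per line; skip lines that are not JSON objects."""
    events = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events


def query(lines, atype, sort_field="ts", limit=10, user=None):
    """Offline equivalent of: filter atype=... | sort <field> desc | limit N."""
    hits = [e for e in parse_events(lines)
            if e.get("atype") == atype and (user is None or e.get("user") == user)]
    # Events missing the sort field go last instead of raising a TypeError.
    hits.sort(key=lambda e: (sort_field in e, e.get(sort_field, 0)), reverse=True)
    return hits[:limit]


if __name__ == "__main__":
    for e in query(SAMPLE_LINES, "createCollection"):
        print(e.get("ts"), e.get("user"), e.get("param", {}).get("ns"))
```

Pass sort_field="millis" to sort on the field named in the query above, and user="MasterUser" to narrow the results the way the Log events search box does.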