(DOCSP-43346) Auditing and Logging (#33)

JuliaMongo · web-flow · commit 4485252c3dc2 · 2024-11-09T21:56:02.000-05:00
* Draft
* Add TF example
* Copy review
diff --git a/source/auditing-logging.txt b/source/auditing-logging.txt
@@ -1,7 +1,7 @@
 .. _arch-center-auditing-logging:
 
 ====================
-Auditing and Logging 
+Auditing and Logging
 ====================
 
 .. default-domain:: mongodb
@@ -12,40 +12,117 @@ Auditing and Logging
    :depth: 1
    :class: onecol
 
-Intro statement
+To monitor and log |service| platform activities, use auditing and logs.
 
 {+service+} Features and Best Practices for Auditing and Logging
 ----------------------------------------------------------------
 
-Content here
+.. _auditing:
 
-Examples
---------
+Auditing
+~~~~~~~~
 
-The following examples <perform this action> using |service|
-:ref:`tools for automation <arch-center-automation>`.
+Database auditing lets you track system activity for deployments with
+multiple users. As a |service| administrator, you can:
 
-.. tabs::
+- Rely on default auditing settings in |service|. By default, |service|
+  performs database authentication auditing in ``M10+`` {+clusters+} to
+  record authentication events, including those pertaining to:
+
+  - database users
+  - source IP addresses
+  - timestamps for successful and failed attempts
+
+- Configure a JSON-formatted audit filter to customize MongoDB auditing
+  and select the actions, database users, |service| roles, and |ldap| groups
+  that you want to audit. If you create a custom audit filter, you can
+  skip using the managed {+atlas-ui+} auditing filter builder and configure
+  your own tailored filter of event auditing.
+  
+  You can :manual:`configure manual auditing </core/auditing>` of most of the
+  documented :manual:`system event actions </reference/audit-message/mongo/>`
+  in |service|. Granular MongoDB database auditing allows you to track
+  usage of all DDL (Data Definition Language), DML (Data Manipulation Language),
+  and DCL (Data Control Language) commands in detail. For a full list of
+  events you can configure for auditing, and for a list of examples,
+  see :manual:`MongoDB auditing </core/auditing>`. See also
+  :atlas:`Set up Database Auditing </database-auditing>`.
+
+- :atlas:`Audit the actions of temporary database users </production-notes/#audit-temporary-database-users>`.
+
+.. _accessing-audit-logs:
+
+Accessing Audit Logs
+~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/cloud-docs/logs.rst
+
+To retrieve the audit logs using the {+atlas-admin-api+}, see
+:oas-atlas-op:`Logs </downloadLogsForOneClusterHostInOneProject>`. You
+can use these API commands:
+
+- :ref:`atlas-auditing-describe <atlas-auditing-describe>` returns the
+  auditing configuration for the specified project.
+- :ref:`atlas-auditing-update <atlas-auditing-update>` updates
+  the auditing configuration for the specified project.
 
-   .. tab:: Dev and Test Environments
-      :tabid: devtest
+You can :ref:`view authentication attempts <access-tracking>` that users
+make against your {+cluster+}. |service| logs both successful and unsuccessful
+authentication attempts, including the timestamp of each attempt and which
+user tried to authenticate.
 
-      .. include:: /includes/shared-settings-clusters-devtest.rst
+You can :ref:`view and filter the activity feed <view-activity-feed>`
+for an organization or project.
 
-   .. tab:: Staging and Prod Environments
-      :tabid: stagingprod
+To perform a full audit, you can use a combination of audit logs,
+the ``mongodb.log``, and :ref:`the project activity feed <view-activity-feed>`.
 
-      .. include:: /includes/shared-settings-clusters-stagingprod.rst
+You can use the ``atlas deployments logs`` command in the {+atlas-cli+}
+to retrieve deployment logs. To learn more,
+see :atlas:`Atlas Deployment Logs </cli/current/command/atlas-deployments-logs/>`.
+
+Examples
+--------
+
+The following examples show how to download logs and enable auditing
+using |service| :ref:`tools for automation <arch-center-automation>`.
+
+In addition to the following examples, see the blogpost
+`Streamlining Log Management to Amazon S3 Using Atlas Push-based Log Exports With HashiCorp Terraform <https://www.mongodb.com/developer/products/atlas/streamlining-log-management-amazon-s3-atlas-push-based-log-exports-hashicorp-terraform/>`__.
 
 .. tabs::
 
    .. tab:: CLI
       :tabid: cli
 
-      Content here
+      Download Logs
+      ~~~~~~~~~~~~~
+
+      Run the following CLI command to download a compressed file that contains the
+      MongoDB logs for the specified host in your project.
+
+      .. include:: /includes/examples/cli-example-download-logs.rst
 
    .. tab:: Terraform
       :tabid: Terraform
+ 
+      The following example demonstrates how to enable auditing for
+      your deployment. Before you can create resources with Terraform,
+      you must:
+
+      - :ref:`Create your paying organization <configure-paying-org>`
+        and :ref:`create an API key <atlas-admin-api-access>` for the
+        paying organization. Store your public and private keys as
+        environment variables by running the following commands in the terminal:
+
+        .. code-block::
+
+           export MONGODB_ATLAS_PUBLIC_KEY="<insert your public key here>"
+           export MONGODB_ATLAS_PRIVATE_KEY="<insert your private key here>"
+
+      - `Install Terraform <https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli>`__.
 
-      Content here
+      Enable Auditing and Create an Auditing Filter for the {+Cluster+}
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+      .. include:: /includes/examples/tf-example-auditing-filter.rst
diff --git a/source/includes/cloud-docs/logs.rst b/source/includes/cloud-docs/logs.rst
@@ -0,0 +1,6 @@
+You can download |service| logs at any point until the end of their
+retention periods by using the {+atlas-ui+}, {+atlas-admin-api+}, and
+{+atlas-cli+}. |service| retains the last 30 days of log messages and
+system event audit messages.
+
+To learn more, see :ref:`mongodb-logs`.
diff --git a/source/includes/examples/tf-example-auditing-filter.rst b/source/includes/examples/tf-example-auditing-filter.rst
@@ -0,0 +1,60 @@
+.. code-block:: shell 
+   :copyable: true 
+
+   # Create a project
+   resource "mongodbatlas_project" "project_test" {
+     name   = var.project_name
+     org_id = var.org_id
+   }
+
+   # Create a cluster with three nodes
+   resource "mongodbatlas_advanced_cluster" "cluster_test" {
+     project_id   = mongodbatlas_project.project_test.id
+     name         = var.cluster_name
+     cluster_type = "REPLICASET"
+
+     replication_specs {
+       region_configs {
+         priority      = 7
+         provider_name = "AWS"
+         region_name   = "US_EAST_1"
+         electable_specs {
+           instance_size = "M10"
+           node_count    = 3
+         }
+       }
+     }
+   }
+
+   # Specify an auditing resource and enable auditing for a project.
+   # To configure auditing, specify the unique project ID. If you change
+   # this value to a different "project_id", this deletes the current audit
+   # settings for the original project.
+
+   # "audit_authorization_success" indicates whether the auditing system
+   # captures successful authentication attempts for audit filters using
+   # the "atype" : "authCheck" auditing event. Warning! If you set
+   # "audit_authorization_success" to "true", this can severely impact
+   # cluster performance. Enable this option with caution.
+
+   # "audit_filter" is the JSON-formatted audit filter.
+   # "enabled" denotes whether or not the project associated with the
+   # specified "{project_id}"" has database auditing enabled. Defaults to "false".
+
+   # Auditing created by API Keys must belong to an existing organization.
+
+   # In addition to arguments listed previously, the following attributes
+   # are exported:
+
+   # "configuration_type" denotes the configuration method for the audit filter.
+   # Possible values are:
+   # - "NONE" - auditing is not configured for the project.
+   # - "FILTER_BUILDER" - auditing is configured via the Atlas UI filter builder.
+   # - "FILTER_JSON" - auditing is configured via a custom filter in Atlas or API.
+
+   resource "mongodbatlas_auditing" "test" {
+        project_id                  = "mongodbatlas_project.project_test.id"
+        audit_filter                = "{ 'atype': 'authenticate', 'param': {   'user': 'auditAdmin',   'db': 'admin',   'mechanism': 'SCRAM-SHA-1' }}"
+        audit_authorization_success = false
+        enabled                     = true
+    }
diff --git a/source/landing-zone.txt b/source/landing-zone.txt
@@ -38,7 +38,7 @@ A landing zone is a well-architected and pre-configured environment for
 working in the cloud that conforms to your organization's unique
 requirements. A landing zone is often a prerequisite for enterprises to
 move workloads to the cloud, and it is is often provisioned
-programatically using an API or tools like Terraform.
+programmatically using an API or tools like Terraform.
 
 An {+service+} landing zone defines how your team will work in
 {+service+}, including the internal settings and tools they should use,
diff --git a/source/monitoring-alerts.txt b/source/monitoring-alerts.txt
@@ -334,12 +334,7 @@ To learn more, see :ref:`namespace-insights`.
 Recommendations for Monitoring by Using Logs 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-You can download |service| logs at any point until the end of their
-retention periods by using the {+atlas-ui+}, {+atlas-admin-api+}, and
-{+atlas-cli+}. |service| retains the last 30 days of log messages and
-system event audit messages. 
-
-To learn more, see :ref:`mongodb-logs`.
+.. include:: /includes/cloud-docs/logs.rst
 
 Examples
 --------
