Audit Logs
View, filter, and export comprehensive audit logs for compliance and security monitoring
Audit Logs Enterprise
Audit logs provide a complete record of all actions performed in your workspace, enabling compliance tracking, security monitoring, and forensic investigation.
Overview
MongoDash automatically captures detailed audit logs for all workspace activities, including:
- User authentication - Sign-ins, sign-outs, failed login attempts
- Data operations - Document reads, writes, updates, and deletions
- Administrative actions - User invitations, role changes, workspace settings
- API activity - REST API calls, webhook triggers, scheduled query executions
- Permission changes - Role assignments, access grants, security policy updates
Audit logs are available exclusively on the Enterprise plan and are retained according to your configured retention policy.
Accessing Audit Logs
Navigate to Workspace Settings from the workspace dropdown menu.
Select Audit & Compliance from the left sidebar.
Click the Audit Logs tab to view all recorded events.
Understanding Log Entries
Each audit log entry contains:
- Timestamp - Exact date and time (UTC) when the action occurred
- User - Email address or API key identifier of the actor
- Action - Specific operation performed (e.g.,
document.update,user.invite) - Resource - Target resource (collection name, user ID, setting name)
- IP Address - Source IP address of the request
- Status - Success or failure indicator
- Details - Additional context including query parameters, affected document counts
Example Log Entry
{
"id": "log_2024_abc123",
"timestamp": "2024-02-24T14:32:10.523Z",
"actor": {
"type": "user",
"email": "admin@company.com",
"id": "usr_xyz789"
},
"action": "collection.documents.delete",
"resource": {
"type": "collection",
"database": "production_db",
"collection": "users",
"connection": "conn_main_prod"
},
"metadata": {
"documentsAffected": 3,
"filter": "{\"status\": \"inactive\"}",
"ipAddress": "203.0.113.42",
"userAgent": "Mozilla/5.0..."
},
"status": "success"
}Filtering and Searching
Quick Filters
Use the filter bar to narrow down logs by common criteria:
- Date Range - Last 24 hours, 7 days, 30 days, or custom range
- User - Filter by specific user or API key
- Action Type - Authentication, data operations, administrative actions
- Status - Success, failure, or both
- Resource - Specific database, collection, or connection
Advanced Query Syntax
For complex filtering, use the advanced search mode with MongoDB-style query syntax:
// Find all failed login attempts in the last 7 days
{
"action": "auth.login.failed",
"timestamp": { "$gte": "2024-02-17T00:00:00Z" }
}// Find all deletions by a specific user
{
"action": { "$regex": "^.*\\.delete$" },
"actor.email": "admin@company.com"
}// Find all actions from suspicious IP range
{
"metadata.ipAddress": { "$regex": "^192\\.168\\.1\\." }
}Save frequently used filters as presets for quick access. Click "Save Filter" after configuring your search criteria.
Exporting Logs
Export Formats
Export audit logs in multiple formats for external analysis:
- CSV - For spreadsheet analysis in Excel or Google Sheets
- JSON - For programmatic processing and SIEM integration
- PDF - For compliance documentation and reporting
Apply filters to select the logs you want to export.
Click the Export button in the top right corner.
Choose your desired format (CSV, JSON, or PDF).
Optionally configure export settings:
- Include/exclude specific fields
- Add custom header or footer (PDF only)
- Set compression for large exports
Click Generate Export. Large exports are processed in the background and delivered via email.
Automated Exports
Schedule regular audit log exports for compliance archival:
// Example: Daily export configuration
{
"frequency": "daily",
"time": "03:00 UTC",
"format": "json",
"filter": {
"timestamp": { "$gte": "yesterday" }
},
"destination": {
"type": "s3",
"bucket": "company-audit-logs",
"path": "/mongodash/{{year}}/{{month}}/{{day}}.json.gz"
}
}Exported audit logs may contain sensitive information. Ensure exports are stored securely and access is restricted appropriately.
Retention Policies
Default Retention
Enterprise plans include:
- Standard retention: 90 days of audit logs
- Extended retention: Up to 7 years for compliance requirements
- Archival options: Long-term cold storage with on-demand retrieval
Configuring Retention
Go to Audit & Compliance > Retention Settings.
Set your retention period (90 days, 1 year, 2 years, 5 years, or 7 years).
Configure archival storage (optional):
- Enable cold storage archival
- Set archival threshold (e.g., after 90 days)
- Configure retrieval options
Click Save Retention Policy to apply changes.
Compliance Considerations
Retention periods for common compliance frameworks:
| Framework | Minimum Retention | Recommended |
|---|---|---|
| SOC 2 | 1 year | 2 years |
| GDPR | 30 days | 90 days |
| HIPAA | 6 years | 7 years |
| PCI DSS | 1 year | 3 years |
Consult with your compliance team to determine appropriate retention periods for your organization's requirements.
Real-Time Monitoring
Audit Log Streaming
Stream audit logs to external SIEM systems for real-time monitoring:
Supported integrations:
- Splunk
- Datadog
- Sumo Logic
- Elastic Stack
- AWS CloudWatch
Configure streaming in Audit & Compliance > Integrations.
Alert Rules
Create alerts for suspicious activities:
// Example: Alert on multiple failed login attempts
{
"name": "Multiple Failed Logins",
"condition": {
"action": "auth.login.failed",
"count": { "$gte": 5 },
"timeWindow": "5 minutes",
"groupBy": "actor.email"
},
"notification": {
"channels": ["email", "slack"],
"recipients": ["security@company.com"],
"severity": "high"
}
}API Access
Access audit logs programmatically via the REST API:
# Fetch recent audit logs
curl -X GET https://api.mongodash.com/v1/audit-logs \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"filter": {
"timestamp": { "$gte": "2024-02-20T00:00:00Z" }
},
"limit": 100,
"sort": { "timestamp": -1 }
}'# Export audit logs
curl -X POST https://api.mongodash.com/v1/audit-logs/export \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"format": "json",
"filter": {
"action": { "$regex": "^collection\\." }
},
"destination": {
"type": "email",
"email": "admin@company.com"
}
}'Use API access for automated compliance reporting and integration with existing security workflows.
Best Practices
Security Monitoring
- Review regularly - Check audit logs weekly for unusual patterns
- Set up alerts - Configure real-time alerts for critical events
- Investigate anomalies - Follow up on suspicious IP addresses or unusual access patterns
- Document procedures - Maintain runbooks for incident response
Compliance Audits
- Establish baselines - Document normal activity patterns
- Automate reporting - Schedule regular compliance report generation
- Maintain evidence - Export and archive logs according to compliance requirements
- Test retrieval - Periodically verify archived logs are accessible
Performance Optimization
- Use specific filters - Narrow queries to reduce processing time
- Archive old logs - Move historical data to cold storage
- Batch exports - Schedule large exports during off-peak hours
- Limit retention - Only retain what's required for compliance
Troubleshooting
Missing Log Entries
If expected log entries are missing:
- Verify the action occurred within your retention period
- Check that audit logging is enabled for the resource type
- Ensure your user role has permission to view audit logs
- Contact support if logs are missing for recent activities
Slow Search Performance
To improve search performance:
- Use narrower date ranges
- Add specific filters (user, action type, resource)
- Avoid broad regex patterns when possible
- Consider exporting and analyzing locally for complex queries
What's Next?
- Compliance Reports - Generate SOC 2, GDPR, and HIPAA reports
- Data Retention - Configure data lifecycle policies
- API Integration - Automate audit log analysis