Scalple
MongoDB · auditLog · GDPR Art. 32

MongoDB audit logging for GDPR compliance

Answer

MongoDB Community Edition has no per-operation audit logging — zero. Individual find, insert, update, and delete operations are not logged at all. Audit logging requires MongoDB Enterprise Advanced (commercial) or MongoDB Atlas M10+. Even with Enterprise auditLog, the log file is not structurally tamper-evident, and the log shows MongoDB users rather than human identities if shared accounts are used.

MongoDB Community Edition and GDPR

If your production MongoDB runs Community Edition, you have no audit trail. You cannot tell a supervisory authority which documents were read, by whom, or when. This is a structural GDPR Article 32 gap — not a configuration gap. It cannot be fixed without upgrading to Enterprise or using an external access layer.

MongoDB Community Edition logs these events: server startup and shutdown, connection open and close (with client IP), authentication success and failure, and index build events. It does not log any data access events — no reads, no writes, no deletes.

Community logs

  • Server startup/shutdown
  • Connection open/close
  • Authentication events
  • Index builds

Community does NOT log

  • find operations
  • insert / update / delete
  • Aggregation pipeline queries
  • GridFS operations

MongoDB Enterprise auditLog configuration

MongoDB Enterprise provides auditLog — a configurable per-operation audit mechanism with filter support and JSON output.

mongod.conf configuration

# mongod.conf (MongoDB Enterprise only)
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
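  # Filter to data access operations only. CRUD commands are audited as
  # atype "authCheck", with the command name in param.command.
  filter: '{ atype: "authCheck", "param.command": { $in: ["find","insert","update","delete","aggregate"] } }'
# Successful authorization checks are not audited by default; enable them
# so that permitted reads and writes appear in the log.
setParameter:
  auditAuthorizationSuccess: true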

Audit log entry — find operation

Find operations are logged with atype: "authCheck", not atype: "find". An authCheck entry is a command authorization event (reads, writes, etc.), and the command name is in param.command. The users array holds the MongoDB user, NOT the human operator if the account is shared:

{
  "atype": "authCheck",
  "ts": { "$date": "2024-01-15T14:23:47.000+00:00" },
  "local": { "ip": "127.0.0.1", "port": 27017 },
  "remote": { "ip": "10.0.1.5", "port": 52341 },
  "users": [
    { "user": "app_user", "db": "admin" }
  ],
  "roles": [{ "role": "readWrite", "db": "production" }],
  "param": {
    "command": "find",
    "ns": "production.users",
    "args": {
      "find": "users",
      "filter": { "id": 4892 }
    }
  },
  "result": 0
}
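
A reader for entries in this shape, as an added example (not code from Scalple or MongoDB): it keeps authCheck entries whose param.command is a data-access command, reports the account, client IP, namespace and whether the check passed, and counts unparseable lines. The sample lines, the DATA_COMMANDS list and the function names are constructed for illustration.

```python
import json
from collections import Counter

# Commands treated as data access here (an assumption; extend as needed).
DATA_COMMANDS = {"find", "insert", "update", "delete", "aggregate"}

# Constructed sample, one audit document per line; the last line is truncated on purpose.
SAMPLE_LOG = """\
{"atype":"authCheck","ts":{"$date":"2024-01-15T14:23:47.000+00:00"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.1.5","port":52341},"users":[{"user":"app_user","db":"admin"}],"roles":[{"role":"readWrite","db":"production"}],"param":{"command":"find","ns":"production.users","args":{"find":"users","filter":{"id":4892}}},"result":0}
{"atype":"authenticate","ts":{"$date":"2024-01-15T14:23:40.000+00:00"},"remote":{"ip":"10.0.1.5","port":52341},"users":[{"user":"app_user","db":"admin"}],"roles":[],"param":{"user":"app_user","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"authCheck","ts":{"$date":"2024-01-15T14:25:02.000+00:00"},"remote":{"ip":"10.0.1.9","port":40112},"users":[],"roles":[],"param":{"command":"delete","ns":"production.users","args":{"delete":"users"}},"result":13}
{"atype":"authCheck","ts":{"$date":"2024-01-15T14:26:
"""

def parse_audit(text):
    """Return (data-access events, count of unparseable lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # report damaged lines instead of dropping them silently
            continue
        param = doc.get("param", {})
        if doc.get("atype") != "authCheck" or param.get("command") not in DATA_COMMANDS:
            continue
        # users[] holds MongoDB accounts, not people; it is empty before authentication.
        users = [f'{u["user"]}@{u["db"]}' for u in doc.get("users", [])]
        events.append({
            "ts": doc.get("ts", {}).get("$date"),
            "users": users or ["<unauthenticated>"],
            "remote_ip": doc.get("remote", {}).get("ip"),
            "command": param["command"],
            "ns": param.get("ns"),
            "allowed": doc.get("result") == 0,  # nonzero result: the check failed
        })
    return events, skipped

def access_summary(events):
    """Count accesses per (account, namespace, command, allowed)."""
    counts = Counter()
    for e in events:
        for user in e["users"]:
            counts[(user, e["ns"], e["command"], e["allowed"])] += 1
    return counts

if __name__ == "__main__":
    events, skipped = parse_audit(SAMPLE_LOG)
    print(sorted(access_summary(events).items()), "unparseable:", skipped)
```

A nonzero count of unparseable lines is itself worth investigating, since a complete audit file should contain only whole JSON documents.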

Per-user filter

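# Audit only specific users and data access operations
# (CRUD commands are audited as atype "authCheck"; successful ones are
# logged only when setParameter auditAuthorizationSuccess is true)
auditLog:
  filter: '{ $and: [ { "users.user": { $in: ["engineer_alice","engineer_bob"] } }, { atype: "authCheck", "param.command": { $in: ["find","insert","update","delete"] } } ] }'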

MongoDB Atlas audit logging

MongoDB Atlas enables auditLog on M10+ clusters. Configuration is project-level — all clusters in the project share the audit filter configuration. Atlas-specific considerations for GDPR:

Retention

30 days (fixed). Not configurable. Export regularly to your own EU-resident storage for long-term GDPR evidence.

Storage

Atlas-managed, not in your own infrastructure. You cannot verify tamper-evidence or storage location below the Atlas abstraction layer.

Data residency

Selecting an EU region for your cluster does not guarantee that Atlas management-plane data — including audit logs — stays in the EU. Review the MongoDB Data Processing Agreement.

Export

Logs are downloadable via Atlas API or UI. Automate exports to your own EU-resident storage for GDPR compliance evidence.

MongoDB audit logging — frequently asked questions

Does MongoDB Community Edition support audit logging?

No. MongoDB Community Edition does not include any per-operation audit logging capability. It logs server events (startup, shutdown, connection open/close) but does not log individual find, insert, update, or delete operations. To audit database operations in MongoDB, you need MongoDB Enterprise Advanced (commercial license) or MongoDB Atlas M10+ cluster (managed service with auditing enabled). This is the most significant GDPR compliance gap in the MongoDB ecosystem — the majority of self-hosted MongoDB deployments run Community Edition and have no audit trail at all.

What does the MongoDB Enterprise auditLog format look like?

MongoDB Enterprise auditLog outputs JSON documents. Find (read) operations are logged with atype: "authCheck" — not atype: "find". An example: {"atype":"authCheck","ts":{"$date":"2024-01-15T14:23:47.000+00:00"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.1.5","port":52341},"users":[{"user":"app_user","db":"admin"}],"roles":[{"role":"readWrite","db":"production"}],"param":{"command":"find","ns":"production.users","args":{"find":"users","filter":{"id":4892}}},"result":0}. The users array shows the authenticated MongoDB user — not the human operator if a shared account is in use.

How do I enable auditLog in MongoDB Enterprise?

Start mongod with --auditDestination and --auditFormat flags, or set them in mongod.conf. Example: auditLog: { destination: file, format: JSON, path: /var/log/mongodb/audit.json }. To filter specific operation types, match on atype "authCheck" and the command name in param.command: auditLog: { filter: '{ atype: "authCheck", "param.command": { $in: ["find","insert","update","delete"] } }' }, together with setParameter: { auditAuthorizationSuccess: true }, because successful authorization checks are not audited by default. To filter by user: auditLog: { filter: '{ "users.user": { $in: ["engineer_alice","engineer_bob"] } }' }. A mongod restart is required to change auditLog configuration.

Does MongoDB Atlas include audit logging?

MongoDB Atlas includes audit logging on M10 and larger clusters. It is not available on M0 (free tier), M2, or M5 clusters. Atlas audit logging is configured per project and supports the same filter syntax as MongoDB Enterprise auditLog. Atlas stores audit logs in Atlas-managed storage with configurable retention (7 to 90 days). Logs are downloadable via the Atlas API or UI. Atlas does not write audit logs to your own storage — you must pull them via API for GDPR DSR responses. Atlas infrastructure is hosted on AWS, GCP, or Azure depending on your region selection; EU region selection does not guarantee EU-only data processing at the platform level.

Is MongoDB auditLog tamper-evident for GDPR purposes?

No. MongoDB Enterprise auditLog writes to a file on the MongoDB server filesystem (or syslog). A system administrator with filesystem access can modify or delete the file. MongoDB does not provide an INSERT-only or append-only storage guarantee for audit logs. MongoDB Atlas log storage is managed by MongoDB Inc. — you do not control the storage backend and cannot verify it is tamper-evident. For GDPR Article 32, a tamper-evident audit trail requires structural guarantees, not contractual ones. An INSERT-only database table with DELETE and UPDATE revoked at the database level provides structural tamper evidence; a log file does not.
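
The page's structural fix is an INSERT-only table; as a different, complementary technique for audit lines exported to your own storage, this added example (not Scalple's or MongoDB's code) chains each line to the previous one with SHA-256 so that edits, deletions and truncation are detectable. It assumes the head digest is kept where administrators of the database host cannot rewrite it; the sample lines and function names are constructed.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # fixed starting value for the first line's digest

def _link(prev_digest, line):
    """Digest that binds one audit line to everything before it."""
    return hashlib.sha256(f"{prev_digest}\n{line}".encode("utf-8")).hexdigest()

def chain_lines(lines):
    """Return [(line, digest)]; the last digest is the head to store off-host."""
    records, prev = [], GENESIS
    for line in lines:
        prev = _link(prev, line)
        records.append((line, prev))
    return records

def verify_chain(records, head):
    """Return -1 if intact, else the index of the first bad or missing record."""
    prev = GENESIS
    for i, (line, digest) in enumerate(records):
        if not hmac.compare_digest(_link(prev, line), digest):
            return i  # line edited, or an earlier line removed or reordered
        prev = digest
    # A chain that verifies but ends early means records were cut from the tail.
    return -1 if hmac.compare_digest(prev, head) else len(records)

# Constructed audit lines (shortened) standing in for an exported audit.json.
SAMPLE = [
    '{"atype":"authCheck","users":[{"user":"app_user","db":"admin"}],"param":{"command":"find","ns":"production.users"},"result":0}',
    '{"atype":"authCheck","users":[{"user":"engineer_bob","db":"admin"}],"param":{"command":"delete","ns":"production.users"},"result":0}',
    '{"atype":"authCheck","users":[{"user":"app_user","db":"admin"}],"param":{"command":"insert","ns":"production.orders"},"result":0}',
]

if __name__ == "__main__":
    recs = chain_lines(SAMPLE)
    head = recs[-1][1]  # in practice, written to separate write-once storage
    print("intact:", verify_chain(recs, head))
    edited = [recs[0], (recs[1][0].replace("engineer_bob", "app_user"), recs[1][1]), recs[2]]
    print("edited:", verify_chain(edited, head))
    print("truncated:", verify_chain(recs[:2], head))
```

The chain is unkeyed, so anyone who can replace both the records and the stored head can rebuild it; the evidence comes from where the head is kept.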

Audit your MongoDB access without Enterprise licensing

Scalple provides human-attributed, INSERT-only audit logging for MongoDB operations — on Community Edition, without auditLog. Deploy on your EU infrastructure.