DOCSP-13233 Improved auditing coverage

Author: jason-price-mongodb

source/core/auditing.txt

@@ -26,6 +26,8 @@ file, or a BSON file. To enable auditing for MongoDB Enterprise, see
 
 For information on the audit log messages, see :doc:`/reference/audit-message`.
 
+.. _auditing-audit-events-and-filter:
+
 Audit Events and Filter
 -----------------------
 
@@ -36,6 +38,14 @@ Once enabled, the auditing system can record the following operations [#transact
 - authentication and authorization, and
 - CRUD operations (requires :parameter:`auditAuthorizationSuccess` set to ``true``).
 
+.. note::
+
+   Starting in MongoDB 5.0, :term:`secondaries <secondary>` do not log
+   DDL audit events for replicated changes. DDL audit events are still
+   logged for DDL operations that modify the :ref:`local database
+   <replica-set-local-database>` and the :data:`system.profile
+   <<database>.system.profile>` collection.
+
 For details on audited actions, see :ref:`audit-action-details-results`.
 
 With the auditing system, you can :ref:`set up filters <audit-filter>` to restrict the

source/includes/audit-local-remote.rst

@@ -0,0 +1,10 @@
+Starting in MongoDB 5.0, can alternatively be a document with one of
+these fields:
+
+- ``isSystemUser`` that indicates whether the user who
+  caused the event was a system user. Logged for self-referential jobs
+  initiated by a background process that runs on the same server
+  instance.
+
+- ``unix`` that contains the MongoDB socket file path if the client
+  connects through a Unix domain socket.

source/includes/collection-audit-event.rst

@@ -0,0 +1,8 @@
+Starting in MongoDB 5.0, this additional information is logged for a
+view:
+
+- ``viewOn`` field with the database and collection for the view.
+
+- ``pipeline`` field with the
+  :doc:`aggregation pipeline </core/aggregation-pipeline>` definition
+  for the view.