Database Monitoring for Amazon DocumentDB

Atatus Database Monitoring provides deep visibility into your Amazon DocumentDB (with MongoDB compatibility) databases by collecting key metrics, operation samples, explain plans, and replication state changes.

To enable Database Monitoring, the Agent gathers telemetry by connecting to your DocumentDB instances as a read-only user. Follow these steps to get started:

Setup Database Access for the Agent
Configure Atatus Infrastructure Agent

Before You Begin

Component	Supported Versions
Amazon DocumentDB	4.0.0, 5.0.0
Amazon DocumentDB Cluster Types	Instance-based clusters
Atatus Infra Agent	4.1.0 or higher

Note:

Amazon DocumentDB Elastic Clusters are not supported.

Direct Connection Requirement

The Atatus Infra Agent must connect directly to each DocumentDB instance being monitored. Do not use connection strings or SRV endpoints, as automatic failover or load balancing can route the Agent to a different host, resulting in inaccurate metrics.

Setup Database Access for the Agent

The Atatus Infra Agent requires read-only access to collect statistics and queries from your Amazon DocumentDB instances.

Connect to the primary node of your DocumentDB cluster using the Mongo shell and authenticate as the admin user:

copy
```
use admin
db.auth("admin", "<YOUR_AMAZON_DOCUMENTDB_ADMIN_PASSWORD>")
```

Create a read-only monitoring user for the Atatus Infra Agent:

copy

db.createUser({
  "user": "atatus",
  "pwd": "<STRONG_PASSWORD>",
  "roles": [
    { role: "read", db: "admin" },
    { role: "read", db: "local" },
    { role: "clusterMonitor", db: "admin" }
  ]
})

Grant read access to specific databases you want to monitor (Optional):

copy
```
db.grantRolesToUser("atatus", [
  { role: "read", db: "<DB_NAME>" }
])
```
Alternatively, to monitor all databases, grant the readAnyDatabase role:

copy
```
db.grantRolesToUser("atatus", [
  { role: "readAnyDatabase", db: "admin" }
])
```

Configure Atatus Infrastructure Agent

To enable Database Monitoring for your databases, install the Atatus Infrastructure Agent on a host that has network access to your Amazon DocumentDB instances. This can be a Linux host, a Docker container, or a Kubernetes pod.

Note:

The Agent must connect consistently to the same DocumentDB host. Avoid connecting through load balancers, proxies, or rotating endpoints.
Copy the MongoDB example configuration file:

copy
```
cd /etc/atatus-infra-agent/conf.d/mongodb.d/
sudo cp mongodb.yml.template mongodb.yml
```

Update the MongoDB configuration file.

Add the following configuration to /etc/atatus-infra-agent/conf.d/mongodb.d/mongodb.yml.

Single Instance:

copy

metrics:
  - hosts:
      - <HOST>:<PORT>
    username: atatus
    password: <REPLACE_PASSWORD>
    connection_scheme: "mongodb"
    db_name: "admin"
    options:
      connectTimeoutMS: 3000
      serverSelectionTimeoutMS: 2000
    tls: true
    tls_ca_file: <CERT_FILE_PATH>
    dbm: true
    cluster_name: <CLUSTER_NAME>

Replica Set (1 Primary + 2 Secondaries):

copy

metrics:
  - hosts:
      - <HOST_REPLICA_1>:<PORT>   # Primary node
    username: atatus
    password: <REPLACE_PASSWORD>
    connection_scheme: "mongodb"
    db_name: "admin"
    options:
      connectTimeoutMS: 3000
      serverSelectionTimeoutMS: 2000
    tls: true
    tls_ca_file: <CERT_FILE_PATH>
    dbm: true
    cluster_name: <CLUSTER_NAME>

  - hosts:
      - <HOST_REPLICA_2>:<PORT>   # Secondary node
    username: atatus
    password: <REPLACE_PASSWORD>
    connection_scheme: "mongodb"
    db_name: "admin"
    options:
      connectTimeoutMS: 3000
      serverSelectionTimeoutMS: 2000
    tls: true
    tls_ca_file: <CERT_FILE_PATH>
    dbm: true
    cluster_name: <CLUSTER_NAME>

  - hosts:
      - <HOST_REPLICA_3>:<PORT>   # Secondary node
    username: atatus
    password: <REPLACE_PASSWORD>
    connection_scheme: "mongodb"
    db_name: "admin"
    options:
      connectTimeoutMS: 3000
      serverSelectionTimeoutMS: 2000
    tls: true
    tls_ca_file: <CERT_FILE_PATH>
    dbm: true
    cluster_name: <CLUSTER_NAME>

Note:

Amazon DocumentDB requires TLS. Ensure tls: true is set and provide the CA certificate path via tls_ca_file. Download the Amazon DocumentDB CA certificate from the AWS documentation.

Placeholder	Replace With
`<HOST>` / `<HOST_REPLICA_*>`	Your DocumentDB instance endpoint(s)
`<PORT>`	Port number (default: `27017`)
`<REPLACE_PASSWORD>`	Password created for the `atatus` user
`<CERT_FILE_PATH>`	Path to the downloaded CA certificate file
`<CLUSTER_NAME>`	A descriptive name for your DocumentDB cluster

Restart the Atatus Infrastructure Agent:

copy
```
sudo service atatus-infra-agent restart
```

Once verified, navigate to the Database Monitoring page in Atatus to view your Amazon DocumentDB performance data.