cscli parsers install timokoessler/mongodb-logs
This is a parser for MongoDB logs. MongoDB version 4.4 or higher is required.
Example acquisition configuration for a Docker container:
---
source: docker
container_name:
  - my_container_name
labels:
  type: mongodb
or for a log file:
---
filenames:
  - /var/log/mongodb/mongodb.log
labels:
  type: mongodb
Depending on your installation method, paths to log files might change.
onsuccess: next_stage
filter: "Upper(evt.Parsed.program) == 'MONGODB'"
name: timokoessler/mongodb-logs
description: "Parse MongoDB logs"
nodes:
  - filter: |
      JsonExtract(evt.Parsed.message, "c") == 'ACCESS' &&
      JsonExtract(evt.Parsed.message, "msg") == 'Authentication failed'
    statics:
      - meta: log_type
        value: "mongodb_failed_auth"
    grok:
      pattern: '%{IPORHOST:remote_addr}'
      expression: JsonExtract(evt.Parsed.message, "attr.remote")

statics:
  - meta: service
    value: mongodb
  - meta: source_ip
    expression: "evt.Parsed.remote_addr"
  - parsed: timestamp
    expression: JsonExtract(evt.Parsed.message, "t.$date")
  - target: evt.StrTime
    expression: "evt.Parsed.timestamp"
  - meta: username
    expression: JsonExtract(evt.Parsed.message, "attr.principalName")
  - meta: authentication_database
    expression: JsonExtract(evt.Parsed.message, "attr.authenticationDatabase")
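As an added example (not part of the hub page or the parser itself), the Python script below mirrors the parser's logic over constructed MongoDB structured (JSON) log lines: it keeps only ACCESS / "Authentication failed" events and extracts the same fields the parser exposes, which is a quick way to check that your own log lines carry the attributes the parser expects before enabling it.

```python
import json
from typing import Optional

# Constructed sample lines in MongoDB's JSON log format (4.4+); field values are made up.
# Only the second line matches the parser's node filter: c == "ACCESS" and msg == "Authentication failed".
SAMPLE_LOG = """
{"t":{"$date":"2024-05-01T10:15:30.123+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.0.2.10:51234","connectionId":12}}
{"t":{"$date":"2024-05-01T10:15:31.456+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn12","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","remote":"192.0.2.10:51234","result":"AuthenticationFailed"}}
{"t":{"$date":"2024-05-01T10:15:32.000+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn13","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","principalName":"app","authenticationDatabase":"app","remote":"[2001:db8::7]:40000"}}
"""


def remote_ip(remote: str) -> str:
    """Return the address part of attr.remote ("ip:port" or "[ipv6]:port"),
    the same value the parser's %{IPORHOST:remote_addr} grok pulls out."""
    host, sep, port = remote.rpartition(":")
    if not sep or not port.isdigit():
        return remote  # no port present, use the value as-is
    if ":" in host and not host.startswith("["):
        return remote  # bare IPv6 address without a port
    return host.strip("[]")


def parse_line(line: str) -> Optional[dict]:
    """Apply the node filter and return the meta/parsed fields the parser sets,
    or None when the line is not a failed-authentication event."""
    try:
        evt = json.loads(line)
    except json.JSONDecodeError:
        return None  # pre-4.4 text-format lines are not JSON and are skipped
    if evt.get("c") != "ACCESS" or evt.get("msg") != "Authentication failed":
        return None
    attr = evt.get("attr", {})
    return {
        "log_type": "mongodb_failed_auth",
        "service": "mongodb",
        "source_ip": remote_ip(attr.get("remote", "")),
        "timestamp": evt.get("t", {}).get("$date"),
        "username": attr.get("principalName"),
        "authentication_database": attr.get("authenticationDatabase"),
    }


def parse_log(text: str) -> list:
    """Run parse_line over every non-empty line and keep the matching events."""
    return [e for e in (parse_line(l) for l in text.splitlines() if l.strip()) if e]


if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(event)
```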