mongodb-logs Log Parser

« mongodb-logs »
v0.1 by timokoessler
Log parser

Parse MongoDB logs

Installation

cscli parsers install timokoessler/mongodb-logs

Description

This is a parser for MongoDB logs. MongoDB version 4.4 or higher is required.

Example acquisition for a docker container:

---
source: docker
container_name:
 - my_container_name
labels:
  type: mongodb

or for a log file:

---
filenames:
 - /var/log/mongodb/mongodb.log
labels:
  type: mongodb

Depending on your installation method, paths to log files might change.

YAML Configuration

1onsuccess: next_stage
2filter: "Upper(evt.Parsed.program) == 'MONGODB'"
3name: timokoessler/mongodb-logs
4description: "Parse MongoDB logs"
5nodes:
6  - filter: |
7     JsonExtract(evt.Parsed.message, "c") == 'ACCESS' &&
8     JsonExtract(evt.Parsed.message, "msg") == 'Authentication failed'
9    statics:
10      - meta: log_type
11        value: "mongodb_failed_auth"
12    grok:
13      pattern: '%{IPORHOST:remote_addr}'
14      expression: JsonExtract(evt.Parsed.message, "attr.remote")
15
16statics:
17  - meta: service
18    value: mongodb
19  - meta: source_ip
20    expression: "evt.Parsed.remote_addr"
21  - parsed: timestamp
22    expression: JsonExtract(evt.Parsed.message, "t.$date")
23  - target: evt.StrTime
24    expression: "evt.Parsed.timestamp"
25  - meta: username
26    expression: JsonExtract(evt.Parsed.message, "attr.principalName")
27  - meta: authentication_database
28    expression: JsonExtract(evt.Parsed.message, "attr.authenticationDatabase")

Hub configuration

« mongodb-logs »v0.1 by timokoesslerLog parser

« mongodb-logs »
v0.1 by timokoessler
Log parser