MongoDB Integration

adem_netsys · ‎07-08-2024

Hi,

Has anyone done SIEM integration with mongoDB before, does SIEM support this?

kcanalichio · ‎07-08-2024

Never heard on mangodb, however if you are referring to mongodb here is a quick parser I put together for it.

<eventFormatRecognizer><![CDATA[<:gPatSyslogPRI><:gPatMon>\s+<:gPatDay>\s+<:gPatTime>\s+.*mongod(?:\[\d+\]\:)|.*mongod\:]]></eventFormatRecognizer><parsingInstructions><switch><case><collectFieldsByRegex src="$_rawmsg"><regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostName:gPatStr>\s+mongod\[<_pid:gPatStr>\]: <_body:gPatMesgBody>]]></regex></collectFieldsByRegex><setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute></case><case><collectFieldsByRegex src="$_rawmsg"><regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostIp:gPatIpAddr>\s+mongod\[<_pid:gPatStr>\]: <_body:gPatMesgBody>]]></regex></collectFieldsByRegex><setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute></case><case><collectFieldsByRegex src="$_rawmsg"><regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostName:gPatStr>\s+mongod: <_body:gPatMesgBody>]]></regex></collectFieldsByRegex><setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute></case><case><collectFieldsByRegex src="$_rawmsg"><regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostIp:gPatIpAddr>\s+mongod: <_body:gPatMesgBody>]]></regex></collectFieldsByRegex><setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute></case></switch><collectAndSetAttrByJSON src="$_body"><attrKeyMap attr="type" key="c"/><attrKeyMap attr="_type" key="s"/><attrKeyMap attr="timeGrain" key="t.$date"/><attrKeyMap attr="id" key="id"/><attrKeyMap attr="categoryType" key="ctx"/><attrKeyMap attr="msg" key="msg"/><attrKeyMap attr="usrMsg" key="attr.message"/></collectAndSetAttrByJSON><setEventAttribute attr="eventType">combineMsgId("mongod", "_", $_type, "_", $type)</setEventAttribute><when test="$eventType IN 'mongod_I_STORAGE'"><collectFieldsByRegex src="$usrMsg"><regex><![CDATA[.* snapshot min: <fsCapacitySnapshotLower:gPatInt>]]></regex></collectFieldsByRegex><collectFieldsByRegex src="$usrMsg"><regex><![CDATA[.* snapshot max: <fsCapacitySnapshotUpper:gPatInt>]]></regex></collectFieldsByRegex><collectFieldsByRegex src="$usrMsg"><regex><![CDATA[.* snapshot count: <totalSnapshot:gPatInt>]]></regex></collectFieldsByRegex></when><setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute><setEventAttribute attr="eventAction">0</setEventAttribute><choose><when test="$_type IN 'E,ERROR,error,Error'"><setEventAttribute attr="eventSeverity">9</setEventAttribute></when><when test="$_type IN 'W,WARN,Warn,warn,WARNING,Warning,warning'"><setEventAttribute attr="eventSeverity">5</setEventAttribute></when><when test="$_type IN 'N,NOTICE,Notice,notice'"><setEventAttribute attr="eventSeverity">2</setEventAttribute></when><when test="$_type IN 'I,INFO,Info,info'"><setEventAttribute attr="eventSeverity">1</setEventAttribute></when></choose><when test="exist srcName"><setEventAttribute attr="hostName">$srcName</setEventAttribute></when></parsingInstructions>

adem_netsys · ‎07-08-2024

Thanks for the correction, I didn't realise it was a keyboard error :)

kcanalichio · ‎07-08-2024

Mongodb is not handled out of the box. But the parser I have above will handle the messages in the mongodb log files. You need to update the mongodb.conf file to send those logs to syslog and have syslog send them to the seim. Then feel free to modify the parser and create any reports you need from there

adem_netsys · ‎07-08-2024

Thank you for your reply. I will try this and share the latest status

MongoDB Integration

Nominate a Forum Post for Knowledge Article Creation