Hi,
Has anyone done SIEM integration with mongoDB before, does SIEM support this?
Never heard of mangodb, however if you are referring to mongodb, here is a quick parser I put together for it.
<eventFormatRecognizer><![CDATA[<:gPatSyslogPRI><:gPatMon>\s+<:gPatDay>\s+<:gPatTime>\s+.*mongod(?:\[\d+\]\:)|.*mongod\:]]></eventFormatRecognizer>
<parsingInstructions>
  <switch>
    <case>
      <collectFieldsByRegex src="$_rawmsg">
        <regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostName:gPatStr>\s+mongod\[<_pid:gPatStr>\]: <_body:gPatMesgBody>]]></regex>
      </collectFieldsByRegex>
      <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
    </case>
    <case>
      <collectFieldsByRegex src="$_rawmsg">
        <regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostIp:gPatIpAddr>\s+mongod\[<_pid:gPatStr>\]: <_body:gPatMesgBody>]]></regex>
      </collectFieldsByRegex>
      <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
    </case>
    <case>
      <collectFieldsByRegex src="$_rawmsg">
        <regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostName:gPatStr>\s+mongod: <_body:gPatMesgBody>]]></regex>
      </collectFieldsByRegex>
      <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
    </case>
    <case>
      <collectFieldsByRegex src="$_rawmsg">
        <regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostIp:gPatIpAddr>\s+mongod: <_body:gPatMesgBody>]]></regex>
      </collectFieldsByRegex>
      <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
    </case>
  </switch>
  <!-- The message body is MongoDB's structured JSON log record; map its keys to event attributes -->
  <collectAndSetAttrByJSON src="$_body">
    <attrKeyMap attr="type" key="c"/>
    <attrKeyMap attr="_type" key="s"/>
    <attrKeyMap attr="timeGrain" key="t.$date"/>
    <attrKeyMap attr="id" key="id"/>
    <attrKeyMap attr="categoryType" key="ctx"/>
    <attrKeyMap attr="msg" key="msg"/>
    <attrKeyMap attr="usrMsg" key="attr.message"/>
  </collectAndSetAttrByJSON>
  <setEventAttribute attr="eventType">combineMsgId("mongod", "_", $_type, "_", $type)</setEventAttribute>
  <when test="$eventType IN 'mongod_I_STORAGE'">
    <collectFieldsByRegex src="$usrMsg">
      <regex><![CDATA[.* snapshot min: <fsCapacitySnapshotLower:gPatInt>]]></regex>
    </collectFieldsByRegex>
    <collectFieldsByRegex src="$usrMsg">
      <regex><![CDATA[.* snapshot max: <fsCapacitySnapshotUpper:gPatInt>]]></regex>
    </collectFieldsByRegex>
    <collectFieldsByRegex src="$usrMsg">
      <regex><![CDATA[.* snapshot count: <totalSnapshot:gPatInt>]]></regex>
    </collectFieldsByRegex>
  </when>
  <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
  <setEventAttribute attr="eventAction">0</setEventAttribute>
  <!-- Map the MongoDB severity letter ("s") to an event severity -->
  <choose>
    <when test="$_type IN 'E,ERROR,error,Error'"><setEventAttribute attr="eventSeverity">9</setEventAttribute></when>
    <when test="$_type IN 'W,WARN,Warn,warn,WARNING,Warning,warning'"><setEventAttribute attr="eventSeverity">5</setEventAttribute></when>
    <when test="$_type IN 'N,NOTICE,Notice,notice'"><setEventAttribute attr="eventSeverity">2</setEventAttribute></when>
    <when test="$_type IN 'I,INFO,Info,info'"><setEventAttribute attr="eventSeverity">1</setEventAttribute></when>
  </choose>
  <when test="exist srcName"><setEventAttribute attr="hostName">$srcName</setEventAttribute></when>
</parsingInstructions>
Thanks for the correction, I didn't realise it was a keyboard error :)
Mongodb is not handled out of the box. But the parser I have above will handle the messages in the mongodb log files. You need to update the mongodb.conf file to send those logs to syslog and have syslog send them to the SIEM. Then feel free to modify the parser and create any reports you need from there.
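To check what the parser above is expected to extract before loading it into the SIEM, here is an added stand-alone example (my own code, not the poster's parser and not a FortiSIEM API) that applies the same header regex, JSON key mapping, eventType composition, severity mapping and STORAGE snapshot extraction to two constructed syslog lines.

```python
import json
import re
from datetime import datetime

# Constructed sample lines in the shape the parser expects: syslog PRI, timestamp,
# host (name or IP), "mongod[pid]:" or "mongod:", then MongoDB's structured JSON record.
SAMPLE_LINES = [
    '<30>Jan 14 10:22:05 db01 mongod[1234]: {"t":{"$date":"2024-01-14T10:22:05.123+00:00"},'
    '"s":"I","c":"STORAGE","id":22430,"ctx":"initandlisten","msg":"WiredTiger message",'
    '"attr":{"message":"snapshot min: 42 snapshot max: 57 snapshot count: 3"}}',
    '<27>Jan 14 10:22:06 10.0.0.5 mongod: {"t":{"$date":"2024-01-14T10:22:06.000+00:00"},'
    '"s":"E","c":"NETWORK","id":23017,"ctx":"conn12","msg":"Error receiving request",'
    '"attr":{"message":"connection reset"}}',
]

HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+mongod(?:\[(?P<pid>\d+)\])?:\s+(?P<body>\{.*\})$"
)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
SNAPSHOT = re.compile(r"snapshot min: (\d+) snapshot max: (\d+) snapshot count: (\d+)")
# Same mapping as the parser's <choose> block, keyed on the first letter of "s".
SEVERITY = {"E": 9, "W": 5, "N": 2, "I": 1}

def parse_mongod_line(line, year=2024):
    """Return the event attributes the parser would set, or None if the line does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    body = json.loads(m["body"])
    event = {
        # hostIp vs hostName mirrors the gPatIpAddr / gPatStr cases of the <switch>
        "hostIp" if IPV4.fullmatch(m["host"]) else "hostName": m["host"],
        # syslog timestamps carry no year; the caller supplies it (assumption)
        "deviceTime": datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"),
        "type": body.get("c"), "_type": body.get("s"), "id": body.get("id"),
        "categoryType": body.get("ctx"), "msg": body.get("msg"),
        "usrMsg": body.get("attr", {}).get("message"),
    }
    event["eventType"] = f"mongod_{event['_type']}_{event['type']}"
    event["eventSeverity"] = SEVERITY.get((event["_type"] or "")[:1].upper(), 0)
    if event["eventType"] == "mongod_I_STORAGE" and event["usrMsg"]:
        s = SNAPSHOT.search(event["usrMsg"])
        if s:
            lower, upper, count = (int(v) for v in s.groups())
            event.update(fsCapacitySnapshotLower=lower, fsCapacitySnapshotUpper=upper, totalSnapshot=count)
    return event

def parse_all(lines):
    return [e for e in (parse_mongod_line(l) for l in lines) if e]
```

MongoDB writes this JSON record format when mongod.conf sets systemLog.destination to syslog (MongoDB 4.4 and later use the structured JSON log format shown here).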
Thank you for your reply. I will try this and share the latest status
Copyright 2024 Fortinet, Inc. All Rights Reserved.