MongoDB installation configuration and opening audit log

Welcome to the More You Know, The More You Don't Know series!

1. Mongo installation tutorial (Linux)

1. Download the installation package

https://www.mongodb.com/download-center/community

2. Upload the installation package to the server
3. Unzip and move

tar -zxvf mongodb-linux-x86_64-4.0.6.tgz
mv ./mongodb-linux-x86_64-4.0.6 /usr/local/mongodb

4. Go to the mongodb folder

cd /usr/local/mongodb/

5. Create db directory and log folder

mkdir -p ./data/db
mkdir -p ./logs
touch ./logs/mongodb.log

6. Create a mongo configuration file

6.1, conf configuration file format:

vim mongodb.conf
# port number
port=27017
# data directory
dbpath=/usr/local/mongodb/data/db
# log file
logpath=/usr/local/mongodb/logs/mongodb.log
# run as a background (forked) daemon
fork=true
# append to the log file instead of overwriting it
logappend=true
# allow remote connections from any IP (binds every interface; pair this with auth=true from section 3, or bind 127.0.0.1 as the yml example below does)
bind_ip=0.0.0.0

6.2, yml configuration file format:

processManagement:
   fork: true
net:
   bindIp: 127.0.0.1
   port: 27017
storage:
   dbPath: <data directory>/data/db
   # journal lives under the same storage key; a second top-level storage: block is a duplicate YAML key
   journal:
      enabled: true
systemLog:
   destination: file
   path: log/mongo27017.log
   logAppend: true

7. Configuration file start

7.1, conf configuration file start:

./bin/mongod --config mongodb.conf

7.2, yml configuration file start:

./bin/mongod --config mongodb.yml

8. Connect to mongo

./bin/mongo

2. Problems encountered during installation:

1. An error is reported when starting from the configuration file

error while loading shared libraries: libcrypto.so.10: cannot open shared object file: No such file or directory
Cause: the libcrypto.so.10 library is not installed
Solution: install it with yum -y install compat-openssl10

2. An error is reported when starting from the configuration file

error while loading shared libraries: libnetsnmpmibs.so.35:  cannot open shared object file: No such file or directory
Cause: net-snmp is not installed
Solution: install it with yum install net-snmp

3. Create mongo account

1. read: allows the user to read the specified database
2. readWrite: allows the user to read and write the specified database
3. dbAdmin: allows the user to run administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
4. userAdmin: allows the user to write to the system.users collection; can create, drop and manage users in the specified database
5. clusterAdmin: only available in the admin database; grants administrative rights over all sharding and replica-set functions
6. readAnyDatabase: only available in the admin database; grants read access to all databases
7. readWriteAnyDatabase: only available in the admin database; grants read and write access to all databases
8. userAdminAnyDatabase: only available in the admin database; grants userAdmin rights on all databases
9. dbAdminAnyDatabase: only available in the admin database; grants dbAdmin rights on all databases
10. root: only available in the admin database; the superuser account with full privileges

1) Create an administrator account

  • Switch to the admin database

    use admin
    
  • Add the account (root: full authority over every operation; userAdminAnyDatabase: user-management authority only)

    db.createUser({ user: "root", pwd: "Zz@123456", roles: [{ role: "root", db: "admin" }] })
    
  • Modify mongodb.conf and add this setting

    auth=true
    
    or, for the yml format, add this configuration:
    security:
      authorization: enabled
    
    
  • Restart the MongoDB service

    # stop the service (kill -9 forces an immediate stop; kill <PID> without -9 lets mongod shut down cleanly)
    kill -9 PID
    # start the service from the configuration file
    ./bin/mongod --config mongodb.conf
    
  • Connect to mongo

    ./bin/mongo
    
  • Authenticate (an unauthenticated session can neither view nor operate on data)

    use admin
    db.auth("root","Zz@123456")  // returns 1 when authentication succeeds
    

2) Create a common user

  • Authenticate with the administrator account

    use admin
    db.auth("root","Zz@123456")
    
  • Switch to the target database

    use <database name>
    
  • Create the common account and grant it permissions

    db.createUser({ user: "user", pwd: "123456", roles: [{ role: "readWrite", db: "<database name>" }] })
    

Note: the user takes effect as soon as it is created; no restart is needed.

  • Update a user's roles (root is the highest authority)

    db.updateUser("root",{roles : [{"role" : "root","db" : "admin"}]})
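As an added example that is not part of the original post, a small Python checker that reads either of the configuration formats from section 6 plus the auth setting from this section and flags what a reviewer would question: authentication off, bind_ip 0.0.0.0, and no auditLog section (the auditLog keys are the ones used in section 4). The two sample configurations are constructed for the example.

```python
# Constructed examples of the two config formats shown in this post (not copied from a live server).
LEGACY_CONF = """\
port=27017
dbpath=/usr/local/mongodb/data/db
fork=true
bind_ip=0.0.0.0
"""
HARDENED_YML = """\
net:
   bindIp: 127.0.0.1
   port: 27017
security:
   authorization: enabled
auditLog:
   destination: file
   path: /usr/local/mongodb/data/auditLog/audit.json
"""

def parse_config(text):
    """Flatten key=value (.conf) or indented key: value (.yml) lines into dotted keys such as net.bindIp."""
    settings, stack = {}, []                     # stack of (indent, key) for the enclosing YAML keys
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # strip comments
        if not line.strip():
            continue
        if "=" in line and ":" not in line:      # legacy .conf line
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # drop keys that are not ancestors of this line
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():                        # leaf value: record it under its full dotted path
            settings[".".join(k for _, k in stack)] = value.strip()
    return settings

def check_exposure(settings):
    """Findings a reviewer would raise; an empty list means the checked settings look sane."""
    findings = []
    bind = settings.get("bind_ip", settings.get("net.bindIp", "127.0.0.1"))
    auth_on = settings.get("auth") == "true" or settings.get("security.authorization") == "enabled"
    if not auth_on:
        findings.append("authentication disabled: set auth=true or security.authorization: enabled")
    if "0.0.0.0" in bind.split(","):
        findings.append("bind_ip/net.bindIp 0.0.0.0 accepts connections on every interface")
    if "auditLog.destination" not in settings:
        findings.append("no auditLog section (Enterprise only): operations are not audited")
    return findings
```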
    

4. Enable the mongo audit function

https://blog.csdn.net/zhaoyuqiang/article/details/105361948

1 Overview

The database security life cycle consists of protection, detection, response and remediation; the core of detection is auditing.

The audit function records all relevant operations that users perform on the database. These records let system administrators analyze, when needed, what happened to the database and when.

MongoDB comes in a Community Edition and an Enterprise Edition; only MongoDB Enterprise has the auditing function.

MongoDB Enterprise download link:

https://www.mongodb.com/try/download/enterprise

When installing the MongoDB rpm package it will report missing dependencies; the required packages can be installed through yum:

yum install net-snmp cyrus-sasl cyrus-sasl-plain cyrus-sasl-gssapi

Note: The configuration file is in yml format

auditLog:
  destination: <output type: console (print to the terminal), syslog (system log) or file>
  format: <JSON or BSON, for file output>
  path: <file path>
  filter: <filter expression selecting which events are recorded>
setParameter: { auditAuthorizationSuccess: true }

# audit log settings (this filter covers the vast majority of what needs recording and drops noisy, uninformative events)
auditLog:
  destination: file
  format: JSON
  path: /usr/local/mongodb/data/auditLog/audit.json
  filter: '{ atype:{ $in: ["authCheck","createCollection","createDatabase"] },"param.ns":{$nin:[  "admin.system.version"]},"param.command":{$nin:[  "isMaster","ismaster","saslStart","saslContinue","listCollections","listDatabases","listIndexes","collStats","find","getlasterror","buildinfo","getLastError","aggregate"]  }  }'
# also record successful authorization checks (authCheck with result 0), not only denied ones
setParameter: { auditAuthorizationSuccess: true }

Note: The log is saved in audit.json, and the log printing status can be viewed online in real time through tail -f audit.json.
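As an added example that is not part of the original post, a Python script that reads audit.json lines of the shape produced by the filter above (one JSON document per line with atype, users, remote, param and result) and pulls out the denied authorization checks plus a per-principal activity count. The four sample lines, their addresses and timestamps are constructed; result 13 is MongoDB's Unauthorized code.

```python
import json
from collections import Counter

# Constructed audit.json lines in the shape mongod writes (one JSON document per line); not real data.
SAMPLE_AUDIT_LOG = """\
{"atype":"authCheck","ts":{"$date":"2021-08-12T10:00:01.000+0800"},"remote":{"ip":"10.0.0.9","port":51120},"users":[{"user":"user","db":"test"}],"param":{"command":"insert","ns":"test.orders"},"result":0}
{"atype":"authCheck","ts":{"$date":"2021-08-12T10:00:02.000+0800"},"remote":{"ip":"10.0.0.9","port":51120},"users":[{"user":"user","db":"test"}],"param":{"command":"dropDatabase","ns":"admin"},"result":13}
{"atype":"authCheck","ts":{"$date":"2021-08-12T10:00:03.000+0800"},"remote":{"ip":"10.0.0.77","port":40211},"users":[],"param":{"command":"find","ns":"admin.system.users"},"result":13}
{"atype":"createCollection","ts":{"$date":"2021-08-12T10:00:04.000+0800"},"remote":{"ip":"10.0.0.9","port":51130},"users":[{"user":"root","db":"admin"}],"param":{"ns":"test.audit_demo"},"result":0}
"""

def parse_audit_log(text):
    """Parse audit.json (one JSON document per line), skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue            # a partially written last line while tail -f is still running
    return events

def principal(event):
    """'user@db' of the authenticated user, or 'anonymous' when the users array is empty."""
    users = event.get("users") or []
    return "anonymous" if not users else f"{users[0]['user']}@{users[0]['db']}"

def denied_operations(events):
    """authCheck events with a non-zero result are authorization failures (13 = Unauthorized)."""
    return [
        {"ts": e["ts"]["$date"], "who": principal(e), "from": e["remote"]["ip"],
         "command": e["param"].get("command"), "ns": e["param"].get("ns"), "code": e["result"]}
        for e in events if e.get("atype") == "authCheck" and e.get("result", 0) != 0
    ]

def activity_by_principal(events):
    """Count (principal, command or atype) pairs to spot an account doing something unusual."""
    return Counter((principal(e), e["param"].get("command", e["atype"])) for e in events)
```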

5. Log details introduction

Any kind of database has various logs, and MongoDB is no exception. There are four types of logs in MongoDB, namely system logs, Journal logs, oplog master-slave logs, and slow query logs. These logs keep track of different aspects of the MongoDB database. These types of logs are described below.

1. System log

The system log is very important in the MongoDB database. It records the start and stop operations of MongoDB, as well as any abnormal information that occurs during the running of the server.
Configuring the system log is simple: specify the logpath parameter when starting mongod:

mongod --logpath=/data/log/mongodb/serverlog.log --logappend

The system log will continue to append to the file specified by logpath.

2. Journal log (enabled in the general configuration file)

The journaling log is a very important feature in MongoDB: it preserves the integrity of the server's data through unexpected power failures and other disasters. It adds reliability to MongoDB through write-ahead redo logging. When the feature is enabled, MongoDB writes a journal entry for each write operation containing the disk location and the exact bytes changed. If the server stops suddenly, the journal is replayed at startup, re-applying the writes that could not be flushed to disk before the shutdown.

3. oplog master-slave log

Replica Sets are used to back up data between multiple servers. MongoDB's replication function is implemented using the operation log oplog, which contains every write operation of the primary node.

All databases in a mongod instance share the same oplog, i.e. the write operations (insert, delete, update) of every database are recorded in it.

4. Slow query log

MongoDB uses the system profiler to find operations that take too long. The profiler records operations in the capped collection system.profile and provides a lot of detail about slow operations, but it also lowers the overall performance of that mongod. Therefore the profiler is generally enabled only periodically to gather information.

By default the profiler is off and nothing is recorded. Run db.setProfilingLevel() in the shell to enable it:

db.setProfilingLevel(<level>, <slowms>)   // level: 0 = off, 1 = slow operations only, 2 = all operations

The first parameter is the level: 0 means off, 1 means record operations that take longer than the threshold (100 milliseconds by default), and 2 means record all operations. The second parameter customizes what counts as "too long", for example recording every operation that takes at least 500 ms to complete:

db.setProfilingLevel(1,500);

If the profiler is enabled and the system.profile collection does not exist, MongoDB will create a capped collection with a size of several MB for it. If you want the analyzer to run longer, you may need more space to record more operations. At this point, you can close the analyzer, delete and re-create a new fixed collection named system.profile, and make its capacity meet the requirements. Then re-enable the analyzer on the database.

You can view the maximum capacity of the collection through db.system.profile.stats().

Summary

The above is the whole content of this article. I hope that the content of this article has a certain reference value for everyone's study or work.

Origin blog.csdn.net/weixin_45019350/article/details/119655177