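I have a Mongo database on Alibaba Cloud and want to find out whether it has a login-logging feature, and whether that feature is already enabled.
The goal is to know which Mongo users logged in to the system, and when.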
mongo login log
【Monogdb】MongoDB's logging system – CSDN blog
Locating the source of operations through MongoDB log information | 一张假钞的真实世界
It seems this can be found by searching for:
connection accepted from
to find out whose IP connected to the system, and when?
1. MongoDB login – 纸上得来终觉浅 绝知此事要躬行 – https://github.com/sgq0085/learn – ITeye blog
How to enable access-control authentication in MongoDB · Issue #31 · webplus/blog
mongo user login log
Mongodb how to show user login history – Database Administrators Stack Exchange
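Mongo supports recording user login history; the feature is called Auditing.
However, it is only supported in the Enterprise edition.
With the free edition, for now the only option is to look in the log for entries such as: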
<code>2017-06-28T11:38:50.866-0700 I ACCESS [conn75] Successfully authenticated as principal mydbuser on mydb </code>
and infer user login information from them.
“ACCESS
Messages related to access control, such as authentication. To specify the log level for ACCESS components, use the systemLog.component.accessControl.verbosity setting.”
MongoDB logging and authentication – Stack Overflow
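Reportedly:
even after logging in, there have to be other database operations (Mongo reads, writes and so on) before any ACCESS log entries appear; otherwise, with just a login and no operations, there are no ACCESS log entries?
First, connect from a terminal on my local Mac to mongo on the remote server: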
<code>➜ ~ mongo gridfs --host ip --port port -u gridfs -p pwd --authenticationDatabase gridfs
MongoDB shell version v3.6.3
connecting to: mongodb://ip:port/gridfs
MongoDB server version: 3.2.19
WARNING: shell and server versions do not match
> db.fs.files.findOne()
{
    "_id" : ObjectId("5b21c7837f4d384d04535f90"),
    "contentType" : "audio/mpeg",
    "chunkSize" : 261120,
    "metadata" : {
...
</code>
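That includes a read operation as well.
Next, check whether the log contains any related ACCESS entries, or any other relevant entries.
First, find where the mongo log file is on the server: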
<code>[root@xxx-general-01 web]# ps -ef|grep mongo
mongod 1188 1 0 May14 ? 06:34:29 /usr/bin/mongod -f /etc/mongod.conf
root 9275 8916 0 14:15 pts/1 00:00:00 grep --color=auto mongo
[root@xx-general-01 web]# more /etc/mongod.conf
...
# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
...
[root@xx-general-01 web]# tail -n 30 /var/log/mongodb/mongod.log
...
2018-07-19T14:10:56.808+0800 I NETWORK [initandlisten] connection accepted from 222.92.130.218:52187 #2785 (23 connections now open)
2018-07-19T14:10:56.936+0800 I COMMAND [conn2785] command admin.$cmd command: whatsmyuri { whatsmyuri: 1 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:52 locks:{} protocol:op_command 108ms
2018-07-19T14:10:57.032+0800 I ACCESS [conn2785] Successfully authenticated as principal gridfs on gridfs
2018-07-19T14:10:57.049+0800 I ACCESS [conn2785] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }
2018-07-19T14:10:57.118+0800 I ACCESS [conn2785] Unauthorized: not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2018-07-19T14:11:01.218+0800 I ACCESS [conn2785] Unauthorized: not authorized on admin to execute command { listDatabases: 1.0 }
[root@xx-general-01 web]#
</code>
In that output:
<code>connection accepted from ip:52187 #2785 (23 connections now open) </code>
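indicates the time of the login and the IP of the person logging in.
To look for login entries in the recent part of the log, consider searching the most recent lines (for example the last 1000 lines):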
<code>[root@xx-general-01 web]# tail -n 1000 /var/log/mongodb/mongod.log | grep "connection accepted from"
...
2018-07-03T10:21:13.516+0800 I NETWORK [initandlisten] connection accepted from 222.92.130.218:52804 #2304 (22 connections now open)
...
2018-07-03T12:01:18.500+0800 I NETWORK [initandlisten] connection accepted from 127.0.0.1:46752 #2337 (19 connections now open)
...
2018-07-19T10:59:26.804+0800 I NETWORK [initandlisten] connection accepted from 222.92.130.218:61427 #2783 (21 connections now open)
2018-07-19T10:59:29.295+0800 I NETWORK [initandlisten] connection accepted from 222.92.130.218:61444 #2784 (22 connections now open)
2018-07-19T14:10:56.808+0800 I NETWORK [initandlisten] connection accepted from 222.92.130.218:52187 #2785 (23 connections now open)
</code>
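【Summary】
Mongo comes in a free edition and an Enterprise edition.
The feature that records user logins is called Auditing:
Free edition: not available
Enterprise edition: available
With the free edition of Mongo, to find the address a user logged in from, you can look for the relevant information in the log file yourself.
Note:
If you don't know where the log file is, use: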
<code>ps -ef|grep mongo
mongod 1188 1 0 May14 ? 06:34:29 /usr/bin/mongod -f /etc/mongod.conf
</code>
to find the configuration file, then look in the configuration file for the location of the log file:
<code>more /etc/mongod.conf
...
# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
...
</code>
In the log file, use:
<code>tail -n 1000 /var/log/mongodb/mongod.log | grep "connection accepted from" </code>
to search for content like:
<code>I NETWORK [initandlisten] connection accepted from 222.x.x.x:52187 </code>
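where:
I: means input, i.e. access from the external network to the server Mongo runs on
NETWORK: means a network request
initandlisten: init and listen, initialize and listen
connection accepted from: a request from outside was accepted
222.x.x.x:52187: clearly what we are looking for, the IP address (and port) of the user who logged in to mongo
And starting from the IP address, using:
Show and look up your own IP address
http://ip111.cn
you can look up your own IP address, which is the one above:
Domestic site: 222.x.x.x China / Nanjing
In addition, to confirm which (Mongo) account was used to log in, use: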
<code>[root@xxx-general-01 web]# tail -n 50 /var/log/mongodb/mongod.log | grep "Successfully authenticated as"
2018-07-19T14:10:57.032+0800 I ACCESS [conn2785] Successfully authenticated as principal gridfs on gridfs
2018-07-19T14:28:39.265+0800 I ACCESS [conn2787] Successfully authenticated as principal root on admin
</code>
which shows that it was:
the gridfs user
or
the root user
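The two greps above can be joined on the connection number (`#2785` in the NETWORK line, `[conn2785]` in the ACCESS line) to get account, source IP and time in one record. The following Python is an added example, not part of the original post; it assumes the MongoDB 3.x plain-text log format shown in the excerpts, and `login_events` is a name chosen here.

```python
import re

# MongoDB 3.x text log line: timestamp, severity letter, component, [thread], message
LINE = re.compile(r'^(\S+)\s+[A-Z]\s+(\S+)\s+\[([^\]]+)\]\s+(.*)$')
ACCEPT = re.compile(r'connection accepted from (\S+):(\d+) #(\d+)')
AUTH_OK = re.compile(r'Successfully authenticated as principal (\S+) on (\S+)')

def login_events(lines):
    """Return (logins, unauthenticated): logins join each successful
    authentication to its client IP through the connection id."""
    peers = {}      # connection id -> (accept time, client ip)
    logins = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                      # banners, wrapped or malformed lines
        ts, component, thread, msg = m.groups()
        accept = ACCEPT.match(msg) if component == 'NETWORK' else None
        auth = AUTH_OK.match(msg) if component == 'ACCESS' else None
        if accept:
            ip, _port, conn = accept.groups()
            peers[conn] = (ts, ip)
        elif auth and thread.startswith('conn'):
            conn = thread[len('conn'):]
            # The accept line may predate the window that was read (tail -n).
            _, ip = peers.get(conn, (None, 'unknown'))
            logins.append({'time': ts, 'conn': conn, 'ip': ip,
                           'user': auth.group(1), 'db': auth.group(2)})
    authed = {e['conn'] for e in logins}
    unauthenticated = {c: v for c, v in peers.items() if c not in authed}
    return logins, unauthenticated

# Lines copied from this page's log excerpts (a partial window, as tail gives).
SAMPLE = """\
2018-07-19T10:59:29.295+0800 I NETWORK [initandlisten] connection accepted from 222.92.130.218:61444 #2784 (22 connections now open)
2018-07-19T14:10:56.808+0800 I NETWORK [initandlisten] connection accepted from 222.92.130.218:52187 #2785 (23 connections now open)
2018-07-19T14:10:57.032+0800 I ACCESS [conn2785] Successfully authenticated as principal gridfs on gridfs
2018-07-19T14:10:57.049+0800 I ACCESS [conn2785] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }
2018-07-19T14:28:39.265+0800 I ACCESS [conn2787] Successfully authenticated as principal root on admin
""".splitlines()

if __name__ == '__main__':
    logins, pending = login_events(SAMPLE)
    for e in logins:
        print('{time} {user}@{db} from {ip} (conn{conn})'.format(**e))
    for conn, (ts, ip) in pending.items():
        print('{} conn{} from {} did not authenticate in this window'.format(ts, conn, ip))
```

On the server, pass the open log file instead of the sample, for example `login_events(open('/var/log/mongodb/mongod.log'))`; an `unknown` IP means the matching accept line is older than the part of the log that was read.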