Skip to main content
Sumo Logic

Collect Logs for MongoDB

This procedure documents how to collect logs from MongoDB into Sumo Logic.The Sumo Logic App for MongoDB provides insight into your MongoDB environment, allowing you to track overall system health, queries, logins and connections, errors and warnings, replication, and sharding.

Log Types

The Sumo Logic App for MongoDB ingests MongoDB logs using an installed collector and a local file source. 

MongoDB logs include the severity level and the component associated with each log message. 

For complete details, see the MongoDB documentation. For more information on MongoDB log parsing, consult MongoDB Log Spec.

Configure a Collector

Configure an Installed Collector on your MongoDB server.

Configure a Source

  1. Configure a Local File Source for each server instance. For example, if you are running Replicas, Shards, or Arbiters, each will need its own Local File Source. Configure a separate Source Host for each Source.
  2. Configure the Source fields:
    1. Name. (Required) A name is required. Description is optional.
    2. Source Category. (Required) For example, mongo/serverA, mongo/serverB. With this naming convention, you can use _sourceCategory=mongo* as the custom data filter in the MongoDB app to collect all logs. For more information, see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Make sure to set it to (UTC) Etc/UTC
    3. Timestamp Format. Auto Detect
  4. Click Save.

Field Extraction Rules

Use the scope _sourceCategory=mongo* to collect all MongoDB logs.

MongoDB

parse "* * *  [*] *" as timestamp,severity,component,context,msg

Sample Log Message

2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017

Query Samples

Messages by components

| parse "* * * [*] *" as timestamp,severity,component,context,msg 
| count by component

Failed login attempts

"authentication failed" 
| parse "* * * [*] *" as timestamp,severity,component,context,msg 
| parse regex field=msg  "authentication failed for (?<user>[\S]+) on (?<database>[\S]+) from client (?<client_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}) ; (?<reason>[\s\S]+)" 
| count by timestamp, user, database, client_ip, reason
| fields - _count