Skip to main content
Sumo Logic

Collect Logs for MongoDB

This procedure documents how to collect logs from MongoDB into Sumo Logic.The Sumo Logic App for MongoDB provides insight into your MongoDB environment, allowing you to track overall system health, queries, logins and connections, errors and warnings, replication, and sharding.

Log Types

The Sumo Logic App for MongoDB ingests MongoDB logs using an installed collector and a local file source. 

MongoDB logs include the severity level and the component associated with each log message. 

For complete details, see the MongoDB documentation. For more information on MongoDB log parsing, consult MongoDB Log Spec.

Configure a Collector

Configure an Installed Collector on your MongoDB server.

Configure a Source

  1. Configure a Local File Source for each server instance. For example, if you are running Replicas, Shards, or Arbiters, each will need its own local file source.
  2. Configure the source fields:
    1. Name. (Required) A name is required. Description is optional.
    2. Source Host. Configure a separate source host for each source.
    3. Source Category. (Required) For example, mongo/serverA,  mongo/serverB. With this naming convention, you can use _sourceCategory=mongo* as the custom data filter in the MongoDB app to collect all logs. For more information, see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True.
    2. Time Zone. Make sure to set it to (UTC) Etc/UTC.
    3. Timestamp Format. Auto Detect.
  4. Click Save.

Field Extraction Rules

You can use a field extraction rule (FER) to automatically parse your MongoDB logs. To create an FER, go to Manage Data > Settings > Field Extraction Rules. For detailed instructions, see Create a Field Extraction Rule. MongoDB-specific tips follow.

On the Create a Field Extraction Rule page, enter a name for the FER, and then specify:

  • Scope—This defines the logs Sumo will parse. You generally specify Scope in terms of  _sourceCategory. If you used the _sourceCategory convention suggested above in Configure a Source, specify the following scope to parse all MongoDB logs:

    _sourceCategory="mongo*"

    If you configured a different _sourceCategory, use that value, with a wildcard as appropriate.

  • Parse Expression—Enter the following statement:

    parse "* * *  [*] *" as timestamp,severity,component,context,msg

    The statement above parses the timestamp, severity, component, context, and msg fields from MongoDB logs. (See the following section for a sample MongoDB log message.) This allows you to run queries without including a parse statement in the query—Sumo parses the logs according to this rule at ingestion, so you can simply query on those fields.  

Sample Log Message

2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017

Query Samples

The two sample queries below assume that you have set up the FER described  above in Field Extraction Rules. If you have not defined the FER, in each of the queries you must include a parse statement like the following, after the _sourceCategory="mongo*" line: 

| parse "* * * [*] *" as timestamp,severity,component,context,msg 

Messages by components

_sourceCategory="mongo*" 
| count by component

Failed login attempts

_sourceCategory="mongo*" "authentication failed"  
| parse regex field=msg  "authentication failed for (?<user>[\S]+) on (?<database>[\S]+) from client (?<client_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}) ; (?<reason>[\s\S]+)" 
| count by timestamp, user, database, client_ip, reason
| fields - _count