MongoDB 4.4 logs are in .json format and not recognized #2932
Comments
<breathe-in> But, OK...

```ini
[Definition]
datepattern = ^\{"t":\{"\$date":"%%Y-%%m-%%dT%%H:%%M:%%S\.%%f%%z"}\s*,\s*
_groupre = (?:"(?!(?:msg|attr|client|remote)\b)\w+":(?:"[^"]+"|\w+)\s*[,\}]\s*)
failregex = ^%(_groupre)s*"msg":"Authentication failed"\s*,\s*%(_groupre)s*"attr"\s*:\s*\{%(_groupre)s*"(?:client|remote)":"<ADDR>:\d+"
```

(RE adjusted to consider #3046 log format - parses both Just... it is a bit weak (since IP is in nested dict after all that foreign input). Sure PCRE allows nesting (recursive parsing rules), but it's somehow ugly (especially if order of tags is not specified).
Thank you @sebres! I really appreciate the quick help. I think JSON parsing makes sense! Let me know if I can do anything to help.
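Added example, not part of the thread and not fail2ban code: a Python function for the JSON-parsing approach mentioned above, which reads the address only from the nested `attr` object of an "Authentication failed" entry. The sample lines are constructed; keys other than `t`, `msg`, `attr`, `client` and `remote`, and the bracketed IPv6 form, are assumptions.

```python
import ipaddress
import json

# Constructed sample lines (not from the issue). Keys other than "t", "msg",
# "attr", "client" and "remote" are assumptions made for illustration.
SAMPLE_LINES = [
    '{"t":{"$date":"2021-02-01T10:00:00.000+00:00"},"s":"I","c":"ACCESS",'
    '"msg":"Authentication failed","attr":{"user":"admin","client":"192.0.2.10:51234"}}',
    # assumed bracketed IPv6 form of the endpoint
    '{"t":{"$date":"2021-02-01T10:00:01.000+00:00"},"s":"I","c":"ACCESS",'
    '"msg":"Authentication failed","attr":{"user":"x","remote":"[2001:db8::5]:40000"}}',
    # foreign input that imitates the address key; it stays inside a string value
    '{"t":{"$date":"2021-02-01T10:00:02.000+00:00"},"s":"I","c":"ACCESS",'
    '"msg":"Authentication failed","attr":{"user":"\\"client\\":\\"198.51.100.1:1\\"",'
    '"remote":"192.0.2.77:40001"}}',
    '{"t":{"$date":"2021-02-01T10:00:03.000+00:00"},"s":"I","c":"NETWORK",'
    '"msg":"Connection accepted","attr":{"remote":"192.0.2.10:51235"}}',
    'not json at all',
]


def failed_auth_host(line):
    """Return the client IP of a failed authentication entry, or None."""
    try:
        entry = json.loads(line)
    except ValueError:  # not a JSON log line
        return None
    if not isinstance(entry, dict) or entry.get("msg") != "Authentication failed":
        return None
    attr = entry.get("attr")
    if not isinstance(attr, dict):
        return None
    endpoint = attr.get("client") or attr.get("remote")
    if not isinstance(endpoint, str):
        return None
    host = endpoint.rpartition(":")[0].strip("[]")  # drop the ":port" suffix
    try:
        return str(ipaddress.ip_address(host))  # accept only a literal IP
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(failed_auth_host(sample))
```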
Apologies for bumping a 2-year-old issue, but this is now an issue again with the latest MongoDB image from Docker, currently 6.0.4. The log format has changed again, hence breaking the filter.
I don't see that it has changed again. The filter from #2932 (comment) still finds a match for your example log message.
Environment:
The issue:
MongoDB 4.4 introduced output logging in structured JSON format. This change in formatting means the existing failure regex no longer recognizes failures.
Steps to reproduce
mongodb-auth filter.
Expected behavior
Should be recognized by the filter as a failed login.
Observed behavior
Not recognized by the filter.