-
Notifications
You must be signed in to change notification settings - Fork 201
/
0405-mongodb_decoders.xml
65 lines (56 loc) · 2.73 KB
/
0405-mongodb_decoders.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
<!--
- MongoDB decoders
- Created by Wazuh, Inc.
- Copyright (C) 2015-2020, Wazuh Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<!--
<timestamp> <severity> <component> [<context>] <message>
-->
<decoder name="mongodb">
<prematch>^\d+-\d+-\d+T\d+:\d+:\d+.\d+\p\d+ \w \S+\s+[\w+] </prematch>
</decoder>
<!--
2017-03-27T19:32:31.916+0200 I ACCESS [conn10000] Successfully authenticated as principal snapshots on myUser
-->
<decoder name="mongodb-successauth">
<parent>mongodb</parent>
<prematch offset="after_parent">^Successfully authenticated</prematch>
<regex>^\d+-\d+-\d+T\d+:\d+:\d+.\d+\p\d+ (\w) (\S+)\s+[(\w+)] Successfully authenticated as principal snapshots on (\w+)</regex>
<order>mongodb.severity,mongodb.component,mongodb.context,srcuser</order>
</decoder>
<!--
2017-03-27T19:32:33.916+0200 I NETWORK [conn10000] end connection 10.10.10.10:33658 (15 connections now open)
-->
<decoder name="mongodb-endconnection">
<parent>mongodb</parent>
<prematch offset="after_parent">^end connection</prematch>
<regex>^\d+-\d+-\d+T\d+:\d+:\d+.\d+\p\d+ (\w) (\S+)\s+[(\w+)] end connection (\S+):(\d+) \((\d+)</regex>
<order>mongodb.severity,mongodb.component,mongodb.context,srcip,srcport,mongodb.connections</order>
</decoder>
<!--
2017-03-27T19:32:35.916+0200 I NETWORK [initandlisten] connection accepted from 10.10.10.10:32768 #19309 (10 connections now open)
-->
<decoder name="mongodb-connectionaccepted">
<parent>mongodb</parent>
<prematch offset="after_parent">^connection accepted</prematch>
<regex>^\d+-\d+-\d+T\d+:\d+:\d+.\d+\p\d+ (\w) (\S+)\s+[(\w+)] connection accepted from (\S+):(\d+) #(\d+) \((\d+)</regex>
<order>mongodb.severity,mongodb.component,mongodb.context,srcip,srcport,mongodb.nconnection,mongodb.connections</order>
</decoder>
<!--
2016-03-31T15:07:04.807-0500 I ACCESS [conn3] SCRAM-SHA-1 authentication failed for newdbUser on newdb from client 127.0.0.1 ; AuthenticationFailed SCRAM-SHA-1 authentication failed, storedKey mismatch
-->
<decoder name="mongodb-authfailed">
<parent>mongodb</parent>
<prematch offset="after_parent">^\S+ authentication failed</prematch>
<regex>^\d+-\d+-\d+T\d+:\d+:\d+.\d+\p\d+ (\w) (\S+)\s+[(\w+)] \S+ authentication failed for (\S+) on (\S+) from client (\S+) ;</regex>
<order>mongodb.severity,mongodb.component,mongodb.context,srcuser,mongodb.database,srcip</order>
</decoder>
<!--
2017-03-27T19:32:32.916+0200 I COMMAND [conn13388] killcursors: found 0 of 1
-->
<decoder name="mongodb-generic">
<parent>mongodb</parent>
<regex>^\d+-\d+-\d+T\d+:\d+:\d+.\d+\p\d+ (\w) (\S+)\s+[(\w+)] </regex>
<order>mongodb.severity,mongodb.component,mongodb.context</order>
</decoder>