How to pull mongodb logs with Wazuh agent? - mongodb

I did the following settings in /var/ossec/etc/ossec.conf and after that I restarted the agent, but it's not showing logs on the Kibana dashboard:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/mongodb/mongod.log</location>

I performed a basic installation of Wazuh + MongoDB on agent side with the following results:
MongoDB by default writes inside syslog file located at /var/log/syslog.
Inside /var/log/mongodb/mongod.log there are internal mongo daemon logs that are more specific.
We could monitor such logs on the Wazuh agent with:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
This rule is included by default on the agent, but it is good to remember anyway.
The other one, as you pointed out:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/mongodb/mongod.log</location>
</localfile>
I only see that you didn't copy the closing tag </location>, but it could be a copy mistake; in any case it is good to take a look at /var/ossec/logs/ossec.log to find any errors.
With that configuration we could receive alerts like this:
** Alert 1595929148.661787: - syslog,access_control,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2020 Jul 28 09:39:08 (ubuntu-bionic) any->/var/log/mongodb/mongod.log
Rule: 2501 (level 5) -> 'syslog: User authentication failure.'
2020-07-28T09:39:07.431+0000 I ACCESS [conn38] SASL SCRAM-SHA-1 authentication failed for root on admin from client 127.0.0.1:52244 ; UserNotFound: Could not find user "root" for db "admin"
This alert appears if we run mongo -u root (with a bad password) on the agent side.
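The alert above fires once per line; to see the same authentication failures aggregated per source client, here is an added Python example (not part of the original answer or of Wazuh) that parses the pre-4.4 mongod text log format shown above and flags clients that exceed a failure threshold within a time window. The sample lines and the threshold values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the pre-4.4 mongod text log line quoted in the alert above.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\S+) I ACCESS\s+\[(?P<conn>conn\d+)\] SASL (?P<mech>\S+) "
    r"authentication failed for (?P<user>\S+) on (?P<db>\S+) "
    r"from client (?P<ip>[\d.]+):(?P<port>\d+) ; (?P<code>\w+): (?P<msg>.*)$"
)

def parse_auth_failure(line):
    """Return the fields of an authentication-failure line, or None for others."""
    m = AUTH_FAIL.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # mongod stamps ISO-8601 with a numeric offset such as +0000 (%z).
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return rec

def failures_by_client(lines, threshold=3, window=timedelta(minutes=5)):
    """Group failures by source IP and return {ip: total failures} for every
    client with at least `threshold` failures inside any `window`-long span."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_auth_failure(line)
        if rec:
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample lines in the same format (not taken from a real server).
SAMPLE_LINES = [
    '2020-07-28T09:39:07.431+0000 I ACCESS   [conn38] SASL SCRAM-SHA-1 authentication failed for root on admin from client 127.0.0.1:52244 ; UserNotFound: Could not find user "root" for db "admin"',
    '2020-07-28T09:39:12.002+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:52246 #39 (2 connections now open)',
    '2020-07-28T09:39:15.118+0000 I ACCESS   [conn39] SASL SCRAM-SHA-1 authentication failed for admin on admin from client 127.0.0.1:52246 ; AuthenticationFailed: SCRAM authentication failed, storedKey mismatch',
    '2020-07-28T09:39:40.550+0000 I ACCESS   [conn40] SASL SCRAM-SHA-256 authentication failed for admin on admin from client 127.0.0.1:52250 ; AuthenticationFailed: SCRAM authentication failed, storedKey mismatch',
    '2020-07-28T09:41:02.009+0000 I ACCESS   [conn41] SASL SCRAM-SHA-1 authentication failed for app on appdb from client 10.0.0.5:41000 ; UserNotFound: Could not find user "app" for db "appdb"',
]
```

With the defaults, only 127.0.0.1 (three failures in 33 seconds) is flagged; the single failure from 10.0.0.5 is kept in the per-client record but stays below the threshold.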

Postgresql - LDAP Authentication against Active Directory (AD) - trouble from linux server while ok from windows server

EDIT
I put the same pg_hba rule on the postgresql installed on my WINDOWS laptop, and it works... so I changed the title: how can I make my Linux server authenticate users with AD, like the Windows Pg server does?
/ EDIT
I need to perform authentication of postgresql db users with our Active Directory servers. I've tested lots of configurations, but so far I couldn't find why postgresql users can't be authenticated with this authentication method.
LDAP: Active Directory / Postgresql: Postgresql 9.4
Here is the pg_hba rule I use:
host myDB myUser localhost ldap ldapserver="192.168.10.1" ldapbasedn="DC=companygroup,DC=priv" ldapbinddn="cn=LDAP - Lecture,ou=Users,ou=Specials Objects,dc=companygroup,dc=priv" ldapbindpasswd="ldapPassWord" ldapsearchattribute="sAMAccountName"
When logging in as 'myUser' with the correct password for this user, I have the following logs in the postgresql log file:
2015-11-18 10:01:50 CET [25991-1] [unknown]#[unknown] LOG: 00000: connection received: host=127.0.0.1 port=39074
2015-11-18 10:01:50 CET [25991-2] [unknown]#[unknown] LOCATION: BackendInitialize, postmaster.c:4003
2015-11-18 10:01:50 CET [25991-3] myUser#myDB LOG: 00000: could not search LDAP for filter "(sAMAccountName=myUser)" on server "192.168.10.1": Operations error
2015-11-18 10:01:50 CET [25991-4] myUser#myDB LOCATION: CheckLDAPAuth, auth.c:2030
2015-11-18 10:01:50 CET [25991-5] myUser#myDB FATAL: 28000: LDAP authentication failed for user "myUser"
2015-11-18 10:01:50 CET [25991-6] myUser#myDB DETAIL: Connection matched pg_hba.conf line 104: "host myDB myUser localhost ldap ldapserver="192.168.10.1" ldapbasedn="DC=companygroup,DC=priv" ldapbinddn="cn=LDAP - Lecture,ou=Users,ou=Specials Objects,dc=companygroup,dc=priv" ldapbindpasswd="ldapPassWord" ldapsearchattribute="sAMAccountName"
I saw that if I somehow change ldapbinddn or ldapbindpasswd, I get another error like 'couldn't perform initial LDAP bind for ldapbinddn "..."', so these parameters should be OK.
"Operations error" was not very detailed, so I tcpdumped the authentication process, and here is what I found. It seems that Postgres performs two queries:
First, it searches for the user via the search attribute. This action seems OK because in the response from Active Directory I saw information tied to my user.
Then another query is performed. On this one, the real message from the LDAP Active Directory server is:
LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0 , v1db1
On this second query, I see that PG seems to slightly change the search base to
"DC=ForestDnsZones,DC=companygroup,dc=priv" instead of "DC=companygroup,DC=priv"
(I saw it in the tcp trace:
LDAPMessage searchRequest(3) "DC=ForestDnsZones,DC=companygroup,dc=priv" wholeSubtree ...
)
When I tried a search with the Windows tool "ldapbrowser", I was able to find my account with a simple filter (sAMAccountName=myUser), with the search DN DC=companygroup,DC=priv.
Is my understanding correct? Is it possible that the search is not successful just because the basedn is changed? Or am I missing something else?
Based on your log, your configuration for ldapsearchattribute="sAMAccountName" doesn't work.
You can use an LDAP tool such as LDAPAdmin or OpenLDAP to test your filter. Make sure that the above returns a result when you filter on the attribute below:
(sAMAccountName=myUser)
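Before testing the filter against the directory, it helps to check what the pg_hba record actually says. The following Python is an added example (not from the original thread or from PostgreSQL) that tokenizes an ldap record the way the quoted values above require, reports whether it configures search+bind or simple bind, and builds the first-step lookup filter with the user name escaped per RFC 4515. The option sets and the `uid` default follow the PostgreSQL documentation; the record itself is the one from the question.

```python
import re

# Tokenizer for one pg_hba.conf record: double-quoted option values may contain
# spaces, so ldapbinddn="cn=LDAP - Lecture,ou=Users,..." must stay one token.
FIELD = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)|(\S+)')

# PostgreSQL's two LDAP modes must not be mixed in one record.
SEARCH_BIND_OPTS = {"ldapbasedn", "ldapbinddn", "ldapbindpasswd",
                    "ldapsearchattribute", "ldapsearchfilter", "ldapurl"}
SIMPLE_BIND_OPTS = {"ldapprefix", "ldapsuffix"}

def parse_hba_ldap_line(line):
    """Return (positional fields, option dict) for a pg_hba 'ldap' record."""
    fields, options = [], {}
    for q_key, q_val, key, val, bare in FIELD.findall(line):
        if q_key or key:
            options[q_key or key] = q_val if q_key else val
        else:
            fields.append(bare)
    # With a host name or CIDR address the method is the 5th field; a separate
    # netmask field would push it to the 6th, so take the last bare token.
    if len(fields) < 5 or fields[-1] != "ldap":
        raise ValueError("not an ldap record: %r" % line)
    positional = dict(zip(("type", "database", "user", "address"), fields[:4]))
    positional["method"] = fields[-1]
    return positional, options

def ldap_mode(options):
    """Tell search+bind from simple-bind configuration, rejecting a mix."""
    used_search = SEARCH_BIND_OPTS & set(options)
    used_simple = SIMPLE_BIND_OPTS & set(options)
    if used_search and used_simple:
        raise ValueError("cannot combine %s with %s"
                         % (sorted(used_search), sorted(used_simple)))
    return "search+bind" if used_search else "simple bind"

def search_filter(options, username):
    """Build the first-step lookup filter, e.g. (sAMAccountName=myUser).
    The user name is escaped per RFC 4515 so metacharacters cannot widen it."""
    attr = options.get("ldapsearchattribute", "uid")  # PostgreSQL's default
    escaped = "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c)
                      for c in username)
    return "(%s=%s)" % (attr, escaped)

# The record from the question above, used as sample input.
HBA_LINE = ('host myDB myUser localhost ldap ldapserver="192.168.10.1" '
            'ldapbasedn="DC=companygroup,DC=priv" '
            'ldapbinddn="cn=LDAP - Lecture,ou=Users,ou=Specials Objects,dc=companygroup,dc=priv" '
            'ldapbindpasswd="ldapPassWord" ldapsearchattribute="sAMAccountName"')
```

The filter returned for myUser is exactly the one the answer asks you to test in an LDAP browser, so a mismatch between this output and what you typed there points at the record rather than at the directory.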

MMS Cannot connect to local machine for backup purposes

I am trying to use the MongoDB MMS backup functionality. I am getting the following error when trying to connect in the "Add Host" part of the wizard.
Unable to detect host within check interval.
I have MongoDB 2.6.4 on my Windows 7 laptop. I've created an admin user with the following privileges:
> db.createUser(
... {
... user: "admin",
... pwd: "xxx",
... roles: [
... "clusterAdmin",
... "readAnyDatabase",
... "dbAdminAnyDatabase",
... "userAdminAnyDatabase"
... ]
... }
... );
I run mongod --auth.
Now I try to connect via MMS using MONGODB-CR Auth mechanism and get the error I described above.
In the log I get many errors like the following:
[2014/10/21 09:13:59] [monitoring.info] [monitoring-agent/components/agent.go:551]
Starting 2 marshal handlers
[2014/10/21 09:14:21] [monitoring.error] [monitoring-agent/components/agent.go:314]
Failed to fetch Conf
Failure getting conf. Op: Get Err: dial tcp [I've hidden the IP]:443: ConnectEx tcp:
A connection attempt failed because the connected party did not properly respond after
a period of time, or established connection failed because connected host has failed
to respond.
at monitoring-agent/components/conf.go:249
at monitoring-agent/components/agent.go:312
at mongodb.com/monitoring-agent/monitoring-agent-service.go:129
at winsvc/svc/service.go:200
at pkg/runtime/proc.c:1445
Using the Robomongo 0.8.4 client I was able to log in using the user and password.
I want MMS to be able to connect to my local machine and initialize a backup of the databases on my machine.
Thanks in advance.
I had this error while configuring my mongodb-mms. On my Ops Manager server I had configured my TLS connections correctly, but on the mongo server being monitored I had the incorrect TLS certificate. The log /var/log/mongodb-mms-automation/monitoring-agent.log on the agent I was trying to monitor helped me out:
[2020/04/26 02:05:47.363] [discovery.collector-mongo2:27017.error] [components/discovery.go:contexts:580] Discovery commands requiring authentication will be skipped.
Failed to get connectionStatus. Err: `auth error: round trip error: (UserNotFound) Could not find user "CN=mms,OU=TestClientCertificateOrgUnit,O=TestClientCertificateOrg,L=TestClientCertificateLocality,ST=TestClientCertificateState,C=US" for db "$external"`
at monitoring-agent/components/dialing.go:442
at monitoring-agent/components/dialing.go:200
at monitoring-agent/components/dialing.go:306
at monitoring-agent/components/dialing.go:323
at louisaberger/procexec/concurrency.go:45
at src/runtime/asm_amd64.s:1357
See this page to add in your mms user so that the user can authenticate correctly (or fix your certs if it's just a mixup).

wso2 client-checkin restore

I am using WSO2 Governance Registry v 4.6.0 and am trying to migrate the structure I have in an H2 backed test instance to a Postgres backed production instance (separate VMs for the Web server and database) using client-checkin.
I have successfully checked out the registry from the H2 instance but I am struggling to check it in to the Postgres system.
On the test instance I ran
./checkin-client.sh co https://localhost:9443/registry -u admin -p admin -f /../../../registry_checkout/registry.dump
to create the dump.
On the production system I executed
./checkin-client.sh ci https://arc-gov:9443/registry -u admin -p admin -f /../registry.dump
and get the error below. (And yes, I know the password is the same; it will change when I get it to work!) The URL here is that of the wso2 web server, not the Postgres database.
Any help would be much appreciated.
[2014-10-09 10:34:05,672] ERROR - Error in restoring the path. Make sure the registry is up and running Or the username, password is correct! and check the user have the WRITE permission to the path.
path: /
registry url: https://arc-gov:9443/registry
username: admin {org.wso2.registry.checkin.Client}
org.wso2.carbon.registry.synchronization.SynchronizationException: message code: ERROR_IN_RESTORING, parameters: {path: /, registry url: https://arc-gov:9443/registry, username: admin
at org.wso2.carbon.registry.synchronization.operation.CheckInCommand.restoreFromFile(CheckInCommand.java:207)
at org.wso2.carbon.registry.synchronization.operation.CheckInCommand.execute(CheckInCommand.java:164)
at org.wso2.registry.checkin.Checkin.execute(Checkin.java:70)
at org.wso2.registry.checkin.Checkin.execute(Checkin.java:56)
at org.wso2.registry.checkin.Client.execute(Client.java:272)
at org.wso2.registry.checkin.Client.start(Client.java:67)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.wso2.carbon.bootstrap.Bootstrap.loadClass(Bootstrap.java:63)
at org.wso2.carbon.bootstrap.CheckinClientBootstrap.main(CheckinClientBootstrap.java:36)
Caused by: org.wso2.carbon.registry.core.exceptions.RegistryException: Restoring to / failed.
at org.wso2.carbon.registry.app.RemoteRegistry.restore(RemoteRegistry.java:1725)
at org.wso2.carbon.registry.app.RemoteRegistry.restore(RemoteRegistry.java:1665)
at org.wso2.carbon.registry.synchronization.operation.CheckInCommand.restoreFromFile(CheckInCommand.java:198)
... 11 more
WSO2 Governance Registry does not support check-out/check-in from top-level collection paths [1] (i.e. /_system/governance/ and /_system/config/).
Instead, we recommend that you check out/check in from child collection paths.
There seems to be an issue with dumping remote registry path collections on Greg 4.6.0 [2].
You can also find the fix attached to [2].
[1] https://docs.wso2.com/display/Governance460/Check-in+Client+Examples
[2] https://wso2.org/jira/browse/REGISTRY-2044

Can't Connect to MongoDB from play app with salat: command failed [listDatabases]

I am trying to get started with the salat plugin in Play Framework. I have configured the database in application.conf, added all the dependencies to Build.scala and added salat to the play.plugins file. I haven't actually added any code to the project yet; I just followed the instructions on the github page and then tried to run the project. I am getting the following error message:
(Server started, use Ctrl+D to stop and go back to the console...)
[info] play - mongodb [default] connected at heroku_app4620908#ds031907.mongolab.com:31907/heroku_app4620908
[error] application -
! #6bchnaacn - Internal server error, for request [GET /] ->
play.api.Configuration$$anon$1: Configuration error [couldn't connect to [ds031907.mongolab.com/107.21.153.211:31907]]
at play.api.Configuration$.play$api$Configuration$$configError(Configuration.scala:71) ~[play_2.9.1-2.0.3.jar:2.0.3]
at play.api.Configuration.reportError(Configuration.scala:258) ~[play_2.9.1-2.0.3.jar:2.0.3]
at se.radley.plugin.salat.SalatPlugin$$anonfun$onStart$1.apply(SalatPlugin.scala:105) ~[play-plugins-salat_2.9.1-1.0.8.jar:1.0.8]
at se.radley.plugin.salat.SalatPlugin$$anonfun$onStart$1.apply(SalatPlugin.scala:98) ~[play-plugins-salat_2.9.1-1.0.8.jar:1.0.8]
at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:194) ~[scala-library.jar:0.11.3]
at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:194) ~[scala-library.jar:0.11.3]
Caused by: com.mongodb.CommandResult$CommandFailure: command failed [listDatabases]: { "serverUsed" : "db-uri" , "errmsg" : "need to login" , "ok" : 0.0}
at com.mongodb.CommandResult.getException(CommandResult.java:88) ~[mongo-java-driver-2.8.0.jar:na
at com.mongodb.CommandResult.throwOnError(CommandResult.java:134) ~[mongo-java-driver-2.8.0.jar:na]
at com.mongodb.Mongo.getDatabaseNames(Mongo.java:356) ~[mongo-java-driver-2.8.0.jar:na]
at com.mongodb.casbah.MongoConnection.getDatabaseNames(MongoConnection.scala:190) ~[casbah-core_2.9.1-2.4.1.jar:2.4.1]
at se.radley.plugin.salat.SalatPlugin$$anonfun$onStart$1.apply(SalatPlugin.scala:103) ~[play-plugins-salat_2.9.1-1.0.8.jar:1.0.8]
at se.radley.plugin.salat.SalatPlugin$$anonfun$onStart$1.apply(SalatPlugin.scala:98) ~[play-plugins-salat_2.9.1-1.0.8.jar:1.0.8]
I am stumped because I added my password and everything to the conf file. From the log it looks as though whatever is trying to connect to the database for me is not logging in first using the info I provided.
As you say, it looks like the root issue is that MongoDB is rejecting the command "listDatabases". This command requires administrator access to the MongoDB process since it reveals information about the other databases hosted there.
Unfortunately, the message it returns, "need to login", is a little misleading. You have logged in! You just don't have permission to list the databases.
Here's a simple experiment you can try yourself with the MongoDB shell. See that "show dbs" fails with the same error message you got in your app, but "show collections", which doesn't require access to any other databases outside your own, succeeds?
% mongo ds031907.mongolab.com:31907/heroku_app4620908 -u heroku_app4620908 -p your_password
MongoDB shell version: 2.0.7
connecting to: ds031907.mongolab.com:31907/heroku_app4620908
> show dbs
Fri Aug 17 13:12:10 uncaught exception: listDatabases failed:{ "errmsg" : "need to login", "ok" : 0 }
> show collections
system.indexes
system.users
(Note: I did this with my own MongoLab account and modified the text when copying and pasting here so you could just copy it into your terminal.)
Is there a way to avoid making the listDatabases call? I'm not familiar with the framework you're using.
I have the problem as well...
It should come from the SalatPlugin's onStart method, which requests all database names: source._2.connection.getDatabaseNames().
This code is just testing the aliveness of the server...
I'm gonna check with leon how we could do this differently! Sadly, you won't be able to connect until this is fixed!
Stay tuned on this issue https://github.com/leon/play-salat/issues/23
This is fixed in the latest version of play-salat; it now uses getCollectionNames instead.
use admin
db.addUser('userName', 'userPassword')
db.auth('userName', 'userPassword')
show dbs
java:
DB db = mongo.getDB("YouDBName") ;
db.authenticate("userName", "userPassword".toCharArray()) ;
System.out.println(mongo.getDatabaseNames()) ;

MongoDB : Cloning Database error?

When I try to clone my mongo database from another machine, I see the following on the client:
db.cloneDatabase('10.10.124.110')
{ "errmsg" : "query failed staging.system.namespaces", "ok" : 0 }
and on the server I see
Thu Nov 10 11:29:01 [conn10] assertion 10057 unauthorized db:staging lock type:-1 client:10.10.124.110 ns:staging.system.namespaces query:{}
How can I resolve this issue?
That error seems a lot like this one https://jira.mongodb.org/browse/SERVER-2846 where an error is thrown because copyDatabase() ... which cloneDatabase() uses ... requires Admin privileges. In that case the user is using a hosted MongoDB instance where they didn't have admin privileges.
You can see some more about how to use the copyDatabase() command here and here.
So, for example, if you are using -auth with a username/password, you'll need to run the copyDatabase() command like this:
> db.copyDatabase(from_db, to_db, from_host, username, password);
I was able to just resolve this error by querying the PRIMARY host in a replicaSet, rather than the SECONDARY.