Table of Contents | ||||
---|---|---|---|---|
|
Introduction
The tags beginning with <technologydb.brand> identify mongodb identify events generated by Company. Add link to the Company website. MongoDB.
Valid tags and data tables
The full tag must can have n 6 levels. The first two are fixed as <technology db.brand>mongodb. The third level identifies the type of events sent, and the fourth level indicates the event subtype. Modify or remove this sentence according to the levels available
Technology | Brand | Type | Subtype | |
---|---|---|---|---|
technologydb | brandmongodb | type1 out ... |
... | venv |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
tag1 | table1 |
tag2 | table2 |
How is the data sent to Devo?
Use the info in the How is the data sent to Devo? section of the internal doc to fill this section with the required method
Event source → Relay → Devo
Logs generated by company must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
Add all the rules following the format of the example below:
Relay rule 1 - Versa NGFW Access
Source Port → 13030
Source Data → (.*)accessLog, applianceName=(.*)
Target Tag → network.versa.ngfw.access
Select the Stop Processing and Sent without syslog tag checkboxes
Relay rule 2 - name
...
Event source → Collector → Devo
If there's documentation for the collector:
To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can download the collector and learn how to use it in Collector article.
Use this if the collector is not documented:
Logs generated by ... are forwarded to Devo using a dedicated collector. Contact us if you need to forward these events to your Devo domain so we can guide you through the process.
Event source → Devo (Syslog, HTTP...):
You can forward logs generated by Company using any Syslog drain (for example, Syslog-ng). Learn more about how to send Company logs and their structure here.
db.mongodb.out.venv.vapp.vclone | db.mongodb.out |
Log samples
The following are sample logs sent to each of the<technologydb.brand>mongodb data tables. Also, find how the information will be parsed in your data table under each sample log.
Note | ||
---|---|---|
| ||
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns. |
db.
...
Add this note only if the parser contains any Extra field
...
mongodb.out
Code Block |
---|
2021-12-15 17:12:11.052 2018-emea-0259.local=127.0.0.1 db.mongodb.out.venv.vapp.vclone: 2021-12-09T00:17:01.681+0000 I CONTROL [signalProcessingThread] Replica Set Config: { _id: "logtrust", version: 3, protocolVersion: 1, members: [ { _id: 0, host: "127.0.0.1:27017", arbiterOnly: false, buildIndexes: true, hidden: false, priority: 1.0, tags: {}, slaveDelay: 0, votes: 1 }, { _id: 1, host: "127.0.0.1:27017", arbiterOnly: false, buildIndexes: true, hidden: false, priority: 1.0, tags: {}, slaveDelay: 0, votes: 1 }, { _id: 2, host: "127.0.0.1:27017", arbiterOnly: true, buildIndexes: true, hidden: false, priority: 1.0, tags: {}, slaveDelay: 0, votes: 1 } ], settings: { chainingAllowed: true, heartbeatIntervalMillis: 2000, heartbeatTimeoutSecs: 10, electionTimeoutMillis: 10000, catchUpTimeoutMillis: 60000, getLastErrorModes: {}, getLastErrorDefaults: { w: 1, wtimeout: 0 }, replicaSetId: ObjectId(\'5c379794f63d3c454\') } }
2021-12-15 17:12:11.055 2018-emea-0259.local=127.0.0.1 db.mongodb.out.venv.vapp.vclone: 2021-12-09T00:17:01.681+0000 I CONTROL [signalProcessingThread] db version v3.4.18
2021-12-15 17:12:11.062 2018-emea-0259.local=127.0.0.1 db.mongodb.out.venv.vapp.vclone: 2021-12-09T00:17:01.681+0000 I CONTROL [signalProcessingThread] options: { config: "/bin/arrive.mp3", net: { bindIp: "201.122.17.197", http: { enabled: false }, ipv6: false, maxIncomingConnections: 65536, port: 27017 }, processManagement: { fork: false }, replication: { oplogSizeMB: 1024, replSetName: "logtrust" }, security: { authorization: "enabled", keyFile: "/opt/anything/cost/crime/continue.ppt-keyfile" }, storage: { dbPath: "/bin/cuba/meeting.flac", directoryPerDB: false, engine: "wiredTiger", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, logRotate: "rename", path: "/dev/wonder/economy/light.doc" } }
2021-12-15 17:12:11.069 2018-emea-0259.local=127.0.0.1 db.mongodb.out.venv.vapp.vclone: 2021-12-10T02:00:00.111+0000 I COMMAND [conn3286] command oauth2.tokens command: aggregate { aggregate: "tokens", pipeline: [ { $project: { id: "$_id", token: "$access_token", date: "$creation_date", expire: "$expires_in", expiredTime: { $add: [ "$creation_date", "$expires_in" ] } } }, { $match: { date: { $exists: true }, expire: { $gt: 0 }, expiredTime: { $lt: 1639101600 } } } ], cursor: { batchSize: 2147483647 } } planSummary: COLLSCAN keysExamined:0 docsExamined:39764 cursorExhausted:1 numYields:312 nreturned:0 reslen:101 locks:{ Global: { acquireCount: { r: 638 } }, Database: { acquireCount: { r: 319 } }, Collection: { acquireCount: { r: 318 } } } protocol:op_query 110ms
|
And this is how the log would be parsed:
Field | Value | Type | Source field name | Extra fields |
---|---|---|---|---|
application |
|
| vapp | |
clone |
|
| vclone | |
components |
|
| ||
context |
|
| ||
environment |
|
| venv | |
eventdate |
|
| ||
hostchain |
|
| ✓ | |
hostname |
|
| ||
log_message |
|
| ||
rawMessage |
|
| ✓ | |
serverdate |
|
| ||
severity_level |
|
| ||
tag |
|
| ✓ |