Enabling Audit with MongoDB 3.2.11
New in version 2.6.
MongoDB Enterprise includes an auditing capability for mongod and mongos instances. The auditing facility allows administrators and users to track system activity for deployments with multiple users and applications.
This is our startup configuration, mongodb.conf:
auditLog:
  destination: file
  filter: '{ atype: { $in: [ "createCollection", "dropCollection", "createDatabase",
    "createIndex", "renameCollection", "dropDatabase", "dropIndex", "createUser",
    "dropUser", "dropAllUsersFromDatabase", "updateUser", "grantRolesToUser", "revokeRolesFromUser",
    "createRole", "updateRole", "dropRole", "dropAllRolesFromDatabase", "grantRolesToRole",
    "revokeRolesFromRole", "grantPrivilegesToRole", "revokePrivilegesFromRole", "enableSharding",
    "shardCollection", "addShard", "removeShard", "shutdown", "applicationMessage",
    "authCheck" ] } }'
  format: BSON
  path: /opt/mongouser/store/mongodb-audit
net:
  port: 27000
operationProfiling: {}
processManagement:
  fork: "true"
replication:
  replSetName: rs-testname
security:
  authorization: enabled
  keyFile: /opt/mongouser/store/auto-mms/keyfile
storage:
  dbPath: /opt/mongouser/store/mongodb-data/rs-testname_1
  directoryPerDB: true
  engine: wiredTiger
  wiredTiger:
    engineConfig:
      directoryForIndexes: true
systemLog:
  destination: file
  path: /opt/mongouser/store/mongodb-data/rs-testname_1/mongodb.log
mongodb.log (the only entry); this is the strace output at startup:
2017-02-23T16:20:54.430+0000 F CONTROL [main] Failed global initialization: FileNotOpen: Failed to open "/opt/mongouser/store/mongodb-audit/": exit status 1
Output (stdout/stderr):
about to fork child process, waiting until server is ready for connections.
forked process: 56468
ERROR: child process failed, exited with error number 1
Directory permissions. The data directory and the audit directory have the same permissions, and the data directory works.
# ls -ald mongodb-*
drwxrwxrwx 2 mongouser mongouser 17 Feb 23 16:19 mongodb-audit
drwxrwxrwx 3 mongouser mongouser 37 Dec 7 11:14 mongodb-data
drwxr-xr-x 6 mongouser mongouser 4096 Dec 7 11:24 auto-mms
I added maximum verbosity, but mongodb.log still has only one line:
systemLog:
  destination: file
  path: /path/mongodb.log
  verbosity: 5
About the Linux box. Using a search engine, I only find similar errors on Windows-based systems.
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
What is wrong?
strace with -f, from the manual:
-f Trace child processes as they are created by currently traced processes as a result of the fork(2), vfork(2) and clone(2) system calls. Note that -p PID -f will attach all threads of
process PID if it is multi-threaded, not only thread with thread_id = PID.
Output:
[pid 26580] open("/etc/sasl2/mongodb.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 26580] open("/etc/sasl/mongodb.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 26580] open("/usr/lib/x86_64-linux-gnu/sasl2/mongodb.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 26580] open("/usr/lib/sasl2/mongodb.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 26580] openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
[pid 26580] getdents(5, /* 5 entries */, 32768) = 160
[pid 26580] getdents(5, /* 0 entries */, 32768) = 0
[pid 26580] close(5) = 0
[pid 26580] openat(AT_FDCWD, "/usr/lib/sasl2", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
[pid 26580] getdents(5, /* 2 entries */, 32768) = 48
[pid 26580] getdents(5, /* 0 entries */, 32768) = 0
[pid 26580] close(5) = 0
[pid 26580] open("/dev/urandom", O_RDONLY) = 5
[pid 26580] read(5, "\300\7&&\345\375\210\7}\\\23&\361\371\271\323\370\22\244 \177\213\23\322A\230s\253ACi\275"..., 8191) = 8191
[pid 26580] open("/dev/urandom", O_RDONLY) = 6
[pid 26580] read(6, "\5\231\332\351\32\2@L\362\202\354\350?|\207\340\241\271\222#\26\366Xuc\215\360FT\363N\236"..., 8191) = 8191
[pid 26580] close(6) = 0
[pid 26580] open("/dev/urandom", O_RDONLY) = 6
[pid 26580] open("/var/vcap/store/mongodb-audit", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EISDIR (Is a directory)
[pid 26580] write(4, "2017-02-27T08:32:41.623+0000 F C"..., 137) = 137
[pid 26580] exit_group(1) = ?
[pid 26580] +++ exited with 1 +++
[pid 26579] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 26580
[pid 26579] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=26580, si_status=1, si_utime=0, si_stime=0} ---
[pid 26579] exit_group(1) = ?
[pid 26579] +++ exited with 1 +++
<... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 26579
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=26579, si_status=1, si_utime=0, si_stime=0} ---
write(1, "ERROR: child process failed, exi"..., 56ERROR: child process failed, exited with error number 1
) = 56
exit_group(1) = ?
+++ exited with 1 +++
path: /opt/mongouser/store/mongodb-audit is a directory, but it has to be a regular file with the .bson extension:
auditLog:
  destination: file
  filter: '{ atype: { $in: [ "createCollection", "dropCollection", "createDatabase",
    "createIndex", "renameCollection", "dropDatabase", "dropIndex", "createUser",
    "dropUser", "dropAllUsersFromDatabase", "updateUser", "grantRolesToUser", "revokeRolesFromUser",
    "createRole", "updateRole", "dropRole", "dropAllRolesFromDatabase", "grantRolesToRole",
    "revokeRolesFromRole", "grantPrivilegesToRole", "revokePrivilegesFromRole", "enableSharding",
    "shardCollection", "addShard", "removeShard", "shutdown", "applicationMessage",
    "authCheck" ] } }'
  format: BSON
  path: /opt/mongouser/store/mongodb-audit/log.bson
You could try it with the following change (without the trailing /):
path: /opt/mongouser/store/mongodb-audit
instead of:
path: /opt/mongouser/store/mongodb-audit/
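A pre-flight check for the auditLog.path value, added here as an example; it is not part of the question, the answers, or MongoDB's own tooling. It assumes it is run as the user mongod runs as, and that the intended target is a file such as /opt/mongouser/store/mongodb-audit/log.bson:

```shell
#!/bin/sh
# Pre-flight check for the auditLog.path value of a mongod.conf (added example,
# not MongoDB tooling). It reproduces the failure from the question, where
# open(path, O_WRONLY|O_CREAT|O_APPEND) on a directory returns EISDIR and mongod
# reports FileNotOpen, before mongod is started, so no strace session is needed.
# Usage: check_audit_path <auditLog.path> [auditLog.format]; returns 0 when
# mongod would be able to open the path, 1 otherwise (reason on stderr).
check_audit_path() {
    path=$1
    format=${2:-JSON}

    # A trailing slash always names a directory; that is the configuration in
    # the question.
    case "$path" in
        */) echo "auditLog.path '$path' ends in '/': mongod opens the path as a file" >&2
            return 1 ;;
    esac
    if [ -d "$path" ]; then
        echo "auditLog.path '$path' is a directory; use a file inside it, e.g. $path/log.bson" >&2
        return 1
    fi

    # mongod creates the file on demand, so the parent directory must exist
    # and be writable by the user mongod runs as.
    parent=$(dirname "$path")
    if [ ! -d "$parent" ]; then
        echo "parent directory '$parent' does not exist" >&2
        return 1
    fi
    if [ ! -w "$parent" ]; then
        echo "parent directory '$parent' is not writable by $(id -un)" >&2
        return 1
    fi
    if [ -e "$path" ] && [ ! -w "$path" ]; then
        echo "audit file '$path' exists but is not writable by $(id -un)" >&2
        return 1
    fi

    # Advisory only: the extension should match auditLog.format (BSON or JSON)
    # so the file is not mistaken for the other encoding when it is read back.
    base=$(basename "$path")
    case "$base" in *.*) ext=${base##*.} ;; *) ext='' ;; esac
    fmt=$(printf '%s' "$format" | tr 'A-Z' 'a-z')
    if [ "$(printf '%s' "$ext" | tr 'A-Z' 'a-z')" != "$fmt" ]; then
        echo "warning: extension '$ext' does not match auditLog.format $format" >&2
    fi
    return 0
}
# When run directly with arguments, check the given path.
if [ $# -gt 0 ]; then check_audit_path "$@"; fi
```

Run it as the mongod user against the path from mongodb.conf before restarting; the configuration in the question fails the trailing-slash test, and the corrected one (a file inside the audit directory) passes.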