Collect MongoDB logs

Supported in:

Google secops SIEM

This document explains how to ingest MongoDB logs to Google Security Operations using Bindplane.

MongoDB is a NoSQL document database that generates audit logs for CRUD operations, authentication events, database commands, and replica set operations. MongoDB writes structured JSON log files locally, which the Bindplane agent can collect directly from the file system.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later, or Linux host with systemd
Network connectivity between the Bindplane agent and the MongoDB server
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Privileged access to the MongoDB server (root or database administrator role)
MongoDB Enterprise or MongoDB Community Edition with audit logging enabled

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Note: This JSON file contains credentials for authenticating the Bindplane agent to Google SecOps.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Note: The customer ID is required for configuring the Bindplane agent exporter.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Wait for the installation to complete.
Verify the installation by running:
```
sc query observiq-otel-collector
```

The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Wait for the installation to complete.

Verify the installation by running:

sudo systemctl status observiq-otel-collector

The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure the Bindplane agent to ingest logs and send to Google SecOps

Locate the configuration file

Linux:

sudo systemctl status observiq-otel-collector

Windows:

notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

receivers:
    filelog:
        include:
            - /var/log/mongodb/auditLog.json
        start_at: beginning

exporters:
    chronicle/mongodb:
        compression: gzip
        creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
        customer_id: '<customer_id>'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: MONGO_DB
        raw_log_field: body
        ingestion_labels:
            env: production

service:
    pipelines:
        logs/mongodb_to_chronicle:
            receivers:
                - filelog
            exporters:
                - chronicle/mongodb

Configuration parameters

Replace the following placeholders:

Receiver configuration:
- filelog: The receiver type for collecting log files from disk
- include: List of file paths to monitor:
  - Linux: /var/log/mongodb/auditLog.json (default MongoDB audit log path)
  - Windows: C:\data\log\auditLog.json or your configured audit log path
- start_at: Set to beginning to read existing logs or end to only read new entries
Exporter configuration:
- mongodb: Descriptive name for the exporter
- creds_file_path: Full path to ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- <customer_id>: Customer ID from the previous step
- endpoint: Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for complete list
- MONGO_DB: Log type exactly as it appears in Chronicle
- ingestion_labels: Optional labels in YAML format (for example, env: production)
Pipeline configuration:
- mongodb_to_chronicle: Descriptive name for the pipeline

Save the configuration file

After editing, save the file:
- Linux: Press Ctrl+O, then Enter, then Ctrl+X
- Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

Run the following command:

sudo systemctl restart observiq-otel-collector

Verify the service is running:

sudo systemctl status observiq-otel-collector

Check logs for errors:

sudo journalctl -u observiq-otel-collector -f

To restart the Bindplane agent in Windows:

Choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
net stop observiq-otel-collector && net start observiq-otel-collector
```
- Services console:
  1. Press Win+R, type services.msc, and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
Verify the service is running:
```
sc query observiq-otel-collector
```

Check logs for errors:

type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure MongoDB to generate audit logs

Sign in to the MongoDB server with administrator or root privileges.
Open the MongoDB configuration file (mongod.conf). Default locations:
- Linux: /etc/mongod.conf
- Windows: C:\Program Files\MongoDB\Server\<version>\bin\mongod.cfg
Verify that audit logging is enabled. In the mongod.conf file, confirm the following settings:
- auditLog.destination is set to file.
- auditLog.format is set to JSON.
- Note the auditLog.path (for example, /var/log/mongodb/auditLog.json).
- If audit logging is not enabled, add the following to mongod.conf:
```
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/auditLog.json
```

Restart the MongoDB service to apply the configuration:

Linux:
```
sudo systemctl restart mongod
```
Windows:
```
net stop MongoDB && net start MongoDB
```

Verify that the audit log file is being written at the configured path (for example, /var/log/mongodb/auditLog.json).
Ensure the Bindplane agent include path in config.yaml matches the auditLog.path configured in mongod.conf.

Note: MongoDB Enterprise is required for the audit logging feature. MongoDB Community Edition does not include built-in audit logging. Make sure the audit log path is readable by the Bindplane agent service account.

UDM mapping table

Log Field	UDM Mapping	Logic
ctx, connectionId, connectionCount, attr.protocol, attr.storage.data.bytesRead, attr.storage.data.timeReadingMicros, attr.command.$readPreference.mode, attr.queryHash, param_old, cluster_node, param.indexName, temp_db_value	additional.fields	Merged from various fields based on conditions
db_mechanism, param.mechanism	extensions.auth.auth_details	Value from db_mechanism if not empty, else param.mechanism
	extensions.auth.mechanism	Set to "MECHANISM_OTHER"
	extensions.auth.type	Set to "AUTHTYPE_UNSPECIFIED"
lb_hostname, src_hostname	intermediary.hostname	Value from lb_hostname if not empty, else src_hostname
lb_port, src_port	intermediary.port	Value from lb_port if not empty, else src_port (converted to integer)
msg	metadata.description	Value copied directly
	metadata.event_type	Set based on msg_atype, category, param_passwordChanged, param_command, remote_ip conditions
msg_atype, category	metadata.product_event_type	Value from msg_atype if not empty, else category
id, type, traceId	metadata.product_log_id	Value from id if not empty, else uuid.$binary if type == "04", else traceId
	metadata.product_name	Set to "MongoDB Enterprise"
	metadata.vendor_name	Set to "MongoDB"
application_name	principal.application	Value copied directly
accessLog.hostname	principal.asset.hostname	Value copied directly
remote_ip	principal.asset.ip	Value copied directly
software_label	principal.asset.software	Merged from software_label
accessLog.hostname	principal.hostname	Value copied directly
remote_ip	principal.ip	Value copied directly
os_type	principal.platform	Set to WINDOWS if matches Windows; MAC if matches osx or mac; LINUX if matches Linux
os_name, param.clientMetadata.os.name	principal.platform_patch_level	Value from os_name if not empty, else param.clientMetadata.os.name
os_version, param.clientMetadata.os.version	principal.platform_version	Value from os_version if not empty, else param.clientMetadata.os.version
remote_port	principal.port	Converted to integer
principal_userid	principal.user.userid	Value copied directly
sr_action	security_result.action	Value copied directly
param.reason, param.indexBuildState	security_result.description	Value from param.reason if msg_atype == "logout"; from param.indexBuildState if msg_atype in ["createIndex", "dropIndex"]
severity, level	security_result.severity	Set to INFORMATIONAL if severity in ["i", "I"] or level in ["INFO", "DEBUG"]; ERROR if severity in ["e", "E"] or level == "ERROR"; MEDIUM if severity in ["w", "W", "f", "F"]
msg_result, attr.error, attr.planSummary, reason, attr.msg_data	security_result.summary	Set based on msg_result, attr.error, attr.planSummary, reason, attr.msg_data conditions
db_value	target.administrative_domain	Value copied directly
application_name	target.application	Value copied directly
local_ip	target.asset.ip	Value copied directly
host_group	target.group.group_display_name	Value copied directly
local_ip	target.ip	Value copied directly
local_port	target.port	Converted to integer
old_name_label, cluster_node_label, mode_label, query_hash_label, bytes_read_label, time_reading_micro_label, environment_label, area_label	target.resource.attribute.labels	Merged from various label fields
param_ns, db_value, param_new, param.args.find	target.resource.name	Set based on msg_atype and param_command conditions
	target.resource.resource_subtype	Set to "MongoDB Database" for database/user events; "MongoDB Collection" for collection events; "MongoDB Index" for index events
	target.resource.resource_type	Set to "DATABASE" for database/user events; "TABLE" for collection/index events
db_user, param.user	target.user.userid	Value from db_user if not empty, else param.user

Need more help? Get answers from Community members and Google SecOps professionals.