Dashboard and delete stream that was connected to dashboard permission error after that

Hellu all!

Any hints how to delete the stream IDs that are matching in the dashboard after I deleted the stream… it's still present in MongoDB. This causes permission denied errors for users that have those dashboards, because they don't have access to a stream that does not exist.

I can find it in the views db but not in streams.

I know how to delete the stream ID object in the mongo CLI but can't figure out how to do it in a dashboard and just match the stream IDs that are mapped in the widget.
Sure, I can paste the output from mongo in JSON format but it's long :slight_smile:

Hey @dio99

You should have an ID on your browser

then look for that ID in Mongo
Example

    > db.views.find({},{"full_name":1,"ObjectId":1});
    { "_id" : ObjectId("5a50378bffe8b131e9cb8ea9") }
    { "_id" : ObjectId("5f1a03f6fc4c8f84090dbbf9") }
    { "_id" : ObjectId("6035ab5ec131d1e60f6b15b4") }
    { "_id" : ObjectId("6035b016a0f28f5e0b86cad5") }
    { "_id" : ObjectId("6194356a33abac39e4f7b6ce") }
    { "_id" : ObjectId("61b1431428b37319e15ade65") } < ------------------- HERE
    { "_id" : ObjectId("62e36711ce8c7a2e9c0c4611") }
    { "_id" : ObjectId("6365a35244f604d2ca23bbe5") }
    { "_id" : ObjectId("63bf97fca8f6d0bec52e2c6f") }
    { "_id" : ObjectId("63c09a00a8f6d0bec52e2c7f") }
    { "_id" : ObjectId("63c745d941ae36495a5b3c95") }
    { "_id" : ObjectId("63f42d91552f72b2057aad37") }
    { "_id" : ObjectId("63f6a4e7847d2bd0eadf1a72") }
    { "_id" : ObjectId("63f6a4f817e55cb7e21c4bc7") }
    { "_id" : ObjectId("63f6cfdccf9cc97e0638b1dd") }
    { "_id" : ObjectId("63f8278724f18e56358b868b") }
    { "_id" : ObjectId("641242f80a740a44dc113b9e") }
    { "_id" : ObjectId("645c36b4269d8c485e5ce7ef") }
    >

MongoDb 4.x you can use something like this.

    mongoexport -u admin -p password123 --collection=views --db=graylog --fields="ObjectId"

Yes and thanks, I can find it but I'm not sure how to remove the object in the stream ID that is in the widget.
The stream ID is not in streams but only in the dashboard,
this ID for example: 6374a954f64b1801b7413c17

    {
    "_id" : ObjectId("6374a954f64b1801b7413c26"),
    "type" : "DASHBOARD",
    "title" : "Windows Sec Logs",
    "summary" : "This dashboard was migrated automatically.",
    "description" : "Security eventsid",
    "search_id" : "648af3f5f2dc742ec6c86d7d",
    "properties" : [ ],
    "requires" : {

    },
    "state" : {
            "00000171-88f9-1f15-940c-0a58ac1001d7" : {
                    "titles" : {
                            "widget" : {
                                    "00000171-88f9-1ee0-940c-0a58ac1001d7" : "Tier0 Group Changed 7D",
                                    "00000171-88f9-1ee1-940c-0a58ac1001d7" : "Tier0 Group Changed 7D",
                                    "00000171-88f9-1ee2-940c-0a58ac1001d7" : "Sources Account Lockout 7D",
                                    "00000171-88f9-1ef3-940c-0a58ac1001d7" : " Filtering Platform Packet SourceIP Drop 1D",
                                    "00000171-88f9-1ee3-940c-0a58ac1001d7" : "Sources Account Lockout 7D",
                                    "00000171-88f9-1ef4-940c-0a58ac1001d7" : " Filtering Platform Packet SourceIP Drop 1D",
                                    "00000171-88f9-1ee6-940c-0a58ac1001d7" : "High Criticality Events 7D",
                                    "00000171-88f9-1ed7-940c-0a58ac1001d7" : "Eventid 4776 and user name does not exist, user name is correct but the password is wrong,user tried to logon outside his day of week or time of day restrictions",
                                    "00000171-88f9-1ed8-940c-0a58ac1001d7" : "Eventid 4776 and user name does not exist, user name is correct but the password is wrong,user tried to logon outside his day of week or time of day restrictions",
                                    "00000171-88f9-1ed9-940c-0a58ac1001d7" : "Audit Log Cleared 7D",
                                    "3366cd3c-22d2-47ed-bd2b-845a09bff1ec" : "Installed applications 7D",
                                    "00000171-88f9-1eda-940c-0a58ac1001d7" : "Audit Log Cleared 7D",
                                    "00000171-88f9-1edb-940c-0a58ac1001d7" : "BSOD",
                                    "00000171-88f9-1eed-940c-0a58ac1001d7" : "Lockedout accounts 1D",
                                    "00000171-88f9-1eee-940c-0a58ac1001d7" : "Lockedout accounts 1D"
                            },
                            "tab" : {
                                    "title" : "Windows Sec Logs"
                            }
                    },
                    "widgets" : [
                            {
                                    "id" : "00000171-88f9-1ed7-940c-0a58ac1001d7",
                                    "type" : "aggregation",
                                    "timerange" : {
                                            "type" : "relative",
                                            "from" : 604800
                                    },
                                    "query" : {
                                            "type" : "elasticsearch",
                                            "query_string" : "EventID:4776  AND (Status:0xc0000064 OR Status:0xc000006a OR Status:0xc000006f)"
                                    },
                                    "streams" : [
                                            "6374a954f64b1801b7413c10"
                                    ],
                                    "config" : {
                                            "row_pivots" : [
                                                    {
                                                            "field" : "TargetUserName",
                                                            "type" : "values",
                                                            "config" : {
                                                                    "limit" : 10
                                                            }
                                                    },
                                                    {
                                                            "field" : "Status",
                                                            "type" : "values",
                                                            "config" : {
                                                                    "limit" : 15
                                                            }
                                                    }
                                            ],
                                            "column_pivots" : [ ],
                                            "series" : [
                                                    {
                                                            "config" : {

                                                            },
                                                            "function" : "count()"
                                                    }
                                            ],
                                            "sort" : [
                                                    {
                                                            "type" : "series",
                                                            "field" : "count()",
                                                            "direction" : "Descending"
                                                    }
                                            ],
                                            "visualization" : "pie",
                                            "rollup" : true,
                                            "event_annotation" : false
                                    }
                            },
                            {
                                    "id" : "00000171-88f9-1ee2-940c-0a58ac1001d7",
                                    "type" : "aggregation",
                                    "timerange" : {
                                            "type" : "relative",
                                            "from" : 604800
                                    },
                                    "query" : {
                                            "type" : "elasticsearch",
                                            "query_string" : "EventID:4740"
                                    },
                                    "streams" : [
                                            "6374a954f64b1801b7413c10"
                                    ],
                                    "config" : {
                                            "row_pivots" : [
                                                    {
                                                            "field" : "TargetDomainName",
                                                            "type" : "values",
                                                            "config" : {
                                                                    "limit" : 15
                                                            }
                                                    }
                                            ],
                                            "column_pivots" : [ ],
                                            "series" : [
                                                    {
                                                            "config" : {

                                                            },
                                                            "function" : "count()"
                                                    }
                                            ],
                                            "sort" : [
                                                    {
                                                            "type" : "series",
                                                            "field" : "count()",
                                                            "direction" : "Descending"
                                                    }
                                            ],
                                            "visualization" : "pie",
                                            "rollup" : true,
                                            "event_annotation" : false
                                    }
                            },
                            {
                                    "id" : "00000171-88f9-1ed8-940c-0a58ac1001d7",
                                    "type" : "aggregation",
                                    "timerange" : {
                                            "type" : "relative",
                                            "from" : 604800
                                    },
                                    "query" : {
                                            "type" : "elasticsearch",
                                            "query_string" : "EventID:4776  AND (Status:0xc0000064 OR Status:0xc000006a OR Status:0xc000006f)"
                                    },
                                    "streams" : [
                                            "6374a954f64b1801b7413c17",     **< ------------------- HERE**
                                            "6374a954f64b1801b7413c10",
                                            "6374a954f64b1801b7413c02",
                                            "6374a954f64b1801b7413c0a"
                                    ],

To be honest: I think this is a bug in Graylog which should be fixed. You might fix it in your own instance with some edits in MongoDB, but this is an ugly state. May I suggest to open an issue here?


What version of graylog are you using? Also can you share what steps you took to reach that error state? For example:

  1. create stream
  2. edit dashboard in some way that references stream (how or what specifically?)
  3. delete stream
  4. error?

I very quickly tried to recreate this but was unable to using the latest build of Graylog 5.1.2.

Thanks!

Hey @dio99

Yeah man, it's not good when you have to delete UIDs in MongoDB. It might create more issues.

Hellu

  1. It was exported dashboards and stream from another Graylog install, version 4.1.13, imported to the same version.
  2. Edited the dashboard and also the streams, deleted the streams that were not needed.
  4. No error when I did this.

The error is that it still contains the stream ID in the dashboard in the DB, which causes a user who has access to the dashboard to be missing stream permissions on those missing stream IDs in the dashboard widgets.

// Anders

Yes, one way would be to edit the export JSON, delete the dashboard and reimport the JSON file without the missing stream IDs.
But I want to delete the IDs in the DB and am not sure how to do that :slight_smile:

Hey @dio99

By no means am I suggesting this to you, but :slight_smile: this may help.
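
One way to find and strip the stale stream IDs discussed in this thread, working on an exported copy of the dashboard JSON rather than on MongoDB directly. This is an added example, not part of any post and not Graylog code; the function name, the list of surviving streams and the third widget are assumptions.

```javascript
// Added example; the function name is hypothetical. Works on a dashboard document
// parsed from exported JSON, shaped like the one pasted in the thread:
//   view.state[<queryId>].widgets[].streams = [<streamId>, ...]
function cleanDanglingStreams(view, existingStreamIds) {
  const known = new Set(existingStreamIds);
  const cleaned = JSON.parse(JSON.stringify(view)); // deep copy, input untouched
  const removed = []; // every reference that was dropped
  const emptied = []; // widgets left with no stream at all: review by hand
  for (const [queryId, state] of Object.entries(cleaned.state || {})) {
    for (const widget of state.widgets || []) {
      if (!Array.isArray(widget.streams)) continue;
      const kept = widget.streams.filter((id) => known.has(id));
      for (const id of widget.streams) {
        if (!known.has(id)) removed.push({ queryId, widgetId: widget.id, streamId: id });
      }
      if (kept.length === 0 && widget.streams.length > 0) emptied.push(widget.id);
      widget.streams = kept;
    }
  }
  return { cleaned, removed, emptied };
}

// Constructed sample, cut down from the thread's "Windows Sec Logs" dashboard.
// Which streams still exist is an assumption made for the example.
const existingStreams = [
  "6374a954f64b1801b7413c10", "6374a954f64b1801b7413c02",
  "6374a954f64b1801b7413c0a",
];
const sampleView = {
  title: "Windows Sec Logs",
  state: {
    "00000171-88f9-1f15-940c-0a58ac1001d7": {
      widgets: [
        { id: "00000171-88f9-1ed7-940c-0a58ac1001d7",
          streams: ["6374a954f64b1801b7413c10"] },
        { id: "00000171-88f9-1ed8-940c-0a58ac1001d7",
          streams: ["6374a954f64b1801b7413c17", "6374a954f64b1801b7413c10",
                    "6374a954f64b1801b7413c02", "6374a954f64b1801b7413c0a"] },
        { id: "constructed-widget-only-deleted-stream",
          streams: ["6374a954f64b1801b7413c17"] },
      ],
    },
  },
};

const result = cleanDanglingStreams(sampleView, existingStreams);
console.log(JSON.stringify(result.removed, null, 2));
console.log("widgets left without streams:", result.emptied);
```

The `removed` list doubles as a change record to keep next to the backup of the original export; widgets reported in `emptied` no longer name any stream, so check what they query before re-importing.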
