1 host configured as server and 2 hosts as Elasticsearch data nodes. This was working fine for around a month, but as of today, it appears like it completely wiped itself out. I see the data is still on the Elasticsearch nodes, but when logging into the website, it’s basically like the first time I’ve ever logged in to it. All inputs and users have been wiped.
Logged into mongo, and I see 3 DBs (warning, graylog, local), but I am not seeing any tables or collections in any of these. I’ve looked at the logs in /var/log/graylog/ but everything in there is current and this could have happened during the last 3-4 days.
Is there any way I can restore all the configuration changes I have made? If not, how do I stop this from occurring in the future?
do you have anything in your MongoDB log files that could be related to this?
See the mongodb log to check whether any dropDatabase command has been executed or not. Generally it’s /var/log/mongo/mongo.log. Or see /etc/mongo.conf for the log file location. Source
I have no way to read the old ones as well. Doing a find, I couldn’t even find that conf on the server. Maybe I am missing something, but this is a definite problem.
EDIT:
So I was able to read these files using gunzip -c filename and found this:
2018-09-10_11:21:21.65153 2018-09-10T06:21:21.651-0500 I COMMAND [conn79] dropDatabase admin finished
2018-09-10_11:21:23.43423 2018-09-10T06:21:23.434-0500 I COMMAND [conn80] dropDatabase graylog starting
2018-09-10_11:21:23.48414 2018-09-10T06:21:23.483-0500 I COMMAND [conn80] dropDatabase graylog finished
But the odd part is, no one would have had access to this server to do this, so uh…what happened? Assuming there isn’t a way to restore (as I don’t think I saved a restore point)
This is odd. I don’t think that Graylog would have a function to drop its entire database. At least it doesn’t make sense to me that that would be implemented. Somebody from the dev team @Graylog_staff could clarify this.
I cannot really find information about seeing who triggered a MongoDB command, so I won’t be able to help you find out who deleted the database…
And no, sadly there is no way to restore the configuration without a database snapshot/backup I’m afraid…
I guess that someone from the outside has just connected to the MongoDB and then deleted everything on it.
2018-09-10T06:21:23.434-0500 I COMMAND [conn80] dropDatabase graylog starting
That is exactly the time this happens.
Not sure how this happened, but as MongoDB on the AWS AMI is not listening only on localhost, this can happen. The AMI is just a test/showcase and not hardened for production use cases.
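The check suggested earlier (grep the mongod log for dropDatabase) can be taken one step further: mongod 3.x logs a "connection accepted from ADDR #N" line when a client connects, and the later command lines carry the same number as "[connN]", so the two can be joined to see which client address issued each drop. This is an added example, not code from the thread or from Graylog; the accept-line format and the 203.0.113.7 client address in the sample are assumptions I constructed around the three log lines quoted above.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# mongod 3.x text-log format as it appears in the thread; the optional leading
# field is the svlogd-style "2018-09-10_11:21:21.65153" prefix in the excerpt.
BASE = r"^(?:\S+\s+)?(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+[+-]\d{4})\s+[IWEF]\s+\w+\s+\[(?P<ctx>[^\]]+)\]\s+"
DROP_RE = re.compile(BASE + r"dropDatabase\s+(?P<db>\S+)\s+(?P<phase>starting|finished)")
# Assumed format of the line mongod writes when a client connects:
# "... I NETWORK [listener] connection accepted from 10.0.0.5:43210 #80 (1 connection now open)"
ACCEPT_RE = re.compile(BASE + r"connection accepted from (?P<addr>\S+) #(?P<num>\d+)")

@dataclass
class DropEvent:
    ts: datetime
    conn: str
    db: str
    source: Optional[str]  # client address, or None if the accept line was not in the window

def find_drop_databases(lines) -> List[DropEvent]:
    """Return every completed dropDatabase, attributed to the client address
    that opened that connection (None when the accept line was not seen)."""
    conn_to_addr: Dict[str, str] = {}
    events: List[DropEvent] = []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            conn_to_addr["conn" + m.group("num")] = m.group("addr")
            continue
        m = DROP_RE.match(line)
        if m and m.group("phase") == "finished":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f%z")
            events.append(DropEvent(ts, m.group("ctx"), m.group("db"), conn_to_addr.get(m.group("ctx"))))
    return events

# Constructed sample: the three lines from the thread plus two invented accept lines
# (203.0.113.7 is a documentation address, not a real client).
SAMPLE_LOG = """\
2018-09-10_11:21:20.10000 2018-09-10T06:21:20.100-0500 I NETWORK  [listener] connection accepted from 203.0.113.7:51544 #79 (1 connection now open)
2018-09-10_11:21:21.65153 2018-09-10T06:21:21.651-0500 I COMMAND  [conn79] dropDatabase admin finished
2018-09-10_11:21:22.00000 2018-09-10T06:21:22.000-0500 I NETWORK  [listener] connection accepted from 203.0.113.7:51546 #80 (2 connections now open)
2018-09-10_11:21:23.43423 2018-09-10T06:21:23.434-0500 I COMMAND  [conn80] dropDatabase graylog starting
2018-09-10_11:21:23.48414 2018-09-10T06:21:23.483-0500 I COMMAND  [conn80] dropDatabase graylog finished
""".splitlines()

if __name__ == "__main__":
    for ev in find_drop_databases(SAMPLE_LOG):
        print(f"{ev.ts.isoformat()} {ev.conn:<7} dropped '{ev.db}' from {ev.source or 'unknown client'}")
```

Run it over the output of gunzip -c on the rotated mongod logs; a source address outside your own network or the Graylog host is the finding to act on (bind MongoDB to localhost or a private interface, and require authentication).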
Thank you so much. Only question I have revolves around -a and -g.
-u, --username USERNAME MongoDB username
-p, --password PASSWORD MongoDB password
-a, --admin User is the DB admin
-g, --graylog User should be used for Graylog server
I’d obviously want this user to be admin, but what exactly does -g do? Assuming I just want to lock down mongo set-mongodb-password -a -u user -p pass should be good enough, or will graylog not be able to access mongo then?
You have the option to create one admin user (-a) that can be used to work with MongoDB, and the other option is to create a user for Graylog and write that user/password into the Graylog configuration (-g).