MongoDB URI with replicaSet

Hello,

I am trying to set up Graylog, MongoDB and ES. MongoDB and ES are up and running.

In the GL server.conf I have:

mongodb_uri = mongodb://admin:glp@node1:27017/?replicaSet=rs_graylog,node2:27017/?replicaSet=rs_graylog,node3:27017/?replicaSet=rs_graylog

But this gives me this error on GL startup:

2017-11-03T15:13:11.831+01:00 ERROR [CmdLineTool] **Invalid configuration**
com.github.joschi.jadconfig.ValidationException: Couldn't run validator method
        at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:227) ~[graylog.jar:?]
        at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:100) ~[graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.processConfiguration(CmdLineTool.java:351) [graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.readConfiguration(CmdLineTool.java:344) [graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:177) [graylog.jar:?]
        at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_121]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_121]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_121]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_121]
        at com.github.joschi.jadconfig.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:53) ~[graylog.jar:?]
        at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:221) ~[graylog.jar:?]
        ... 5 more
Caused by: java.lang.IllegalArgumentException: **The connection string contains an invalid host 'lsvgk0703:27017/?replicaSet=rs_graylog'. The port '27017/?replicaSet=rs_graylog' is not a valid, it must be an integer between 0 and 65535**

What should this parameter look like? How do I define a certain ReplicaSet? Or does GL just take the one and only ReplicaSet available?

Thanks in advance,

Regards,

Dietmar

Here is mine (without auth), db is graylog (default), replica set is also named graylog.
mongodb://mongo:27017,mongo2:27017/graylog?replicaSet=graylog

So I guess yours should be:
mongodb://admin:glp@node1:27017,node2:27017,node3:27017/graylog?replicaSet=rs_graylog

Take a look at:
http://docs.graylog.org/en/2.3/pages/configuration/multinode_setup.html

and
https://docs.mongodb.com/manual/reference/connection-string/

1 Like
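The difference between the two URI forms in this thread can be checked before Graylog is started. The following is an added example, not code from the thread or from Graylog; `lint_mongodb_uri` and the sample constants are illustrative names, the password is a placeholder, and IPv6 host literals are not handled.

```python
import re

DEFAULT_PORT = 27017
# Constructed samples mirroring the two forms in the thread (placeholder password).
BROKEN = ("mongodb://admin:PASSWORD@node1:27017/?replicaSet=rs_graylog,"
          "node2:27017/?replicaSet=rs_graylog,node3:27017/?replicaSet=rs_graylog")
FIXED = "mongodb://admin:PASSWORD@node1:27017,node2:27017,node3:27017/graylog?replicaSet=rs_graylog"

def lint_mongodb_uri(uri):
    """Split a mongodb:// URI into hosts, database and options; collect format problems."""
    result = {"hosts": [], "database": "", "options": {}, "problems": []}
    problems = result["problems"]
    if not uri.startswith("mongodb://"):
        problems.append("scheme must be mongodb://")
        return result
    # Layout: mongodb://[user:password@]host1[:port1][,hostN[:portN]][/[database][?options]]
    authority, _, tail = uri[len("mongodb://"):].partition("/")
    _, _, hostlist = authority.rpartition("@")  # credentials are dropped, never echoed
    for entry in hostlist.split(","):
        name, colon, port = entry.partition(":")  # assumption: no IPv6 literals
        if not name:
            problems.append(f"empty host name in {entry!r}")
        elif colon and not (re.fullmatch(r"[0-9]{1,5}", port) and int(port) <= 65535):
            problems.append(f"invalid port {port!r} for host {name!r}")
        else:
            result["hosts"].append((name, int(port) if colon else DEFAULT_PORT))
    result["database"], _, query = tail.partition("?")
    # Assumption: '/' and '?' inside option values are percent-encoded, so a raw one
    # here means a second "/?options" block was attached to an individual host.
    if "/" in query or "?" in query:
        problems.append("options attached to individual hosts: list every host first, "
                        "then one /database?options part")
        return result
    for pair in filter(None, query.split("&")):
        key, eq, value = pair.partition("=")
        if not (key and eq and value):
            problems.append(f"malformed option {pair!r}")
        else:
            result["options"][key] = value
    return result

if __name__ == "__main__":
    for sample in (BROKEN, FIXED):
        print(lint_mongodb_uri(sample))
```

The returned dictionary never contains the user name or password, so its output can be pasted into a support request as-is.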

Hi @schurd

you should check the default server.conf:

for that setting

Hello Jan, hello Pierre,

thanks a lot, now it works.
In addition, I had to add a MongoDB user with db.user() with the roles dbAdmin and readWrite.

Regards,

Dietmar Schurr

Hello,

now I ran into the next problem.
Obviously the access rights of the MongoDB user graylog are not sufficient.
In the mongodb log file I get:

    2017-11-06T14:50:16.515+0100 I REPL [ReplicationExecutor] Error in heartbeat request to node1:27017; Unauthorized: not authorized on admin to execute command { replSetHeartbeat: "rs_graylog", configVersion: 3, from: "node2:27017", fromId: 1, term: 3 }

And if I try rs.status with the mongo client I get:

    node1:~ # mongo -u graylog -p passwort graylog
    MongoDB shell version v3.4.9
    connecting to: mongodb://127.0.0.1:27017/graylog
    MongoDB server version: 3.4.9
    rs_graylog:OTHER> rs.status()
    {
    	"ok" : 0,
    	"errmsg" : "not authorized on admin to execute command { replSetGetStatus: 1.0 }",
    	"code" : 13,
    	"codeName" : "Unauthorized"
    }
    rs_graylog:OTHER> exit

There is an admin db and a graylog db. Does the graylog user need access to the admin db?
What access rights should be granted?

Thanks in advance!

Dietmar Schurr

Hi @schurd

as written here the user needs the roles readWrite and dbAdmin to work.

with kind regards
Jan

Hello,

hmm, but that’s what I did:

    rs_graylog:PRIMARY> db.createUser( {
    ... user: "graylog", pwd: "pwd",
    ... roles: [ { role: "readWrite", db: "graylog" }, { role: "dbAdmin", db: "graylog" } ] } )
    Successfully added user: {
    	"user" : "graylog",
    	"roles" : [
    		{
    			"role" : "readWrite",
    			"db" : "graylog"
    		},
    		{
    			"role" : "dbAdmin",
    			"db" : "graylog"
    		}
    	]
    }
    rs_graylog:PRIMARY>

And still, I get authentication errors. That’s why I asked for which databases those access rights should be granted.

I will try to set more access rights.

Thanks in advance.

Dietmar Schurr

That’s because you only granted these permissions on the database named “graylog”, but not on “admin”.

not authorized on admin to execute command

Also see:

If you want to configure and read the MongoDB replica set with the user “graylog”, you need to grant sufficient permissions to it. Otherwise just use a dedicated admin user for MongoDB.

Hello Jochen,

now it works!!
I created the user graylog once more for the admin DB with this command:

    rs_graylog:PRIMARY> db.createUser( {
    ... user: "graylog", pwd: "pwd",
    ... roles: [ { role: "readWrite", db: "admin" }, { role: "dbAdmin", db: "admin" } ] } )
    Successfully added user: {
    	"user" : "graylog",
    	"roles" : [
    		{
    			"role" : "readWrite",
    			"db" : "admin"
    		},
    		{
    			"role" : "dbAdmin",
    			"db" : "admin"
    		}
    	]
    }
    rs_graylog:PRIMARY>

Then I still had problems, but the MongoDB logs gave me errors without Graylog being started!!
Aha, obviously the MongoDB nodes had problems authenticating themselves inside the cluster.

This way I realized that I should create a KeyFile on the MongoDB nodes to enable authentication within the MongoDB cluster nodes. With the documentation from the MongoDB website this was quickly done.
Now, the MongoDB cluster worked without errors :)
Then I enabled TLS/SSL with self-signed certificates (as described in the MongoDB docs).

After this Graylog was fine and running, no more authentication problems.

Maybe you could add in your documentation under “MongoDB replica set” a word about the KeyFile for MongoDB!

Thanks a lot for your help.

Regards,

Dietmar Schurr
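The keyfile mentioned in the last post can be sanity-checked on each replica set member before mongod is restarted. This is an added example, not part of the original thread and not code from MongoDB or Graylog; it applies MongoDB's documented keyfile rules (6 to 1024 characters from the base64 set, no group or other permissions on UNIX), and the function name and the fingerprint are illustrative.

```python
import hashlib
import os
import stat
import string
import sys

BASE64_CHARS = set(string.ascii_letters + string.digits + "+/=")

def check_keyfile(path):
    """Check a replica-set keyfile against mongod's documented requirements.

    Returns (problems, fingerprint); the fingerprint lets you confirm that every
    member holds the same key without printing the key itself.
    """
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # On UNIX the keyfile must not be accessible to group or others.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} allows group/other access, use chmod 400")
    with open(path, encoding="ascii", errors="replace") as fh:
        key = "".join(fh.read().split())  # mongod strips whitespace from the key
    if not 6 <= len(key) <= 1024:
        problems.append(f"key length {len(key)} is outside 6..1024 characters")
    if set(key) - BASE64_CHARS:
        problems.append("key contains characters outside the base64 set")
    fingerprint = hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]
    return problems, fingerprint

if __name__ == "__main__":
    # Usage: python3 check_keyfile.py /path/to/keyfile   (the path is site-specific)
    found, fp = check_keyfile(sys.argv[1])
    print("fingerprint:", fp)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

A differing fingerprint on one member points to a mismatched keyfile, which produces the same kind of internal "Unauthorized" heartbeat errors shown earlier in the thread.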
