Set up MongoDB Authentication for Graylog

I’ve been running MongoDB without authentication for some time, until recently, it had failed a Lynis security audit.

Thanks to Michael Boelen, a new test to detect MongoDB has been added to Lynis 2.4.2. This helped to track the problem down.

[+] Databases
------------------------------------
- MongoDB status                  [ FOUND ]
- Checking MongoDB authorization  [ DISABLED ]

Despite the fact that MongoDB was listening on a local interface only and had no public access, the issue had to be dealt with.

Software

Software used in this article:

  1. CentOS 7.3
  2. MongoDB 3.2
  3. Graylog 2.1

Enable MongoDB Authentication

Stop the services:

# systemctl stop graylog-server elasticsearch mongod

Start MongoDB without access control:

# mongod --port 27017 --dbpath /var/lib/mongo/

Connect to the instance:

# mongo --port 27017

List databases:

show databases;
graylog   0.078GB
local     0.000GB

Create the admin user. Make sure the role is set to “root”. I tried using “userAdminAnyDatabase”, and I had problems. The choice is yours.

use graylog;
db.createUser(
  {
    user: "mongo_admin",
    pwd: "passwd",
    roles: [ { role: "root", db: "admin" } ]
  }
)
exit

Having disconnect the mongo shell, restore folder permissions:

# chown -R mongod:mongod /var/lib/mongo/

Open the file /etc/mongod.conf for editing and add the following:

security:
  authorization: enabled

Start the MongoDB:

# systemctl start mongod

Connect and authenticate as the user mongo_admin:

# mongo --port 27017 -u "mongo_admin" -p  --authenticationDatabase "graylog"

Configure Graylog to Autheticate Agains MongoDB

Open the file /etc/graylog/server/server.conf for editing and add the following:

mongodb_uri = mongodb://mongo_admin:passwd@localhost:27017/graylog

Start Elasticsearch and Graylog:

# systemctl start elasticsearch graylog-server

Check Graylog logs for any issues.

References

https://docs.mongodb.com/v3.2/tutorial/enable-authentication/

6 thoughts on “Set up MongoDB Authentication for Graylog

  1. Hi, I’ve used the role “readWrite” to a graylog user at “graylog” DB and worked. But before I’ve created an admin user with role “userAdminAnyDatabase” as mongo documentations suggest.

    Nice step-by-step..

  2. Hey,

    Thanks for the great write up, this is exactly what I need to get my environment secured after a Nessus scan revealed mongodb was open.

    I’m attempting to perform these steps on the VM appliance provided by graylog, but the mongod.conf doesn’t seem to exist in this setup. Do you have any idea how I can get authorisation enabled, or confirm that it already is, in the OVA? I tried skipping that step but mongodb failed to start thereafter.

    Thanks!

    • Found the solution to use in my case. If you are using the OVA appliance, it’s possible to set the mongodb password using the graylog-ctl command.

      Thanks again!

Leave a Reply

Your email address will not be published. Required fields are marked *