How to find source (IP, user) of ACCESS error?

Running MongoDB 4.4 in Docker and see a lot of error messages in the container log:

  "t": {
    "$date": "2023-11-14T10:37:00.004+00:00"
  "s": "I",
  "c": "ACCESS",
  "id": 20436,
  "ctx": "conn4874",
  "msg": "Checking authorization failed",
  "attr": {
    "error": {
      "code": 13,
      "codeName": "Unauthorized",
      "errmsg": "not authorized on MY-COLLECTION to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID(\"d799e465-60bd-4b07-8ba3-e9de\") }, $clusterTime: { clusterTime: Timestamp(1699958216, 6), signature: { hash: BinData(0, 3FB349434A0D6F63823A93F2CB0EC40B), keyId: 72467369909 } }, $db: \"MY-COLLECTION\", $readPreference: { mode: \"primary\" } }"

How can I find the IP and the user who is responsible for this?

Search on the ctx conn4874 this should track back to another ACCESS log which will contain the Authentication details such as the user.

If it is a persistent connection something like:
db.currentOp({desc:"conn4874","$all":true}) will return the connection details including the effectiveUsers field.

1 Like