How to find source (IP, user) of ACCESS error?

blue_puma · November 14, 2023, 10:41am

Running MongoDB 4.4 in Docker and see a lot of error messages in the container log:

2023-11-14T10:37:00.004148596Z 
{
  "t": {
    "$date": "2023-11-14T10:37:00.004+00:00"
  },
  "s": "I",
  "c": "ACCESS",
  "id": 20436,
  "ctx": "conn4874",
  "msg": "Checking authorization failed",
  "attr": {
    "error": {
      "code": 13,
      "codeName": "Unauthorized",
      "errmsg": "not authorized on MY-COLLECTION to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID(\"d799e465-60bd-4b07-8ba3-e9de\") }, $clusterTime: { clusterTime: Timestamp(1699958216, 6), signature: { hash: BinData(0, 3FB349434A0D6F63823A93F2CB0EC40B), keyId: 72467369909 } }, $db: \"MY-COLLECTION\", $readPreference: { mode: \"primary\" } }"
    }
  }
}

How can I find the IP and the user who is responsible for this?

chris · November 14, 2023, 3:37pm

Search on the ctx conn4874 this should track back to another ACCESS log which will contain the Authentication details such as the user.

If it is a persistent connection something like:
db.currentOp({desc:"conn4874","$all":true}) will return the connection details including the effectiveUsers field.