How to show the count of all NetWitness mongodb documents in all collections?

Issue

An administrator would like to understand how large the MongoDB databases are and how much space they consume on the Admin-Server, ESA, or Endpoint-Server. 

Resolution

1. Login to NetWitness appliance that is running the mongod service.
2. Confirm that the mongod service is running.
   systemctl status mongod
   
   For example:
   [root@NW ~]# systemctl status mongod
   ● mongod.service - MongoDB Database Server
   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
   Drop-In: /etc/systemd/system/mongod.service.d
   └─mongod-start-managed.conf
   Active: active (running) since Mon 2021-06-07 03:32:30 UTC; 1 weeks 6 days ago
   Docs: https://docs.mongodb.org/manual
   Process: 1876 ExecStart=/usr/bin/numactl --interleave=all /usr/bin/mongod $OPTIONS run (code=exited, status=0/SUCCESS)
   Process: 1873 ExecStartPre=/usr/bin/chmod 0755 /var/run/mongodb (code=exited, status=0/SUCCESS)
   Process: 1868 ExecStartPre=/usr/bin/chown mongod:mongod /var/run/mongodb (code=exited, status=0/SUCCESS)
   Process: 1861 ExecStartPre=/usr/bin/mkdir -p /var/run/mongodb (code=exited, status=0/SUCCESS)
   Main PID: 3192 (mongod)
   CGroup: /system.slice/mongod.service
   └─3192 /usr/bin/mongod -f /etc/mongod.conf run
   
   Jun 07 03:32:19 NW5ESAPRIM systemd[1]: Starting MongoDB Database Server...
   Jun 07 03:32:27 NW5ESAPRIM numactl[1876]: about to fork child process, waiting until server is ready for connections.
   Jun 07 03:32:27 NW5ESAPRIM numactl[1876]: forked process: 3192
   Jun 07 03:32:30 NW5ESAPRIM numactl[1876]: child process started successfully, parent exiting
   Jun 07 03:32:30 NW5ESAPRIM systemd[1]: Started MongoDB Database Server.
3. Run the following mongo query to show a count of the documents for each collection in all database.
   Can copy all of the below lines down to and including the final EOF line and paste into a bash command line, then press enter.
   
   
   mongo admin -u deploy_admin -p netwitness --quiet <<EOF

show dbs

db = db.getSiblingDB('admin');
var dbs = db.adminCommand('listDatabases');

dbs.databases.forEach(function(database){
print("Database: " + database.name);
print("-----");
if (database.name == "config") { print("Skipped"); }
else {
db = db.getSiblingDB(database.name);
db.getCollectionNames().forEach(function(collection) {
print("Collection '" + collection + "' documents: " + db[collection].count());
});
};
print("");
});

exit
EOF
   
   
   1. For this portion: mongo admin -u deploy_admin -p netwitness --quiet < Substitute  netwitness with the correct deploy_admin password.

The output shows :

• The disk space size of all databases in the mongodb, 
• The "show dbs" output
• For each database, there is a count of the documents in each collection.

This information can be useful to determine the databases using the most disk space and the collections with the most entries.

Note: The config database is skipped as it is for internal use by the mongod service and this command has insufficient permission to access.

Product Details

Product Set:  NetWitness Logs & Network
Product/Service Type: Mongodb, Admin-Server, ESA, Endpoint-Server
RSA Version/Condition: 11.x, 12.x
Platform: CentOS, AlmaLinux

Summary

Which NetWitness mongodb database has the most documents?

Approval Reviewer Queue

Technical approval queue