mongostat

macOS Sierra and Go 1.6 Incompatibility

Users running on macOS Sierra require the 3.2.10 or newer version of mongostat.

Synopsis

The mongostat utility provides a quick overview of the status of a currently running mongod or mongos instance. mongostat is functionally similar to the UNIX/Linux file system utility vmstat, but provides data regarding mongod and mongos instances.

Run mongostat from the system command line, not the mongo shell.

Required Access

In order to connect to a mongod that enforces authorization with the --auth option, specify the --username and --password options, and the connecting user must have the serverStatus privilege action on the cluster resources.

The built-in role clusterMonitor provides this privilege as well as other privileges. To create a role with just the privilege to run mongostat, see Create a Role to Run mongostat.

Options

mongostat
--help

Returns information on the options and use of mongostat.

--verbose , -v

Increases the amount of internal reporting returned on standard output or in log files. Increase the verbosity with the -v form by including the option multiple times, (e.g. -vvvvv.)

--version

Returns the mongostat release number.

--uri <connectionString>

New in version 3.4.6.

Specify a resolvable URI connection string to connect to the MongoDB deployment.

--uri "mongodb://[username:[email protected]]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"

For more information on the components of the connection string, see the Connection String URI Format documentation.

Important

The following command-line options cannot be used in conjunction with --uri option:

Instead, specify these options as part of your --uri connection string.

--host <hostname><:port> , -h <hostname><:port>

Default: localhost:27017

Specifies a resolvable hostname for the mongod to which to connect. By default, the mongostat attempts to connect to a MongoDB instance running on the localhost on port number 27017.

To connect to a replica set, you can specify the set member or members to report on, as in the following (see also the --discover flag):

--host <hostname1><:port>,<hostname2><:port>,<...>

Changed in version 3.0.0: If you use IPv6 and use the <address>:<port> format, you must enclose the portion of an address and port combination in brackets (e.g. [<address>]).

Note

You cannot specify both --host and --uri.

--port <port>

Default: 27017

Specifies the TCP port on which the MongoDB instance listens for client connections.

Note

You cannot specify both --port and --uri.

--ipv6

Removed in version 3.0.

Enables IPv6 support and allows mongostat to connect to the MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you had to specify --ipv6 to use IPv6. In MongoDB 3.0 and later, IPv6 is always enabled.

--ssl

New in version 2.6.

Enables connection to a mongod or mongos that has TLS/SSL support enabled.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslCAFile <filename>

New in version 2.6.

Specifies the .pem file that contains the root certificate chain from the Certificate Authority. Specify the file name of the .pem file using relative or absolute paths.

Starting in version 3.4, if --sslCAFile or ssl.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to an TLS/SSL-enabled server.

If using x.509 authentication, --sslCAFile or ssl.CAFile must be specified.

Warning

Version 3.2 and earlier: For TLS/SSL connections (--ssl) to mongod and mongos, if the mongostat runs without the --sslCAFile, mongostat will not attempt to validate the server certificates. This creates a vulnerability to expired mongod and mongos certificates as well as to foreign processes posing as valid mongod or mongos instances. Ensure that you always specify the CA file to validate the server certificates in cases where intrusion is a possibility.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslPEMKeyFile <filename>

New in version 2.6.

Specifies the .pem file that contains both the TLS/SSL certificate and key. Specify the file name of the .pem file using relative or absolute paths.

This option is required when using the --ssl option to connect to a mongod or mongos that has CAFile enabled without allowConnectionsWithoutCertificates.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslPEMKeyPassword <value>

New in version 2.6.

Specifies the password to de-crypt the certificate-key file (i.e. --sslPEMKeyFile). Use the --sslPEMKeyPassword option only if the certificate-key file is encrypted. In all cases, the mongostat will redact the password from all logging and reporting output.

If the private key in the PEM file is encrypted and you do not specify the --sslPEMKeyPassword option, the mongostat will prompt for a passphrase. See TLS/SSL Certificate Passphrase.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslCRLFile <filename>

New in version 2.6.

Specifies the .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslAllowInvalidCertificates

New in version 2.6.

Bypasses the validation checks for server certificates and allows the use of invalid certificates. When using the allowInvalidCertificates setting, MongoDB logs as a warning the use of the invalid certificate.

Starting in MongoDB 3.6.6, if you specify --sslAllowInvalidCertificates or ssl.allowInvalidCertificates: true when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS/SSL connection but is insufficient for authentication.

Warning

For TLS/SSL connections to mongod and mongos, avoid using --sslAllowInvalidCertificates if possible and only use --sslAllowInvalidCertificates on systems where intrusion is not possible.

If the mongo shell (and other MongoDB Tools) runs with the --sslAllowInvalidCertificates option, the mongo shell (and other MongoDB Tools) will not attempt to validate the server certificates. This creates a vulnerability to expired mongod and mongos certificates as well as to foreign processes posing as valid mongod or mongos instances.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslAllowInvalidHostnames

New in version 3.0.

Disables the validation of the hostnames in TLS/SSL certificates. Allows mongostat to connect to MongoDB instances even if the hostname in their certificates do not match the specified hostname.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .