Using Dashboards

Security Requirements and Controls

When using an existing dashboard within your LogScale instance, you can choose to navigate around the dashboard view, change, share and alter the dashboard, and configure the dashboard access.

Main Operations

The following operations can be performed with each dashboard:

  • Wall Monitors & Shared URLs — allows to share read-only dashboards. See Sharing Dashboards section below for more details.

  • Duplicate — creates an identical dashboard. You are prompted to provide:

    • Dashboard Name is the name you assign to the copied dashboard.

    • Target Repository or View is the repository or view where you want to store your copied dashboard.

  • Rename — allows you to change the name of the existing dashboard.

  • Export as template — allows you to create a template from the current dashboard, which you may reuse for new empty dashboards, as explained in Creating a New Dashboard.

  • Delete — deletes the dashboard and all associated widgets. Removal of a dashboard cannot be undone. To create a backup of the dashboard, consider using the Export as template option to keep a copy of the dashboard and its configuration.

You can access the menu by selecting a dashboard and clicking the three-dot menu on the upper right corner:

Dashboard Options

Figure 94. Dashboard Options


The same menu options are also available:

  • From the All Dashboards tab in the main UI page, by clicking the cog icon under each repository name.

  • From within a given repository, by clicking the three-dot menu next to each dashboard, as seen in Figure 90, “Dashboards Tab”.

Sharing Dashboards

Dashboards can be shared using a unique URL. Dashboards shared in this way are read only and can be used to share the dashboard with others, or when using the dashboard as part of a wall monitor. A shared dashboard does not need to authenticate and does not rely on sessions as users do, so sharing should be done with care as everyone with the link will be able to see the dashboard (if an IP filter is set, users need to be within the IP range).

To share dashboards in this way:

  1. Access the dropdown menu in the Query Editor.

  2. A dialog box will open — enter a name in the Link Name field.

  3. Queries run by the dashboard can either be executed on behalf of the organization or on behalf of the user who created the shared dashboard. For more information, see Organization Owned Queries.

  4. If the Dashboard Security Policies has not enforced an organization-wide IP filter, an optional IP filter can be selected. If the security policy enforces an IP filter, you will see the IP filter next to the Active dashboard URL. See IP Filters.

Disabling Access to Shared Dashboards

Because shared dashboards are accessible to anyone who has a link to them, there is a risk of unwanted information disclosure; therefore, in some cases you might want to prevent certain users from accessing these dashboards. You can do this in two ways:

  • Set the variable SHARED_DASHBOARDS_ENABLED configured to false to keep dashboards sharing disabled across the entire cluster. This configuration disables the + Create new link button.

  • Disable dashboard sharing via the UI — see Dashboard Security Policies for details.

When trying to access a shared dashboard that has been disabled afterward, two possible cases apply:

  • Users opened a shared dashboard before it became unavailable, meaning the dashboard is running — they are presented with an error and the dashboard changes status to reflect this. Furthermore, if access to that dashboard is re-enabled, it will come back for these users, without any manual intervention needed.

  • Users attempt to open a link to a shared dashboard after it became unavailable — they do not get any error message and it will look like it isn't a real dashboard. If the dashboard is re-enabled, these users will need to manually refresh the page to see the dashboard.

Restricting Access with IP Filters

Once you have created read-only dashboards with the option Wall Monitors & Shared URLs, you can restrict their access to certain IP addresses only.

One way to do it is setting the IP filters with the GraphQL interface.

  1. From the User Interface, click on the circled question mark near the top right and select API Explorer:

    API Explorer Selected

    Figure 95. API Explorer Selected


  2. In the panel that pops up, enter a mutation like so:

    graphql
    mutation {
  updateReadonlyDashboardIPFilter(ipFilter: "allow 5.94.131.141; deny all")
}

    In this example, only one IP address is allowed access and all others are denied access to any read-only dashboards.

  3. Click the right arrow-head button to execute it. The results will appear in the panel to the right:

IP Filtering Read-Only Dashboards

Figure 96. IP Filtering Read-Only Dashboards


To change an IP filter, execute the mutation again with the corrected or added values. This will replace the previous IP filters. Or, you can add multiple IP filters by separating them with a semi-colon.

Alternatively, you can set IP filters for read-only dashboards from the User Interface instead of having to use the GraphQL:

Setting IP Filters through User Interface

Figure 97. Setting IP Filters through User Interface