Configure a Dashboard

Part of our LogScale with Your Data series:

This is the last page!

A dashboard is a collection of saved searches: queries saved as widgets so that you can check your servers for events of interest without retyping them. Each widget displays its results as a graph or table, which is much easier to scan or monitor than raw search output. This is the last page of a four-part tutorial: go to the first page if you haven't yet read the previous pages.

On the previous page, you created two widgets from the search queries you entered, which are in the dashboard you created. You should be viewing that dashboard in LogScale Cloud now. Let's see what you can do in a dashboard.

Let's reposition and resize the widgets. Click on the Edit button at the top right. Then drag the two widgets into different positions. Resize them with your mouse. It's a little delicate to get your mouse in the right position to widen a widget, but don't get discouraged.

In the right margin, you'll see that you can change the name and the description of the dashboard. Each widget also has an Edit button. If you click on one, the right margin shows the properties for that widget, so you can change its title and description. For the Time Chart widget, you can also change how the graph is displayed.

If you want to change a query behind a widget, after clicking the main Edit button, you'll see a few more buttons appear to the left of it. Click on Show Queries to reveal the queries for each widget. You can modify them here, if you want. Or you can copy one of the queries and return to the Search page to test any changes before changing a widget.

The two widgets we have so far are generated by queries that involve data from the vector log shipper. Let's add a widget that uses the data rsyslog is sending to LogScale. Before doing this, let's generate some security events we might want to monitor. Open a terminal window on your computer and try to log in to your server with a user name that doesn't exist on it. Enter something like the first line below, but with your own domain name or IP address:

```
ssh bob@example.com
bob@example.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```

Figure 439. Invalid User


The second line is the server's reply. It refuses the attempt without even prompting for a password, because this server accepts only the authentication methods listed in parentheses (public key and GSSAPI); the failed attempt is still recorded by sshd, and rsyslog forwards that log entry to LogScale. Try to log in with at least two other fake user names, so we'll have a few entries in the LogScale repository.

When you've done that, go back to LogScale Cloud in your web browser and click on Search. Then enter bob, or whatever fake user name you entered, in the search field to find the entry for that failed attempt to log in. Click on the entry it shows to see more information at the bottom, similar to the screenshot in Figure 7.

Near the top of the list of field names and their values, notice the field just after the repository name. It shows the type with a value of syslog. That's coming from rsyslog on your server.

Much further down the list of fields there's a message field with a value that says, Invalid user bob... — or something similar. Let's use that text to search for all attempts to log in with an invalid user, just the Invalid user part without the user name.

The query below is more complicated than the earlier ones. It uses a regular expression to parse the full message text: if you compare it to the results you got when searching only on the user name, you'll see that it extracts the user name, the source IP address and the source port from the message and puts each into its own field. Don't get too caught up trying to decipher the regex for now; copy and paste the query into your search field and run it:

```logscale
/Invalid user (?<user>\w+) from (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?<src_port>\d+)/
| table([src_ip, src_port, user])
```

The results should show a table listing every time you tried to log in with a fake name. On a production server, many attempts from the same source IP address are a sign of a brute-force or user-name guessing scan, and you might want to block that address at your firewall. If instead you recognize the name as similar to that of an actual user (e.g., Bob's user name is actually rob), you might want to talk to that user to solve the problem.
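To see what the regex in that query actually does, here is the same extraction and the two checks just described (repeated attempts from one source, and invalid names that look like a real user's) run over a few sshd-style log lines in Python. This is an added example, not code from the page or from LogScale; the log lines are constructed, the real user names are assumed, and the only change to the pattern is Python's `(?P<name>...)` group syntax.

```python
import re
from collections import Counter

# Same pattern as the dashboard query, using Python's (?P<name>...) named groups.
INVALID_USER_RE = re.compile(
    r"Invalid user (?P<user>\w+) from "
    r"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P<src_port>\d+)"
)

# Constructed sample lines in the shape sshd writes to the auth log (not real traffic).
# The "Accepted publickey" line is there to show that non-matching lines are ignored.
SAMPLE_LOG = """\
Mar  3 10:01:12 web1 sshd[2101]: Invalid user bob from 198.51.100.23 port 51234
Mar  3 10:01:40 web1 sshd[2105]: Invalid user alice from 198.51.100.23 port 51240
Mar  3 10:02:03 web1 sshd[2109]: Invalid user admin from 203.0.113.9 port 40022
Mar  3 10:02:05 web1 sshd[2112]: Accepted publickey for rob from 192.0.2.77 port 33001 ssh2
Mar  3 10:02:19 web1 sshd[2115]: Invalid user test from 198.51.100.23 port 51251
Mar  3 10:02:31 web1 sshd[2118]: Invalid user oracle from 198.51.100.23 port 51260
Mar  3 10:03:02 web1 sshd[2120]: Invalid user deploi from 192.0.2.77 port 33010
"""

# Assumed set of accounts that really exist on the server.
REAL_USERS = {"rob", "deploy"}


def parse_invalid_users(text):
    """One dict per 'Invalid user' line with user, src_ip and src_port,
    i.e. the rows that table([src_ip, src_port, user]) shows in LogScale."""
    rows = []
    for line in text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            rows.append(m.groupdict())
    return rows


def attempts_per_source(rows):
    """How many invalid-user attempts each source IP made."""
    return Counter(r["src_ip"] for r in rows)


def noisy_sources(rows, threshold=3):
    """Source IPs with at least `threshold` attempts: candidates for blocking."""
    return sorted(ip for ip, n in attempts_per_source(rows).items() if n >= threshold)


def edit_distance(a, b):
    """Levenshtein distance, used to spot typos of real user names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_misses(rows, real_users, max_distance=1):
    """(invalid_name, real_name) pairs within `max_distance` edits of each other:
    probably a legitimate user mistyping their name rather than an attacker."""
    pairs = set()
    for r in rows:
        for real in real_users:
            if r["user"] != real and edit_distance(r["user"], real) <= max_distance:
                pairs.add((r["user"], real))
    return sorted(pairs)


if __name__ == "__main__":
    rows = parse_invalid_users(SAMPLE_LOG)
    for r in rows:
        print(f'{r["src_ip"]:>15} {r["src_port"]:>6} {r["user"]}')
    print("noisy sources:", noisy_sources(rows))
    print("near misses:", near_misses(rows, REAL_USERS))
```

In the sample, 198.51.100.23 tries four different names in two minutes and is reported as a noisy source, while `bob` and `deploi` are flagged as one-character variants of `rob` and `deploy`: the two different follow-ups the paragraph above describes.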

Let's save this query to a widget to put in the dashboard. Click on the Save As button and choose Dashboard Widget. Give it a title like, Invalid User Login Attempts and maybe a description. Then save it and go to the dashboard to see how it looks. From the dashboard, click the Edit button again and move all of the widgets around and resize them to accommodate the new widget.

Figure 440. Dashboard


While still in Edit mode, click on the Add Note button. This creates a simple widget in which you can add text describing the dashboard or other information related to the other widgets. It could be a note for yourself, or it could instruct other admins as to what to do when they see something abnormal in the widgets. The note widget accepts basic Markdown formatting, and you can include links to other web pages. With all of this in mind, write something in that note widget and save it. After that, you may want to rearrange and resize the widgets again.

While you're playing with the dashboard, notice there's a button at the top that probably reads, Last 24H (Live). This means that the data for all of the widgets is for entries in the repository for the past twenty-four hours. The Live part means that the results in the widgets will change as events happen. Test that by either attempting again to open a web page that doesn't exist on your server, or logging in with another invalid user name. You should see the results change in at least one of the widgets.

Try also changing the time frame from the past twenty-four hours to the past thirty days, live. This will give you more interesting results in your widgets. Your dashboard will look something like the screenshot in Figure 8.

Conclusion

In this tutorial you learned how to create a repository and prepare it for data, and how to set up log shippers on your server to send log entries and metrics to LogScale. You also learned a little more about searching a repository and how to save those search queries as widgets. You learned how to make a time chart widget, a table widget and a note widget, and the basics of arranging and modifying a dashboard of widgets.

You now know how to get started with LogScale, and have a good sense of what you can do with it. Of course, there are many more logging activities and server metrics you can monitor, and many more things you can do with LogScale. For example, we didn't talk about creating alerts, which send you a notification by email or some other method when a threshold is exceeded or a particular event occurs. We also didn't go into the various parsers available. There's so much more.

Before investigating all of the possibilities, to solidify what you learned, we recommend you read through the Foundational Concepts of this Training section. And we recommend you experiment plenty more with your trial repository. Related to that, when you're ready, contact us to make it a permanent LogScale Cloud account. We can also help you to make it part of your production system.
