linux/system-logs Dashboards

Linux - Auditd

The Linux Auditd dashboard provides comprehensive system audit analysis through event-focused visualizations. This dashboard enables monitoring of system event patterns, tracking of user activities, and analysis of executed commands across the Linux environment.
Linux - General

The Linux General dashboard presents system-wide operational metrics through integrated monitoring visualizations. This dashboard enables tracking of system events, monitoring of host activities, and assessment of user modifications across Linux systems.
Linux - SSH

The Linux SSH dashboard provides detailed SSH security monitoring through access-focused visualizations. This dashboard enables detection of suspicious login activities, tracking of failed authentication attempts, and analysis of SSH events across hosts.
Linux - Sudo

The Linux Sudo dashboard presents privileged command execution analysis through detailed activity visualizations. This dashboard enables monitoring of sudo command usage, tracking of privileged sessions, and assessment of administrative activities across Linux systems.

Linux - Auditd

The Linux Auditd dashboard provides comprehensive system audit analysis through event-focused visualizations. This dashboard enables monitoring of system event patterns, tracking of user activities, and analysis of executed commands across the Linux environment.

Widget	Description	Type
Event Results	Displays a chart of audited event results. Hide Query Show Query logscale `log_source = "audit" \| timeChart(audit.msg.res)`	`Time Chart`
Top 5 Users (Events)	Displays a table of the top 5 system users and events using audited event data. Hide Query Show Query logscale `log_source = "audit" \| top(["audit.msg.acct"], limit=5, as=Events) \| rename("audit.msg.acct",as="Users")`	`Table`
Event Types Descriptions	Displays a table of event type descriptions using audit data. Hide Query Show Query logscale `log_source = "audit" \| match(file="linux/system-logs/message-dictionary.csv", field=audit_type, column="MACRO NAME", include=[DESCRIPTION]) \| groupBy(["audit_type",DESCRIPTION]) \| rename("audit_type",as="Event Types") \| sort("Event Types") \| drop(["_count"])`	`Table`
Top 10 Exec Commands	Displays a list of the top ten audited executive commands. Hide Query Show Query logscale `log_source = "audit" \| top(["audit.msg.exe"], as=Count, limit=10) \| rename("audit.msg.exe",as="Command")`	`Table`
Event Types Breakdown	Provides a pie chart of event types using audit data. Hide Query Show Query logscale `log_source = "audit" \| top(["audit_type"])`	`Pie Chart`
Number of Events (by host)	Displays a chart of the number of events by host and limits results to the first 10 entries. Hide Query Show Query logscale `log_source = "audit" \| timeChart(series=@collect.host, limit=10)`	`Time Chart`

Linux - General

The Linux General dashboard presents system-wide operational metrics through integrated monitoring visualizations. This dashboard enables tracking of system events, monitoring of host activities, and assessment of user modifications across Linux systems.

Widget	Description	Type
Number of Linux Hosts	Displays the total number of Linux hosts. Hide Query Show Query logscale `count(@collect.host, distinct=True)`	`Gauge`
Number of System Events	Displays the number of system events. Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| count()`	`Gauge`
Number of Auditd Events	Displays the number of audited events for a given user. Hide Query Show Query logscale `log_source = "audit" \| count()`	`Gauge`
Number of User Modifications	Displays the number of user modifications from audit data. Hide Query Show Query logscale `audit_type = "USER_MGMT" \| count()`	`Gauge`
Latest User Modifications	Displays a table of a user's latest modifications using audit data. Hide Query Show Query logscale `audit_type = "USER_MGMT" \| rename("audit.msg.exe",as="Usermod Command") \| table(["@timestamp", "@collect.host", "Usermod Command", "audit.msg.res"])`	`Table`
Events by Host	Displays a chart of events by host. Hide Query Show Query logscale `timeChart(series=@collect.host)`	`Time Chart`

Linux - SSH

The Linux SSH dashboard provides detailed SSH security monitoring through access-focused visualizations. This dashboard enables detection of suspicious login activities, tracking of failed authentication attempts, and analysis of SSH events across hosts.

Widget	Description	Type
[ssh] Suspicious Activity	Displays a table of suspicious SSH login activity like unknown or invalid users. Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| msg = /user unknown/i OR msg = /invalid user/i \| table(["@timestamp", "@collect.host", "pid", "msg"])`	`Table`
[ssh] Failed Source IPs	Displays a list of failed SSH source IPs that have failed by user and limits results to the first 10 entries. Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| /Failed password for (?<user>.) from (?<ip>.) port/ \| groupBy("ip", limit=10)`	`Bar Chart`
[ssh] Events by Host	Displays a chart of the top 10 SSH events by host. Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| timeChart(series=@collect.host, limit=10)`	`Time Chart`
[ssh] Failed Login Attempts	Displays a list of failed SSH login attempts. Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| msg = /Failed password/ \| count()`	`Gauge`

Linux - Sudo

The Linux Sudo dashboard presents privileged command execution analysis through detailed activity visualizations. This dashboard enables monitoring of sudo command usage, tracking of privileged sessions, and assessment of administrative activities across Linux systems.

Widget	Description	Type
[sudo] Top Commands	Displays a chart of the top Sudo commands used. Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| kvParse(msg) \| "TTY=" \| top(["COMMAND"])`	`Pie Chart`
[sudo] Latest Events	Displays a table of the latest sudo events and associated data (timestamp, host, PID, etc.) Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| kvParse(msg) \| "TTY=" \| select(["@timestamp", "@collect.host", "pid", "TTY", "PWD", "USER", "COMMAND"])`	`Table`
[sudo] Number of Events	Displays the number of sudo events Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| count()`	`Gauge`
[sudo] Opened Sessions	This describes recent instances of sudo being executed. Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| msg = /session (?<status>.) for user (?<become_user>.) (by (?<user>.*))/ \| status = "opened" \| table(["@timestamp", "@collect.host", "user", "become_user", "msg"], limit=100)`	`Table`
[sudo] Events by Host	Displays a chart of sudo events by host over time. Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| msg = /session (?<status>.) for user (?<become_user>.) (by (?<user>.))/ \| status = \| timeChart("@collect.host")`	`Time Chart`

Versions of this Page

Package Marketplace

Package Reference

Dashboard Reference

Package Management

Other Integrations

Log Formats

linux/system-logs Dashboards

Linux - Auditd

Linux - General

Linux - SSH

Linux - Sudo

Enter search term