linux/system-logs Dashboards

Widget	Description	Type
Event Results	Displays a chart of audited event results. Hide Query Show Query logscale `log_source = "audit" \| timeChart(audit.msg.res)`	`Time Chart`
Top 5 Users (Events)	Displays a table of the top 5 system users and events using audited event data. Hide Query Show Query logscale `log_source = "audit" \| top(["audit.msg.acct"], limit=5, as=Events) \| rename("audit.msg.acct",as="Users")`	`Table`
Event Types Descriptions	Displays a table of event type descriptions using audit data. Hide Query Show Query logscale `log_source = "audit" \| match(file="linux/system-logs/message-dictionary.csv", field=audit_type, column="MACRO NAME", include=[DESCRIPTION]) \| groupBy(["audit_type",DESCRIPTION]) \| rename("audit_type",as="Event Types") \| sort("Event Types") \| drop(["_count"])`	`Table`
Top 10 Exec Commands	Displays a list of the top ten audited executive commands. Hide Query Show Query logscale `log_source = "audit" \| top(["audit.msg.exe"], as=Count, limit=10) \| rename("audit.msg.exe",as="Command")`	`Table`
Event Types Breakdown	Provides a pie chart of event types using audit data. Hide Query Show Query logscale `log_source = "audit" \| top(["audit_type"])`	`Pie Chart`
Number of Events (by host)	Displays a chart of the number of events by host and limits results to the first 10 entries. Hide Query Show Query logscale `log_source = "audit" \| timeChart(series=@collect.host, limit=10)`	`Time Chart`

Widget	Description	Type
Number of Linux Hosts	Displays the total number of Linux hosts. Hide Query Show Query logscale `count(@collect.host, distinct=True)`	`Gauge`
Number of System Events	Displays the number of system events. Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| count()`	`Gauge`
Number of Auditd Events	Displays the number of audited events for a given user. Hide Query Show Query logscale `log_source = "audit" \| count()`	`Gauge`
Number of User Modifications	Displays the number of user modifications from audit data. Hide Query Show Query logscale `audit_type = "USER_MGMT" \| count()`	`Gauge`
Latest User Modifications	Displays a table of a user's latest modifications using audit data. Hide Query Show Query logscale `audit_type = "USER_MGMT" \| rename("audit.msg.exe",as="Usermod Command") \| table(["@timestamp", "@collect.host", "Usermod Command", "audit.msg.res"])`	`Table`
Events by Host	Displays a chart of events by host. Hide Query Show Query logscale `timeChart(series=@collect.host)`	`Time Chart`

Widget	Description	Type
[ssh] Suspicious Activity	Displays a table of suspicious SSH login activity like unknown or invalid users. Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| msg = /user unknown/i OR msg = /invalid user/i \| table(["@timestamp", "@collect.host", "pid", "msg"])`	`Table`
[ssh] Failed Source IPs	Displays a list of failed SSH source IPs that have failed by user and limits results to the first 10 entries. Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| /Failed password for (?<user>.) from (?<ip>.) port/ \| groupBy("ip", limit=10)`	`Bar Chart`
[ssh] Events by Host	Displays a chart of the top 10 SSH events by host. Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| timeChart(series=@collect.host, limit=10)`	`Time Chart`
[ssh] Failed Login Attempts	Displays a list of failed SSH login attempts. Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| msg = /Failed password/ \| count()`	`Gauge`

Widget	Description	Type
[sudo] Top Commands	Displays a chart of the top Sudo commands used. Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| kvParse(msg) \| "TTY=" \| top(["COMMAND"])`	`Pie Chart`
[sudo] Latest Events	Displays a table of the latest sudo events and associated data (timestamp, host, PID, etc.) Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| kvParse(msg) \| "TTY=" \| select(["@timestamp", "@collect.host", "pid", "TTY", "PWD", "USER", "COMMAND"])`	`Table`
[sudo] Number of Events	Displays the number of sudo events Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| count()`	`Gauge`
[sudo] Opened Sessions	This describes recent instances of sudo being executed. Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| msg = /session (?<status>.) for user (?<become_user>.) (by (?<user>.*))/ \| status = "opened" \| table(["@timestamp", "@collect.host", "user", "become_user", "msg"], limit=100)`	`Table`
[sudo] Events by Host	Displays a chart of sudo events by host over time. Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| msg = /session (?<status>.) for user (?<become_user>.) (by (?<user>.))/ \| status = \| timeChart("@collect.host")`	`Time Chart`