linux/system-logs Dashboards

Widget	Description	Type
Event Results	Hide Query Show Query logscale `log_source = "audit" \| timeChart(audit.msg.res)`	`Time Chart`
Top 5 Users (Events)	Hide Query Show Query logscale `log_source = "audit" \| top(["audit.msg.acct"], limit=5, as=Events) \| rename("audit.msg.acct",as="Users")`	`Table`
Event Types Descriptions	Hide Query Show Query logscale `log_source = "audit" \| match(file="linux/system-logs/message-dictionary.csv", field=audit_type, column="MACRO NAME", include=[DESCRIPTION]) \| groupBy(["audit_type",DESCRIPTION]) \| rename("audit_type",as="Event Types") \| sort("Event Types") \| drop(["_count"])`	`Table`
Top 10 Exec Commands	Hide Query Show Query logscale `log_source = "audit" \| top(["audit.msg.exe"], as=Count, limit=10) \| rename("audit.msg.exe",as="Command")`	`Table`
Event Types Breakdown	Hide Query Show Query logscale `log_source = "audit" \| top(["audit_type"])`	`Pie Chart`
Number of Events (by host)	Hide Query Show Query logscale `log_source = "audit" \| timeChart(series=@collect.host, limit=10)`	`Time Chart`

Widget	Description	Type
Number of Linux Hosts	Hide Query Show Query logscale `count(@collect.host, distinct=True)`	`Gauge`
Number of System Events	Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| count()`	`Gauge`
Number of Auditd Events	Hide Query Show Query logscale `log_source = "audit" \| count()`	`Gauge`
Number of User Modifications	Hide Query Show Query logscale `audit_type = "USER_MGMT" \| count()`	`Gauge`
Latest User Modifications	Hide Query Show Query logscale `audit_type = "USER_MGMT" \| rename("audit.msg.exe",as="Usermod Command") \| table(["@timestamp", "@collect.host", "Usermod Command", "audit.msg.res"])`	`Table`
Events by Host	Hide Query Show Query logscale `timeChart(series=@collect.host)`	`Time Chart`

Widget	Description	Type
[ssh] Suspicious Activity	Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| msg = /user unknown/i OR msg = /invalid user/i \| table(["@timestamp", "@collect.host", "pid", "msg"])`	`Table`
[ssh] Failed Source IPs	Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| /Failed password for (?<user>.) from (?<ip>.) port/ \| groupBy("ip", limit=10)`	`Bar Chart`
[ssh] Events by Host	Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| timeChart(series=@collect.host, limit=10)`	`Time Chart`
[ssh] Failed Login Attempts	Hide Query Show Query logscale `log_source =~ in(values=["system", "auth"]) \| app = "sshd" \| msg = /Failed password/ \| count()`	`Gauge`

Widget	Description	Type
[sudo] Top Commands	Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| kvParse(msg) \| "TTY=" \| top(["COMMAND"])`	`Pie Chart`
[sudo] Latest Events	Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| kvParse(msg) \| "TTY=" \| select(["@timestamp", "@collect.host", "pid", "TTY", "PWD", "USER", "COMMAND"])`	`Table`
[sudo] Number of Events	Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| count()`	`Gauge`
[sudo] Opened Sessions	This describes recent instances of sudo being executed. Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| msg = /session (?<status>.) for user (?<become_user>.) (by (?<user>.*))/ \| status = "opened" \| table(["@timestamp", "@collect.host", "user", "become_user", "msg"], limit=100)`	`Table`
[sudo] Events by Host	Hide Query Show Query logscale `log_source = "auth" \| app = "sudo" \| msg = /session (?<status>.) for user (?<become_user>.) (by (?<user>.))/ \| status = \| timeChart("@collect.host")`	`Time Chart`