Configure a Dashboard

A dashboard is a collection of widgets that use the saved searches that you have created. These will be configured to display a graph to more easily scan or monitor servers.

In the previous section, you created two widgets from the search queries you entered, which are in the dashboard you created. You should be viewing that dashboard in Falcon LogScale now. Let's see what you can do in a dashboard.

  • Reposition and resize the widgets. Click on the Edit button at the top right. Then drag the two widgets into different positions. Resize them with your mouse.

  • Change the name of the dashboard and the description.

  • Change the name of the widgets in the dashboard, their description and style. After clicking the menu icon on a widget, you'll see a few options appear. Click on Styling, this will allow you to change the titles and descriptions for them. For your Time Chart widget for example, you can change how the graph is displayed.

  • Change a query behind a widget. After clicking the menu icon, click Edit in Search view to reveal the queries for each widget. You can modify them here, if you want. Or you can copy one of the queries and return to the Search page to test any changes before changing a widget.

The two widgets we have so far are generated by queries that involve data from the Falcon Log Collector. Let's add a widget that will use data that rsyslog is sending Falcon LogScale. Before doing this, let's generate some security events we might want to monitor. Open a terminal window on your computer and try to log into your server with a user name that doesn't exist on your server. Enter something like the first line below, but with your domain name or IP address:

logscale
ssh bob@example.com
bob@example.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

The second line here is what's returned since this server requires an encryption key. Try to log in with at least two other fake user names, just so we'll have a few entries in the Falcon LogScale repository.

When you've done that, go back to Falcon LogScale Cloud in your web browser and click the Search tab. Then enter bob, or whatever fake user name you entered, to find the entry for that failed attempt to log in.

Near the top of the list of field names and their values, notice the field just after the repository name. It shows the type with a value of syslog. That's coming from rsyslog on your server.

Much further down the list of fields there's a message field with a value that says, Invalid user bob.... Let's use that text to search for all attempts to log in with an invalid user, just the Invalid user part without the user name.

The query below uses a regex to parse the details of the full message. If you compare this regex expression to the results when we searched only on the user name, you'll see how it's parsing the message text to return just the source IP address and port, and the user name.

Copy and paste the query into your search field and run it:

logscale
/Invalid user (?<user>\w+) from (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?<src_port>\d+)/
| table([src_ip, src_port, user])

The results should show a table listing all of the times you tried to log in with a fake name. Normally, though, if you see many attempts from the same IP address, you might want to block that port: it might be a hacker. If you recognize the name as being similar to an actual user (e.g., Bob's user name is actually rob), you might want to talk to that user to solve the problem.

Let's save this query to a widget to put in the dashboard. Click on the Save button and choose Dashboard Widget. Provide a title, Invalid User Login Attempts. Then save it and go to the dashboard to see how it looks. From the dashboard, click the Edit button again and move all of the widgets around and resize them to accommodate the new widget.

While still in Editing dashboard mode, click on the Add Note button. This will create a simple widget in which you may add text describing the dashboard or some other information related to the other widgets. It could be a note for yourself, or it could instruct other admins. as to what to do when they see something abnormal in the widgets. The note widget accepts basic markdown formatting and you can include links to other web pages. With all of this in mind, write something in that note widget and save it. After that, you may want to rearrange and resize the widgets, again.

While you're playing with the dashboard, notice there's a button at the top that reads, 1 day. This means that the data for all of the widgets is for entries in the repository for the past twenty-four hours. The Live box checked means that the results in the widgets will change as events happen. Test that by either attempting again to open a web page that doesn't exist on your server, or logging in with another invalid user name. You should see the results change in at least one of the widgets.

Try also changing the time frame from twenty-four hours to the past thirty-days, live. This will give you more interesting results in your widgets.

For the detailed documentation on how to use and manage dashboards, see Dashboards & Widgets.