diff --git a/HomeLab/truenas-audit-overview.json b/HomeLab/truenas-audit-overview.json
index e68800d..5dfb1f4 100644
--- a/HomeLab/truenas-audit-overview.json
+++ b/HomeLab/truenas-audit-overview.json
@@ -104,7 +104,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "sum(count_over_time({job=~\".+\"} |~ \"(?i)(audit|sudo|authentication|middleware|truenas)\" [5m]))",
+ "expr": "sum(count_over_time({job=\"truenas_syslog\"} |= \"TNAUDIT\" [5m]))",
 "refId": "A"
 }
 ],
@@ -195,7 +195,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "sum(count_over_time({job=~\".+\"} |~ \"(?i)(failed|failure|denied|unauthorized|invalid user)\" [5m]))",
+ "expr": "sum(count_over_time({job=\"truenas_syslog\"} |= \"TNAUDIT\" |~ \"(?i)(\\\"success\\\": false|FAILED|denied|invalid)\" [5m]))",
 "legendFormat": "Failures",
 "refId": "A"
 },
@@ -204,7 +204,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "sum(count_over_time({job=~\".+\"} |~ \"(?i)(sudo|privilege|root)\" [5m]))",
+ "expr": "sum(count_over_time({job=\"truenas_syslog\"} |= \"TNAUDIT\" |~ \"\\\"svc\\\": \\\"(SUDO|SYSTEM)\\\"\" [5m]))",
 "legendFormat": "Privileged Actions",
 "refId": "B"
 }
@@ -236,7 +236,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "{job=~\".+\"} |~ \"(?i)(audit|sudo|authentication|middleware|truenas|smb)\"",
+ "expr": "{job=\"truenas_syslog\"} |= \"TNAUDIT\"",
 "refId": "A"
 }
 ],
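Review bot: The failure and privileged-action regexes in the second and third hunks match raw JSON text with a fixed `"key": value` spacing (`\"success\": false`, `\"svc\": \"(SUDO|SYSTEM)\"`), so a serializer that emits compact `"success":false` would make both panels silently read zero rather than fail visibly. If the TNAUDIT payload is valid JSON, a structured filter is more robust, e.g. `|= "TNAUDIT" | json | success="false"` for failures and `|= "TNAUDIT" | json | svc=~"SUDO|SYSTEM"` for privileged actions, and it also stops the loose `denied|invalid` alternation from matching inside free-text fields of successful events. Separately, narrowing every query from `{job=~".+"}` to `{job="truenas_syslog"}` means a renamed or broken shipper label now looks identical to "no audit events"; an alert threshold on the first hunk's total panel (`count_over_time({job="truenas_syslog"} |= "TNAUDIT" [5m])`) dropping to zero would distinguish a dead pipeline from a quiet one.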