Add TrueNAS audit filters and overview drill-down link
This commit is contained in:
gbanyan
@@ -36,7 +36,7 @@
|
||||
},
|
||||
"id": 1,
|
||||
"options": {
|
||||
"content": "# TrueNAS Audit Overview\\n\\nThis dashboard is for audit/event visibility (not metrics).\\n\\nCurrent status: Loki is reachable but no dedicated TrueNAS audit log stream is labeled yet.\\n\\nNext step: ship TrueNAS audit/syslog events into Loki, then use these panels for detection and triage.",
|
||||
"content": "# TrueNAS Audit Overview\\n\\nNative TrueNAS audit events forwarded via remote syslog and ingested to Loki as `job=truenas_syslog`.\\n\\nUse filters above to focus by host and service.",
|
||||
"mode": "markdown"
|
||||
},
|
||||
"pluginVersion": "12.2.1",
|
||||
@@ -104,7 +104,7 @@
|
||||
"type": "loki",
|
||||
"uid": "ef1qnibjxb5z4a"
|
||||
},
|
||||
"expr": "sum(count_over_time({job=\"truenas_syslog\"} |= \"TNAUDIT\" [5m]))",
|
||||
"expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" [5m]))",
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
@@ -195,7 +195,7 @@
|
||||
"type": "loki",
|
||||
"uid": "ef1qnibjxb5z4a"
|
||||
},
|
||||
"expr": "sum(count_over_time({job=\"truenas_syslog\"} |= \"TNAUDIT\" |~ \"(?i)(\\\"success\\\": false|FAILED|denied|invalid)\" [5m]))",
|
||||
"expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" |~ \\\"(?i)(\\\\\\\"success\\\\\\\": false|FAILED|denied|invalid)\\\" [5m]))",
|
||||
"legendFormat": "Failures",
|
||||
"refId": "A"
|
||||
},
|
||||
@@ -204,7 +204,7 @@
|
||||
"type": "loki",
|
||||
"uid": "ef1qnibjxb5z4a"
|
||||
},
|
||||
"expr": "sum(count_over_time({job=\"truenas_syslog\"} |= \"TNAUDIT\" |~ \"\\\"svc\\\": \\\"(SUDO|SYSTEM)\\\"\" [5m]))",
|
||||
"expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"(SUDO|SYSTEM)\\\\\\\"\\\" [5m]))",
|
||||
"legendFormat": "Privileged Actions",
|
||||
"refId": "B"
|
||||
}
|
||||
@@ -236,7 +236,7 @@
|
||||
"type": "loki",
|
||||
"uid": "ef1qnibjxb5z4a"
|
||||
},
|
||||
"expr": "{job=\"truenas_syslog\"} |= \"TNAUDIT\"",
|
||||
"expr": "{job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\"",
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
@@ -254,7 +254,41 @@
|
||||
"loki"
|
||||
],
|
||||
"templating": {
|
||||
"list": []
|
||||
"list": [
|
||||
{
|
||||
"name": "host",
|
||||
"type": "query",
|
||||
"datasource": {
|
||||
"type": "loki",
|
||||
"uid": "ef1qnibjxb5z4a"
|
||||
},
|
||||
"definition": "label_values({job=\"truenas_syslog\"}, host)",
|
||||
"query": "label_values({job=\"truenas_syslog\"}, host)",
|
||||
"refresh": 1,
|
||||
"sort": 1,
|
||||
"includeAll": true,
|
||||
"allValue": ".*",
|
||||
"multi": false,
|
||||
"current": {
|
||||
"text": "All",
|
||||
"value": "$__all",
|
||||
"selected": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "svc",
|
||||
"type": "custom",
|
||||
"query": "SMB,SYSTEM,SUDO,MIDDLEWARE",
|
||||
"includeAll": true,
|
||||
"allValue": ".*",
|
||||
"multi": false,
|
||||
"current": {
|
||||
"text": "All",
|
||||
"value": "$__all",
|
||||
"selected": true
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"time": {
|
||||
"from": "now-6h",
|
||||
|
||||
@@ -24,7 +24,13 @@
|
||||
"editable": true,
|
||||
"fiscalYearStartMonth": 0,
|
||||
"graphTooltip": 1,
|
||||
"links": [],
|
||||
"links": [
|
||||
{
|
||||
"title": "Open Audit Dashboard",
|
||||
"url": "/d/truenas-audit-overview/truenas-audit-overview",
|
||||
"targetBlank": false
|
||||
}
|
||||
],
|
||||
"panels": [
|
||||
{
|
||||
"datasource": {
|
||||
|
||||
Reference in New Issue
Block a user