diff --git a/HomeLab/truenas-audit-overview.json b/HomeLab/truenas-audit-overview.json
index 5dfb1f4..41cf5eb 100644
--- a/HomeLab/truenas-audit-overview.json
+++ b/HomeLab/truenas-audit-overview.json
@@ -36,7 +36,7 @@
 },
 "id": 1,
 "options": {
- "content": "# TrueNAS Audit Overview\\n\\nThis dashboard is for audit/event visibility (not metrics).\\n\\nCurrent status: Loki is reachable but no dedicated TrueNAS audit log stream is labeled yet.\\n\\nNext step: ship TrueNAS audit/syslog events into Loki, then use these panels for detection and triage.",
+ "content": "# TrueNAS Audit Overview\\n\\nNative TrueNAS audit events forwarded via remote syslog and ingested to Loki as `job=truenas_syslog`.\\n\\nUse filters above to focus by host and service.",
 "mode": "markdown"
 },
 "pluginVersion": "12.2.1",
@@ -104,7 +104,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "sum(count_over_time({job=\"truenas_syslog\"} |= \"TNAUDIT\" [5m]))",
+ "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" [5m]))",
 "refId": "A"
 }
 ],
@@ -195,7 +195,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "sum(count_over_time({job=\"truenas_syslog\"} |= \"TNAUDIT\" |~ \"(?i)(\\\"success\\\": false|FAILED|denied|invalid)\" [5m]))",
+ "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" |~ \\\"(?i)(\\\\\\\"success\\\\\\\": false|FAILED|denied|invalid)\\\" [5m]))",
 "legendFormat": "Failures",
 "refId": "A"
 },
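Review bot: The `content` string on the new line still carries `\\n` sequences, which JSON decodes to a literal backslash followed by `n`, so the markdown panel most likely shows `\n` as text instead of paragraph breaks. The old line had the same doubled form, so this may be how the file was exported rather than something this commit introduced; if the file really contains `\\n`, replacing each with a single `\n` (i.e. `"# TrueNAS Audit Overview\n\nNative TrueNAS audit events …"`) is the fix. Worth checking once in the rendered panel before changing it.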
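Review bot: The new `expr` value is escaped one level too deep: every `\"` of the old line became `\\\"`, so after JSON decoding the LogQL reads `{job=\"truenas_syslog\",host=~\"$host\"} …` with literal backslashes before the quotes, which the Loki parser will reject and the panel will show an error instead of a count. The same doubled escaping appears in the `expr` lines of hunks @@ -195, @@ -204 and @@ -236, while the `definition`/`query` strings added in the templating hunk use the correct single level, which is what makes me fairly confident this is a generator or editor artefact rather than intent. The old line is the reference pattern; the corrected new line should be `"expr": "sum(count_over_time({job=\"truenas_syslog\",host=~\"$host\"} |= \"TNAUDIT\" |~ \"\\\"svc\\\": \\\"($svc)\\\"\" [5m]))",` and the other three follow the same one-level rule. Note also that the `svc` filter assumes the audit record is formatted exactly as `"svc": "NAME"` with a space after the colon; if the syslog forwarder re-serialises the JSON, confirm the spacing against a live line.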
@@ -204,7 +204,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "sum(count_over_time({job=\"truenas_syslog\"} |= \"TNAUDIT\" |~ \"\\\"svc\\\": \\\"(SUDO|SYSTEM)\\\"\" [5m]))",
+ "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"(SUDO|SYSTEM)\\\\\\\"\\\" [5m]))",
 "legendFormat": "Privileged Actions",
 "refId": "B"
 }
@@ -236,7 +236,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "{job=\"truenas_syslog\"} |= \"TNAUDIT\"",
+ "expr": "{job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\"",
 "refId": "A"
 }
 ],
@@ -254,7 +254,41 @@
 "loki"
 ],
 "templating": {
- "list": []
+ "list": [
+ {
+ "name": "host",
+ "type": "query",
+ "datasource": {
+ "type": "loki",
+ "uid": "ef1qnibjxb5z4a"
+ },
+ "definition": "label_values({job=\"truenas_syslog\"}, host)",
+ "query": "label_values({job=\"truenas_syslog\"}, host)",
+ "refresh": 1,
+ "sort": 1,
+ "includeAll": true,
+ "allValue": ".*",
+ "multi": false,
+ "current": {
+ "text": "All",
+ "value": "$__all",
+ "selected": true
+ }
+ },
+ {
+ "name": "svc",
+ "type": "custom",
+ "query": "SMB,SYSTEM,SUDO,MIDDLEWARE",
+ "includeAll": true,
+ "allValue": ".*",
+ "multi": false,
+ "current": {
+ "text": "All",
+ "value": "$__all",
+ "selected": true
+ }
+ }
+ ]
 },
 "time": {
 "from": "now-6h",
diff --git a/HomeLab/truenas-scale-overview.json b/HomeLab/truenas-scale-overview.json
index 9524f98..8fc16a6 100644
--- a/HomeLab/truenas-scale-overview.json
+++ b/HomeLab/truenas-scale-overview.json
@@ -24,7 +24,13 @@
 "editable": true,
 "fiscalYearStartMonth": 0,
 "graphTooltip": 1,
- "links": [],
+ "links": [
+ {
+ "title": "Open Audit Dashboard",
+ "url": "/d/truenas-audit-overview/truenas-audit-overview",
+ "targetBlank": false
+ }
+ ],
 "panels": [
 {
 "datasource": {
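Review bot: Neither new variable in the templating hunk has a `label`, so the filter bar will show the raw names `host` and `svc`; adding `"label": "Host"` and `"label": "Service"` next to each `name` is cheap and matches the text panel's "filter by host and service" wording. Every matcher that consumes these variables is already a regex (`host=~"$host"`, `($svc)`) with `allValue` set to `.*`, so `"multi": true` would let an operator compare several hosts or services in one view; as far as I recall the Loki datasource renders multi-values as `(a|b)`, which those patterns accept, but confirm on this Grafana version before flipping it. The datasource uid `ef1qnibjxb5z4a` is now repeated in the variable as well as in every panel; if this JSON is meant to be imported on another Grafana, an export with a `${DS_LOKI}` input avoids editing it in several places. The `svc` option list `SMB,SYSTEM,SUDO,MIDDLEWARE` is hand-maintained, so a service the audit stream starts emitting later is only reachable through "All" — a one-line comment in the repo README noting where that list comes from would help the next person.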
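Review bot: The new dashboard link in truenas-scale-overview.json omits `type`, and Grafana's dashboard link model distinguishes `"type": "link"` from `"type": "dashboards"`; without it some versions may not render the entry at all, so add `"type": "link"` alongside `title`. For triage the link should also carry the current time range across, otherwise the audit dashboard opens on its own default window (`now-6h` per the other file) rather than the interval the operator was looking at; `"keepTime": true` does that. The `url` hardcodes the uid `truenas-audit-overview`, which I cannot verify from this diff — if the audit dashboard's actual `uid` field differs, the link 404s, so confirm it against the audit JSON.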