From e808ea9623c2d036108c11d0fdfb93ee346783d8 Mon Sep 17 00:00:00 2001
From: gbanyan
Date: Sun, 15 Feb 2026 12:12:33 +0800
Subject: [PATCH] truenas audit: add runbook panel and switch to parsed svc labels

---
 HomeLab/truenas-audit-overview.json | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/HomeLab/truenas-audit-overview.json b/HomeLab/truenas-audit-overview.json
index 41cf5eb..1f8b8f2 100644
--- a/HomeLab/truenas-audit-overview.json
+++ b/HomeLab/truenas-audit-overview.json
@@ -36,7 +36,7 @@
 },
 "id": 1,
 "options": {
- "content": "# TrueNAS Audit Overview\\n\\nNative TrueNAS audit events forwarded via remote syslog and ingested to Loki as `job=truenas_syslog`.\\n\\nUse filters above to focus by host and service.",
+ "content": "# TrueNAS Audit Overview\n\nNative TrueNAS audit events from remote syslog, parsed in Alloy, and stored in Loki as `job=\"truenas_syslog\"`.\n\n[Open Audit Logs Panel](#/viewPanel=4)\n\n## Quick Checks\n```bash\n# dns host (receiver)\nsudo systemctl status alloy --no-pager\nsudo tail -n 50 /var/log/truenas/truenas-syslog.log\n\n# truenas host (sender)\nmidclt call system.advanced.config | jq '{syslogserver,syslog_transport,syslog_audit,syslog_tls_certificate,sed_user}'\n```\n",
 "mode": "markdown"
 },
 "pluginVersion": "12.2.1",
@@ -104,7 +104,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" [5m]))",
+ "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"$svc\\\"}[5m]))",
 "refId": "A"
 }
 ],
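Review bot: The runbook link `[Open Audit Logs Panel](#/viewPanel=4)` in the new `content` line is probably not a working Grafana deep link: Grafana opens a single panel through the `viewPanel` query parameter on the dashboard URL, so `?viewPanel=4` is the expected form, and the logs panel's id is not visible in this hunk, so confirm it really is 4. The `jq` projection at the end of the quick checks includes `sed_user`, which as far as I can tell belongs to the self-encrypting-drive settings rather than to syslog forwarding; trimming it to `jq '{syslogserver,syslog_transport,syslog_audit,syslog_tls_certificate}'` keeps the check focused on the forwarding path. A short line next to that command stating what the operator should expect to see (transport, certificate and audit forwarding set) would make the check actionable rather than descriptive. The panel object starts and ends outside the hunk.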
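Review bot: With the `|= "TNAUDIT"` line filter gone, the new selector `{job="truenas_syslog",host=~"$host",svc=~"$svc"}` depends entirely on the parsed `svc` label, and when the `svc` variable is at All its `allValue` of `.*` (visible as context in the variable hunk at -277) also matches streams that carry no `svc` label at all. If the job also receives syslog lines the Alloy stage leaves unlabelled, those lines are counted as audit events here and listed in the logs panel at -236, which uses the same selector shape. Setting `"allValue": ".+"` on the `svc` variable limits both panels to streams where the label was actually extracted. The target object starts and ends outside the hunk.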
@@ -195,7 +195,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" |~ \\\"(?i)(\\\\\\\"success\\\\\\\": false|FAILED|denied|invalid)\\\" [5m]))",
+ "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"$svc\\\",success=\\\"false\\\"}[5m]))",
 "legendFormat": "Failures",
 "refId": "A"
 },
@@ -204,7 +204,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"(SUDO|SYSTEM)\\\\\\\"\\\" [5m]))",
+ "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"SUDO|SYSTEM\\\"}[5m]))",
 "legendFormat": "Privileged Actions",
 "refId": "B"
 }
@@ -236,7 +236,7 @@
 "type": "loki",
 "uid": "ef1qnibjxb5z4a"
 },
- "expr": "{job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\"",
+ "expr": "{job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"$svc\\\"}",
 "refId": "A"
 }
 ],
@@ -277,8 +277,8 @@
 },
 {
 "name": "svc",
- "type": "custom",
- "query": "SMB,SYSTEM,SUDO,MIDDLEWARE",
+ "type": "query",
+ "query": "label_values({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"}, svc)",
 "includeAll": true,
 "allValue": ".*",
 "multi": false,
@@ -286,7 +286,14 @@
 "text": "All",
 "value": "$__all",
 "selected": true
- }
+ },
+ "datasource": {
+ "type": "loki",
+ "uid": "ef1qnibjxb5z4a"
+ },
+ "definition": "label_values({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"}, svc)",
+ "refresh": 1,
+ "sort": 1
 }
 ]
 },
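Review bot: The failure count is now narrower than before: the removed expression also matched `FAILED`, `denied` and `invalid` in the raw message, while the new selector counts only lines the Alloy stage labelled `success="false"`, so any event without a parsed `success` label (a non-JSON line, or a parse failure upstream) silently drops out of the series. That is fine if the parse stage is treated as authoritative, but it should be stated on the panel so a lower number is not misread as fewer failures, e.g. `"description": "Counts events the Alloy stage labelled success=false; lines without a parsed success label are not counted."`. A companion series for lines that lack the label would make parse gaps visible instead of invisible. The target object starts and ends outside the hunk.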
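Review bot: The Privileged Actions series (refId B) no longer honours the `$svc` variable while series A in the same panel (hunk -195) does: the removed expression required both the `$svc` match and `SUDO|SYSTEM`, the new one is `svc=~"SUDO|SYSTEM"` alone, so selecting a single service such as SMB now shows privileged counts for other services beside a filtered failure count. If that is deliberate, say so in the legend or panel description; otherwise a label filter after the selector restores the old behaviour, `"expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"SUDO|SYSTEM\\\"} | svc=~\\\"$svc\\\" [5m]))"`. The target object starts and ends outside the hunk.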
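Review bot: `"refresh": 1` runs the new `label_values(...)` query only when the dashboard loads, but Loki label values are scoped to the query time range, so a service that first appears in the selected window after load is not offered in the dropdown until a reload; `"refresh": 2` (on time range change) keeps the list in step with the window. `"definition"` repeats the `query` string added in the hunk at -277, which is how Grafana stores it, so the two must be kept identical on later edits. The variable object starts outside the hunk.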