truenas audit: add runbook panel and switch to parsed svc labels

2026-02-15 12:12:33 +08:00
parent b46d5d5233
commit e808ea9623
1 changed files with 15 additions and 8 deletions
--- a/HomeLab/truenas-audit-overview.json
+++ b/HomeLab/truenas-audit-overview.json
@@ -36,7 +36,7 @@
        },
        "id": 1,
        "options": {
-          "content": "# TrueNAS Audit Overview\\n\\nNative TrueNAS audit events forwarded via remote syslog and ingested to Loki as `job=truenas_syslog`.\\n\\nUse filters above to focus by host and service.",
+          "content": "# TrueNAS Audit Overview\n\nNative TrueNAS audit events from remote syslog, parsed in Alloy, and stored in Loki as `job=\"truenas_syslog\"`.\n\n[Open Audit Logs Panel](#/viewPanel=4)\n\n## Quick Checks\n```bash\n# dns host (receiver)\nsudo systemctl status alloy --no-pager\nsudo tail -n 50 /var/log/truenas/truenas-syslog.log\n\n# truenas host (sender)\nmidclt call system.advanced.config | jq '{syslogserver,syslog_transport,syslog_audit,syslog_tls_certificate,sed_user}'\n```\n",
          "mode": "markdown"
        },
        "pluginVersion": "12.2.1",
@@ -104,7 +104,7 @@
              "type": "loki",
              "uid": "ef1qnibjxb5z4a"
            },
-            "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" [5m]))",
+            "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"$svc\\\"}[5m]))",
            "refId": "A"
          }
        ],
@@ -195,7 +195,7 @@
              "type": "loki",
              "uid": "ef1qnibjxb5z4a"
            },
-            "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" |~ \\\"(?i)(\\\\\\\"success\\\\\\\": false|FAILED|denied|invalid)\\\" [5m]))",
+            "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"$svc\\\",success=\\\"false\\\"}[5m]))",
            "legendFormat": "Failures",
            "refId": "A"
          },
@@ -204,7 +204,7 @@
              "type": "loki",
              "uid": "ef1qnibjxb5z4a"
            },
-            "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"(SUDO|SYSTEM)\\\\\\\"\\\" [5m]))",
+            "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"SUDO|SYSTEM\\\"}[5m]))",
            "legendFormat": "Privileged Actions",
            "refId": "B"
          }
@@ -236,7 +236,7 @@
              "type": "loki",
              "uid": "ef1qnibjxb5z4a"
            },
-            "expr": "{job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"} |= \\\"TNAUDIT\\\" |~ \\\"\\\\\\\"svc\\\\\\\": \\\\\\\"($svc)\\\\\\\"\\\"",
+            "expr": "{job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"$svc\\\"}",
            "refId": "A"
          }
        ],
@@ -277,8 +277,8 @@
        },
        {
          "name": "svc",
-          "type": "custom",
-          "query": "SMB,SYSTEM,SUDO,MIDDLEWARE",
+          "type": "query",
+          "query": "label_values({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"}, svc)",
          "includeAll": true,
          "allValue": ".*",
          "multi": false,
@@ -286,7 +286,14 @@
            "text": "All",
            "value": "$__all",
            "selected": true
-          }
+          },
+          "datasource": {
+            "type": "loki",
+            "uid": "ef1qnibjxb5z4a"
+          },
+          "definition": "label_values({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"}, svc)",
+          "refresh": 1,
+          "sort": 1
        }
      ]
    },