{ "apiVersion": "dashboard.grafana.app/v1beta1", "kind": "Dashboard", "metadata": { "name": "truenas-audit-overview" }, "spec": { "annotations": { "list": [ { "builtIn": 1, "datasource": { "type": "grafana", "uid": "-- Grafana --" }, "enable": true, "hide": true, "iconColor": "rgba(0, 211, 255, 1)", "name": "Annotations & Alerts", "type": "dashboard" } ] }, "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, "links": [], "panels": [ { "datasource": null, "gridPos": { "h": 5, "w": 24, "x": 0, "y": 0 }, "id": 1, "options": { "content": "# TrueNAS Audit Overview\n\nNative TrueNAS audit events from remote syslog, parsed in Alloy, and stored in Loki as `job=\"truenas_syslog\"`.\n\n[Open Audit Logs Panel](#/viewPanel=4)\n\n## Quick Checks\n```bash\n# dns host (receiver)\nsudo systemctl status alloy --no-pager\nsudo tail -n 50 /var/log/truenas/truenas-syslog.log\n\n# truenas host (sender)\nmidclt call system.advanced.config | jq '{syslogserver,syslog_transport,syslog_audit,syslog_tls_certificate,sed_user}'\n```\n", "mode": "markdown" }, "pluginVersion": "12.2.1", "targets": [], "title": "Status", "type": "text" }, { "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "decimals": 0, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": 0 }, { "color": "orange", "value": 1 }, { "color": "red", "value": 10 } ] }, "unit": "short" }, "overrides": [] }, "gridPos": { "h": 5, "w": 8, "x": 0, "y": 5 }, "id": 2, "options": { "colorMode": "background", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "percentChangeColorMode": "standard", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "showPercentChange": false, "textMode": "auto", "wideLayout": true }, "pluginVersion": "12.2.1", "targets": [ { "datasource": { "type": "loki", "uid": "ef1qnibjxb5z4a" }, "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"$svc\\\"}[5m]))", "refId": "A" } ], "title": "Audit Related Events (5m)", "type": "stat" }, { "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, "barWidthFactor": 0.6, "drawStyle": "line", "fillOpacity": 20, "gradientMode": "none", "hideFrom": { "legend": false, "tooltip": false, "viz": false }, "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, "scaleDistribution": { "type": "linear" }, "showPoints": "never", "spanNulls": false, "stacking": { "group": "A", "mode": "none" }, "thresholdsStyle": { "mode": "off" } }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": 0 }, { "color": "red", "value": 1 } ] }, "unit": "short" }, "overrides": [] }, "gridPos": { "h": 8, "w": 16, "x": 8, "y": 5 }, "id": 3, "options": { "legend": { "calcs": [], "displayMode": "list", "placement": "bottom", "showLegend": true }, "tooltip": { "hideZeros": false, "mode": "single", "sort": "none" } }, "pluginVersion": "12.2.1", "targets": [ { "datasource": { "type": "loki", "uid": "ef1qnibjxb5z4a" }, "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"$svc\\\",success=\\\"false\\\"}[5m]))", "legendFormat": "Failures", "refId": "A" }, { "datasource": { "type": "loki", "uid": "ef1qnibjxb5z4a" }, "expr": "sum(count_over_time({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"SUDO|SYSTEM\\\"}[5m]))", "legendFormat": "Privileged Actions", "refId": "B" } ], "title": "Security Event Rates", "type": "timeseries" }, { "fieldConfig": { "defaults": {}, "overrides": [] }, "gridPos": { "h": 11, "w": 24, "x": 0, "y": 13 }, "id": 4, "options": { "showCommonLabels": false, "showLabels": true, "showTime": true, "wrapLogMessage": true }, "targets": [ { "datasource": { "type": "loki", "uid": "ef1qnibjxb5z4a" }, "expr": "{job=\\\"truenas_syslog\\\",host=~\\\"$host\\\",svc=~\\\"$svc\\\"}", "refId": "A" } ], "title": "Audit / Security Logs", "type": "logs" } ], "preload": false, "refresh": "30s", "schemaVersion": 42, "tags": [ "truenas", "audit", "security", "loki" ], "templating": { "list": [ { "name": "host", "type": "query", "datasource": { "type": "loki", "uid": "ef1qnibjxb5z4a" }, "definition": "label_values({job=\"truenas_syslog\"}, host)", "query": "label_values({job=\"truenas_syslog\"}, host)", "refresh": 1, "sort": 1, "includeAll": true, "allValue": ".*", "multi": false, "current": { "text": "All", "value": "$__all", "selected": true } }, { "name": "svc", "type": "query", "query": "label_values({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"}, svc)", "includeAll": true, "allValue": ".*", "multi": false, "current": { "text": "All", "value": "$__all", "selected": true }, "datasource": { "type": "loki", "uid": "ef1qnibjxb5z4a" }, "definition": "label_values({job=\\\"truenas_syslog\\\",host=~\\\"$host\\\"}, svc)", "refresh": 1, "sort": 1 } ] }, "time": { "from": "now-6h", "to": "now" }, "timepicker": {}, "timezone": "browser", "title": "TrueNAS Audit Overview" } }