Auditd hosts in all environments

Shows login activity across our Linux environments, plus sudo commands broken down per host and per user.


Admin Notes: index=main was changed to index=* because not everyone uses the same index. This dashboard has been tested for XML errors, but the searches themselves have not been validated against every environment.
Please comment if you have any issues!


<form>
  <label>Audit All Hosts</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field2" searchWhenChanged="true">
      <label>Environment</label>
      <choice value="*">All</choice>
      <choice value="*dev*">DEV</choice>
      <choice value="*prd*">PROD</choice>
      <choice value="*int*">INTG</choice>
      <choice value="*tst*">TEST</choice>
      <choice value="*inf*">INF</choice>
      <choice value="*qa*">QA</choice>
      <fieldForLabel>env</fieldForLabel>
      <fieldForValue>env</fieldForValue>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Audit Auth Logs By GeoIp</title>
      <map>
        <title>(ssh originating locations, not updated with Environment dropdown)</title>
        <search>
          <query>index=* "ssh" "audit.res"=success type=USER_LOGIN hostname=*| iplocation addr | geostats latfield=lat longfield=lon count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="mapping.choroplethLayer.colorBins">5</option>
        <option name="mapping.choroplethLayer.colorMode">auto</option>
        <option name="mapping.choroplethLayer.maximumColor">0xaf575a</option>
        <option name="mapping.choroplethLayer.minimumColor">0x62b3b2</option>
        <option name="mapping.choroplethLayer.neutralPoint">0</option>
        <option name="mapping.choroplethLayer.shapeOpacity">0.75</option>
        <option name="mapping.choroplethLayer.showBorder">1</option>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.legend.placement">bottomright</option>
        <option name="mapping.map.center">(38.41,-108.41)</option>
        <option name="mapping.map.panning">1</option>
        <option name="mapping.map.scrollZoom">0</option>
        <option name="mapping.map.zoom">4</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.showTiles">1</option>
        <option name="mapping.tileLayer.maxZoom">7</option>
        <option name="mapping.tileLayer.minZoom">0</option>
        <option name="mapping.tileLayer.tileOpacity">1</option>
        <option name="mapping.type">marker</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </map>
    </panel>
    <panel>
      <title>Failed Auth by Host</title>
      <chart>
        <search>
          <query>index=* "failed" extracted_source="/var/log/audit/audit.log" "audit.type"=USER_LOGIN hostname=$field2$ | timechart bins=30 count by hostname</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top Sudoers</title>
      <table>
        <search>
          <query>index=* extracted_source="/var/log/secure" sudoer!=nrpe hostname=$field2$| stats count by sudoer command | sort - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Sudoers</title>
      <viz type="simple_xml_examples.tagcloud">
        <search>
          <query>index=* "su" extracted_source="/var/log/secure" hostname=$field2$ | stats count by sudoer</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="simple_xml_examples.tagcloud.labelField">sudoer</option>
        <option name="simple_xml_examples.tagcloud.maxFontSize">36</option>
        <option name="simple_xml_examples.tagcloud.minFontSize">8</option>
        <option name="simple_xml_examples.tagcloud.valueField">count</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    <panel>
      <title>Auditd Top Accounts</title>
      <viz type="simple_xml_examples.tagcloud">
        <search>
          <query>index=* "su" audit.log.acct=* extracted_source="/var/log/audit/audit.log" hostname=$field2$ | top audit.log.acct</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="simple_xml_examples.tagcloud.labelField">audit.log.acct</option>
        <option name="simple_xml_examples.tagcloud.maxFontSize">48</option>
        <option name="simple_xml_examples.tagcloud.minFontSize">12</option>
        <option name="simple_xml_examples.tagcloud.valueField">count</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <title>Sudo count by User By Command By Host</title>
      <table>
        <search>
          <query>index=* "su" extracted_source="/var/log/secure" hostname=$field2$| stats count by sudoer command hostname</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
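The panels above are SPL searches that depend on a handful of extracted fields (res, addr, exe for the auditd USER_LOGIN records; sudoer and COMMAND for the /var/log/secure sudo lines) and on the Environment dropdown glob applied to hostname. As an added example that is not part of the dashboard, the following Python reproduces the map, Failed Auth by Host and Top Sudoers counts offline over constructed sample lines, so the field extraction can be checked before the searches are trusted. Host names, addresses and accounts are made up; the Splunk host field is modelled as the first element of each event tuple.

```python
import re
from collections import Counter
from fnmatch import fnmatch

# Constructed sample data (hypothetical hosts/addresses): (Splunk host field, raw auditd line)
AUDIT_EVENTS = [
    ("web-dev-01", "type=USER_LOGIN msg=audit(1700000000.101:11): pid=900 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'"),
    ("web-dev-01", "type=USER_LOGIN msg=audit(1700000000.202:12): pid=901 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'"),
    ("db-prd-01", "type=USER_LOGIN msg=audit(1700000000.303:13): pid=902 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"admin\" exe=\"/usr/sbin/sshd\" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'"),
]
# Constructed /var/log/secure sudo lines in the stock syslog/sudo format
SECURE_LINES = [
    "Nov 14 22:13:20 web-dev-01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart httpd",
    "Nov 14 22:13:25 web-dev-01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart httpd",
    "Nov 14 22:14:00 db-prd-01 sudo:    nrpe : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/check_disk",
    "Nov 14 22:15:10 db-prd-01 sudo:     bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/cat /etc/shadow",
]
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")  # key=value pairs, quoted or bare
SUDO_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sudo:\s+(?P<sudoer>\S+) : .*COMMAND=(?P<command>.*)$")

def parse_audit(line):
    """Flatten an auditd record, including the nested msg='...' block, into a dict."""
    return {k: v.strip("'\"") for k, v in KV_RE.findall(line)}

def user_logins(events, res, host_glob="*"):
    """USER_LOGIN records with the given result, filtered by the Environment dropdown glob."""
    for host, line in events:
        f = parse_audit(line)
        if f.get("type") == "USER_LOGIN" and f.get("res") == res and fnmatch(host, host_glob):
            yield host, f

def ssh_login_sources(events):
    """Map panel: successful sshd logins per source address (what iplocation/geostats consume)."""
    return Counter(f["addr"] for _h, f in user_logins(events, "success") if "sshd" in f.get("exe", ""))

def failed_logins_by_host(events, host_glob="*"):
    """Failed Auth by Host panel: failed USER_LOGIN count per host."""
    return Counter(h for h, _f in user_logins(events, "failed", host_glob))

def sudo_by_user_command(lines, host_glob="*", exclude=("nrpe",)):
    """Top Sudoers panel: count by sudoer and command, dropping the monitoring account."""
    c = Counter()
    for line in lines:
        m = SUDO_RE.match(line)
        if m and m["sudoer"] not in exclude and fnmatch(m["host"], host_glob):
            c[(m["sudoer"], m["command"])] += 1
    return c
```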



Comments

  1. Al

    Hi SplunkNinja:

    I attempted this in Splunk as well but nothing loaded in the dashboard. I tinkered with the XML, and still nothing. What version of Linux was this written for?

  2. Al

    I realized I had to change a lot of the queries for the results to show. I had to remove Trellis. I got it to work; the GEOIP map was useful to detect remote SSH.

  3. Robet Doe

    How can I achieve this with no XML file? I have sourcetype and index but no XML file. I can't use any add-on or ingest files. I have to use the sourcetype and the index they provided to me that live in Splunk already. I am able to get visuals, but no data is populating. Any help would be greatly appreciated.
