Shows login activity to our Linux environments, plus sudo commands per host and user.
Admin Notes: index=main was changed to index=* because not everyone uses the same index. This dashboard has been tested for code errors, but not for search errors.
Please comment if you have any issues!
<form>
  <label>Audit All Hosts</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field2" searchWhenChanged="true">
      <label>Environment</label>
      <choice value="*">All</choice>
      <choice value="*dev*">DEV</choice>
      <choice value="*prd*">PROD</choice>
      <choice value="*int*">INTG</choice>
      <choice value="*tst*">TEST</choice>
      <choice value="*inf*">INF</choice>
      <choice value="*qa*">QA</choice>
      <fieldForLabel>env</fieldForLabel>
      <fieldForValue>env</fieldForValue>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Audit Auth Logs By GeoIp</title>
      <map>
        <title>(ssh originating locations, not updated with Environment dropdown)</title>
        <search>
          <query>index=* "ssh" "audit.res"=success type=USER_LOGIN hostname=* | iplocation addr | geostats latfield=lat longfield=lon count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="mapping.choroplethLayer.colorBins">5</option>
        <option name="mapping.choroplethLayer.colorMode">auto</option>
        <option name="mapping.choroplethLayer.maximumColor">0xaf575a</option>
        <option name="mapping.choroplethLayer.minimumColor">0x62b3b2</option>
        <option name="mapping.choroplethLayer.neutralPoint">0</option>
        <option name="mapping.choroplethLayer.shapeOpacity">0.75</option>
        <option name="mapping.choroplethLayer.showBorder">1</option>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.legend.placement">bottomright</option>
        <option name="mapping.map.center">(38.41,-108.41)</option>
        <option name="mapping.map.panning">1</option>
        <option name="mapping.map.scrollZoom">0</option>
        <option name="mapping.map.zoom">4</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.showTiles">1</option>
        <option name="mapping.tileLayer.maxZoom">7</option>
        <option name="mapping.tileLayer.minZoom">0</option>
        <option name="mapping.tileLayer.tileOpacity">1</option>
        <option name="mapping.type">marker</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </map>
    </panel>
    <panel>
      <title>Failed Auth by Host</title>
      <chart>
        <search>
          <query>index=* "failed" extracted_source="/var/log/audit/audit.log" "audit.type"=USER_LOGIN hostname=$field2$ | bin size bins=30 | timechart count by hostname</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top Sudoers</title>
      <table>
        <search>
          <query>index=* extracted_source="/var/log/secure" sudoer!=nrpe hostname=$field2$ | stats count by sudoer command | sort - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Sudoers</title>
      <viz type="simple_xml_examples.tagcloud">
        <search>
          <query>index=* "su" extracted_source="/var/log/secure" hostname=$field2$ | stats count by sudoer</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="simple_xml_examples.tagcloud.labelField">sudoer</option>
        <option name="simple_xml_examples.tagcloud.maxFontSize">36</option>
        <option name="simple_xml_examples.tagcloud.minFontSize">8</option>
        <option name="simple_xml_examples.tagcloud.valueField">count</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    <panel>
      <title>Auditd Top Accounts</title>
      <viz type="simple_xml_examples.tagcloud">
        <search>
          <query>index=* "su" audit.log.acct=* extracted_source="/var/log/audit/audit.log" hostname=$field2$ | top audit.log.acct</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="simple_xml_examples.tagcloud.labelField">audit.log.acct</option>
        <option name="simple_xml_examples.tagcloud.maxFontSize">48</option>
        <option name="simple_xml_examples.tagcloud.minFontSize">12</option>
        <option name="simple_xml_examples.tagcloud.valueField">count</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <title>Sudo count by User By Command By Host</title>
      <table>
        <search>
          <query>index=* "su" extracted_source="/var/log/secure" hostname=$field2$ | stats count by sudoer command hostname</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
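As an added example (not part of the shared dashboard, and not Splunk code), the Python script below reproduces offline the aggregations behind the "Failed Auth by Host", "Audit Auth Logs By GeoIp" (source addresses only, without the iplocation lookup) and sudo panels, run over constructed audit.log and /var/log/secure lines written in the standard auditd and sudo syslog formats. Two assumptions are made: each audit event carries a host tag standing in for the host metadata Splunk adds at ingest, and the Environment dropdown is treated as a glob over that hostname (the dropdown's *dev* / *prd* values). Field names such as audit.res, audit.type and sudoer are whatever the site's add-on extracts, so the raw-line parsing here is a way to confirm what the searches expect before loading the XML.

```python
import fnmatch
import re
from collections import Counter

# Constructed sample data (not real logs). Each audit event is tagged with the
# host it came from, standing in for the host metadata Splunk adds at ingest.
AUDIT_EVENTS = [
    ("web-prd-01", "type=USER_LOGIN msg=audit(1700000000.101:201): pid=1201 uid=0 auid=1000 ses=3 "
                   "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.10 terminal=ssh res=success'"),
    ("web-prd-01", "type=USER_LOGIN msg=audit(1700000000.202:202): pid=1202 uid=0 auid=4294967295 ses=4294967295 "
                   "msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.7 terminal=ssh res=failed'"),
    ("web-prd-01", "type=USER_LOGIN msg=audit(1700000000.303:203): pid=1203 uid=0 auid=4294967295 ses=4294967295 "
                   "msg='op=login acct=\"admin\" exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.7 terminal=ssh res=failed'"),
    ("db-dev-01", "type=USER_LOGIN msg=audit(1700000000.404:204): pid=1204 uid=0 auid=4294967295 ses=4294967295 "
                  "msg='op=login acct=\"postgres\" exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.7 terminal=ssh res=failed'"),
    ("db-dev-01", "type=USER_START msg=audit(1700000000.505:205): pid=1205 uid=0 auid=1000 ses=4 "
                  "msg='op=PAM:session_open exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.10 terminal=ssh res=success'"),
]

# Constructed /var/log/secure lines; the last one is a PAM session line, not a sudo command.
SECURE_LINES = [
    "Nov 14 22:13:20 web-prd-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Nov 14 22:13:25 web-prd-01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /var/log/secure",
    "Nov 14 22:14:00 db-dev-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Nov 14 22:14:10 db-dev-01 sudo:     nrpe : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10%",
    "Nov 14 22:14:11 db-dev-01 sudo: pam_unix(sudo:session): session opened for user root by nrpe(uid=0)",
]

# key=value pairs; values may be single-quoted (the nested msg='...' payload), double-quoted, or bare.
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_audit_line(line):
    """Flatten one auditd record into a dict. Fields inside the msg='...'
    payload (acct, addr, terminal, res, ...) are lifted to the top level."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith("'") and value.endswith("'"):
            for inner_key, inner_value in KV_RE.findall(value[1:-1]):
                fields[inner_key] = inner_value.strip('"')
        else:
            fields[key] = value
    return fields


def failed_logins_by_host(events, env_glob="*"):
    """'Failed Auth by Host' panel: USER_LOGIN records with res=failed, counted per host,
    restricted to hosts matching the Environment glob (assumed to apply to the hostname)."""
    counts = Counter()
    for host, line in events:
        if not fnmatch.fnmatchcase(host, env_glob):
            continue
        rec = parse_audit_line(line)
        if rec.get("type") == "USER_LOGIN" and rec.get("res") == "failed":
            counts[host] += 1
    return dict(counts)


def ssh_login_sources(events):
    """Source addresses of successful ssh logins, i.e. what the GeoIp panel feeds
    into iplocation (terminal=ssh stands in for the search's free-text "ssh")."""
    counts = Counter()
    for _host, line in events:
        rec = parse_audit_line(line)
        if rec.get("type") == "USER_LOGIN" and rec.get("res") == "success" and rec.get("terminal") == "ssh":
            counts[rec["addr"]] += 1
    return dict(counts)


# syslog header, host, then the sudo command record "user : TTY=... ; ... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sudo:\s+(?P<sudoer>\S+)\s+:\s+"
    r".*?COMMAND=(?P<command>.*)$"
)


def parse_secure_line(line):
    """Return {host, sudoer, command} for a sudo command line, or None for other sudo lines."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def sudo_counts(lines, env_glob="*", exclude=("nrpe",), by_host=True):
    """by_host=True mirrors 'Sudo count by User By Command By Host'; by_host=False with the
    default exclude mirrors 'Top Sudoers' (stats count by sudoer command, sudoer!=nrpe)."""
    counts = Counter()
    for line in lines:
        rec = parse_secure_line(line)
        if rec is None or rec["sudoer"] in exclude:
            continue
        if not fnmatch.fnmatchcase(rec["host"], env_glob):
            continue
        key = (rec["sudoer"], rec["command"])
        if by_host:
            key += (rec["host"],)
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    print("failed logins by host:", failed_logins_by_host(AUDIT_EVENTS))
    print("failed logins, PROD only:", failed_logins_by_host(AUDIT_EVENTS, "*prd*"))
    print("ssh login sources:", ssh_login_sources(AUDIT_EVENTS))
    print("top sudoers:", sudo_counts(SECURE_LINES, by_host=False))
    print("sudo by user/command/host:", sudo_counts(SECURE_LINES, exclude=()))
```

The PAM session line in the sample is deliberately not matched by SUDO_RE: a search on `"su"` over /var/log/secure pulls those lines in too, so a `sudoer` extraction that does not anchor on the `COMMAND=` record will produce empty values in the tag cloud.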
Hi, there is some issue with the XML.
gbr,
I’m testing the xml and have no issues. Feel free to join our discord and let us know your issue! https://discord.gg/fFJhGPw
Hi SplunkNinja:
I attempted this in Splunk as well but nothing loaded in the dashboard. I tinkered with the XML, and still nothing. What version of Linux was this written for?
It’s written for 7.2.3. What do you see when you try and load one of the searches?
I realized I had to change a lot of the queries for the results to show. I had to remove Trellis. I got it to work; the GeoIP map was useful to detect remote SSH.
How can I achieve this with no XML file? I have a sourcetype and index but no XML file. I can't use any add-on or ingest files. I have to use the sourcetype and the index they provided to me that already live in Splunk. I am able to get visuals, but no data is populating. Any help would be greatly appreciated.