{ "annotations": { "list": [ { "builtIn": 1, "datasource": { "type": "grafana", "uid": "-- Grafana --" }, "enable": true, "hide": true, "iconColor": "rgba(0, 211, 255, 1)", "name": "Annotations & Alerts", "target": { "limit": 100, "matchAny": false, "tags": [], "type": "dashboard" }, "type": "dashboard" } ] }, "description": "Loki v2 SSH Logs", "editable": true, "fiscalYearStartMonth": 0, "gnetId": 17514, "graphTooltip": 0, "id": 1, "links": [], "liveNow": false, "panels": [ { "collapsed": false, "gridPos": { "h": 1, "w": 24, "x": 0, "y": 0 }, "id": 5, "panels": [], "title": "SSH - Total Stats", "type": "row" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "description": "", "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "mappings": [ { "options": { "match": "null", "result": { "index": 0, "text": "0" } }, "type": "special" } ], "thresholds": { "mode": "absolute", "steps": [ { "color": "purple", "value": null } ] }, "unit": "short" }, "overrides": [] }, "gridPos": { "h": 4, "w": 6, "x": 0, "y": 1 }, "id": 2, "options": { "colorMode": "background", "graphMode": "none", "justifyMode": "center", "orientation": "auto", "reduceOptions": { "calcs": [ "sum" ], "fields": "", "values": false }, "textMode": "auto" }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "sum by(instance) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | __error__=\"\" [$__interval]))", "queryType": "range", "refId": "A" } ], "title": "Total Opened Connection", "type": "stat" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "description": "", "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "mappings": [ { "options": { "match": "null", "result": { "index": 0, "text": "0" } }, "type": "special" } ], "thresholds": { "mode": "absolute", "steps": [ { "color": "purple", "value": null }, { "color": "red", "value": 1 } ] }, "unit": "short" }, "overrides": [] }, "gridPos": { "h": 4, "w": 3, "x": 6, "y": 1 }, "id": 3, "options": { "colorMode": "background", "graphMode": "none", "justifyMode": "center", "orientation": "auto", "reduceOptions": { "calcs": [ "sum" ], "fields": "", "values": false }, "textMode": "auto" }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "sum by(instance) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Failed|: Invalid|: Connection closed by authenticating user\" | __error__=\"\" [$__interval]))", "hide": false, "queryType": "range", "refId": "A" } ], "title": "Total Failed Connection", "transformations": [ { "id": "merge", "options": {} } ], "type": "stat" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "fieldConfig": { "defaults": { "mappings": [ { "options": { "match": "null", "result": { "index": 0, "text": "0" } }, "type": "special" } ], "thresholds": { "mode": "absolute", "steps": [ { "color": "purple", "value": null }, { "color": "red", "value": 1 } ] }, "unit": "short" }, "overrides": [] }, "gridPos": { "h": 4, "w": 3, "x": 9, "y": 1 }, "id": 21, "options": { "colorMode": "background", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": { "calcs": [ "count" ], "fields": "/^IP$/", "values": false }, "textMode": "auto" }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" |~\".* from .*\" | pattern `<_> from port` | __error__=\"\" [$__interval]))", "hide": false, "legendFormat": "{{ ip }}", "queryType": "range", "refId": "A", "resolution": 1 }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" !~\".* from .*\" | pattern `<_> user <_> port` | __error__=\"\" [$__interval]))", "hide": false, "legendFormat": "{{ ip }}", "queryType": "range", "refId": "B" } ], "title": "Total Failed - Unique IP", "transformations": [ { "id": "labelsToFields", "options": { "mode": "rows", "valueLabel": "ip" } }, { "id": "merge", "options": {} }, { "id": "organize", "options": { "excludeByName": { "178.40.119.51": false, "194.154.240.221": false, "label": true }, "indexByName": {}, "renameByName": { "value": "IP" } } } ], "type": "stat" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "description": "", "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "mappings": [ { "options": { "match": "null", "result": { "index": 0, "text": "0" } }, "type": "special" } ], "thresholds": { "mode": "absolute", "steps": [ { "color": "orange", "value": null } ] }, "unit": "short" }, "overrides": [] }, "gridPos": { "h": 4, "w": 3, "x": 12, "y": 1 }, "id": 6, "options": { "colorMode": "background", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": { "calcs": [ "sum" ], "fields": "", "values": false }, "textMode": "auto" }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" | drop geoip_city_name, geoip_continent_code, geoip_continent_name, geoip_country_name, geoip_location_latitude, geoip_location_longitude, geoip_postal_code, geoip_subdivision_code, geoip_subdivision_name, geoip_timezone, ip | __error__=\"\" [$__interval])", "queryType": "range", "refId": "A" } ], "title": "SSH Log Lines", "transformations": [ { "id": "concatenate", "options": { "frameNameLabel": "frame", "frameNameMode": "field" } } ], "type": "stat" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "description": "", "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "mappings": [ { "options": { "match": "null", "result": { "index": 0, "text": "0" } }, "type": "special" } ], "thresholds": { "mode": "absolute", "steps": [ { "color": "orange", "value": null } ] }, "unit": "decbytes" }, "overrides": [] }, "gridPos": { "h": 4, "w": 3, "x": 15, "y": 1 }, "id": 7, "options": { "colorMode": "background", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": { "calcs": [ "sum" ], "fields": "", "values": false }, "textMode": "auto" }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "bytes_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" | drop geoip_city_name, geoip_continent_code, geoip_continent_name, geoip_country_name, geoip_location_latitude, geoip_location_longitude, geoip_postal_code, geoip_subdivision_code, geoip_subdivision_name, geoip_timezone, ip | __error__=\"\" [$__interval])", "queryType": "range", "refId": "A" } ], "title": "SSH Log in bytes", "type": "stat" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { "hideFrom": { "legend": false, "tooltip": false, "viz": false } }, "mappings": [] }, "overrides": [] }, "gridPos": { "h": 9, "w": 6, "x": 0, "y": 5 }, "id": 15, "options": { "displayLabels": [], "legend": { "displayMode": "table", "placement": "right", "showLegend": true, "values": [ "value", "percent" ] }, "pieType": "donut", "reduceOptions": { "calcs": [ "sum" ], "fields": "", "values": false }, "tooltip": { "mode": "multi", "sort": "none" } }, "pluginVersion": "9.2.5", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user (` | username !~\".* by \" | __error__=\"\" [$__interval]))", "hide": false, "legendFormat": "{{ username }}", "queryType": "range", "refId": "A" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user <_>` | username !~\".*(uid=.*)\" | __error__=\"\" [$__interval]))", "hide": false, "legendFormat": "{{ username }}", "queryType": "range", "refId": "B" } ], "title": "Session Opened by User", "transformations": [], "type": "piechart" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { "hideFrom": { "legend": false, "tooltip": false, "viz": false } }, "mappings": [] }, "overrides": [] }, "gridPos": { "h": 9, "w": 6, "x": 6, "y": 5 }, "id": 16, "options": { "displayLabels": [], "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true, "values": [ "value", "percent" ] }, "pieType": "donut", "reduceOptions": { "calcs": [ "sum" ], "fields": "", "values": false }, "tooltip": { "mode": "multi", "sort": "none" } }, "pluginVersion": "9.2.5", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed .* user\" | pattern `<_> user <_> port` | __error__=\"\" [$__interval]))", "hide": false, "legendFormat": "{{ username }}", "queryType": "range", "refId": "A" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Failed\" !~\"invalid user\" | pattern `<_> for from <_> port` | __error__=\"\" [$__interval]))", "hide": false, "legendFormat": "{{ username }}", "queryType": "range", "refId": "B" } ], "title": "Failed Attempt by User", "transformations": [ { "id": "joinByLabels", "options": { "value": "username" } } ], "type": "piechart" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "gridPos": { "h": 16, "w": 12, "x": 12, "y": 5 }, "id": 9, "options": { "dedupStrategy": "signature", "enableLogDetails": true, "prettifyLogMessage": false, "showCommonLabels": false, "showLabels": false, "showTime": false, "sortOrder": "Descending", "wrapLogMessage": false }, "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |= `sshd[` != `pam` |= `from`", "queryType": "range", "refId": "A" } ], "title": "SSH Recent Log", "type": "logs" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "fieldConfig": { "defaults": { "custom": { "align": "auto", "cellOptions": { "type": "auto" }, "filterable": true, "inspect": false }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null } ] } }, "overrides": [] }, "gridPos": { "h": 7, "w": 6, "x": 0, "y": 14 }, "id": 22, "options": { "cellHeight": "sm", "footer": { "countRows": false, "fields": "", "reducer": [ "sum" ], "show": false }, "frameIndex": 0, "showHeader": true }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Accepted\" | pattern `<_> Accepted <_> for <_> from port <_>` | __error__=\"\" [$__interval]))", "hide": false, "legendFormat": "{{ ip }}", "queryType": "range", "refId": "A", "resolution": 1 } ], "title": "Session Opened by Unique IP", "transformations": [ { "id": "labelsToFields", "options": { "mode": "rows" } }, { "id": "merge", "options": {} }, { "id": "organize", "options": { "excludeByName": { "label": true }, "indexByName": {}, "renameByName": { "value": "IP" } } } ], "type": "table" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "fieldConfig": { "defaults": { "custom": { "align": "auto", "cellOptions": { "type": "auto" }, "filterable": true, "inspect": false }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null } ] } }, "overrides": [] }, "gridPos": { "h": 7, "w": 6, "x": 6, "y": 14 }, "id": 19, "options": { "cellHeight": "sm", "footer": { "countRows": false, "fields": "", "reducer": [ "sum" ], "show": false }, "frameIndex": 0, "showHeader": true }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" |~\".* from .*\" | pattern `<_> from port` | __error__=\"\" [$__interval]))", "hide": false, "legendFormat": "{{ ip }}", "queryType": "range", "refId": "A", "resolution": 1 }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" !~\".* from .*\" | pattern `<_> user <_> port` | __error__=\"\" [$__interval]))", "hide": false, "legendFormat": "{{ ip }}", "queryType": "range", "refId": "B" } ], "title": "Failed by Unique IP", "transformations": [ { "id": "labelsToFields", "options": { "mode": "rows" } }, { "id": "merge", "options": {} }, { "id": "organize", "options": { "excludeByName": { "label": true }, "indexByName": {}, "renameByName": { "value": "IP" } } } ], "type": "table" }, { "collapsed": false, "gridPos": { "h": 1, "w": 24, "x": 0, "y": 21 }, "id": 11, "panels": [], "title": "Detailed Stats", "type": "row" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "fieldConfig": { "defaults": { "custom": { "align": "auto", "cellOptions": { "type": "auto" }, "filterable": true, "inspect": false }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null } ] } }, "overrides": [] }, "gridPos": { "h": 10, "w": 12, "x": 0, "y": 22 }, "id": 20, "maxDataPoints": 1, "options": { "cellHeight": "sm", "footer": { "countRows": false, "fields": "", "reducer": [ "sum" ], "show": false }, "showHeader": true }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Accepted\" | pattern `<_> Accepted <_> for from port <_>` | __error__=\"\"", "hide": false, "legendFormat": "{{ ip }} {{ username }}", "queryType": "range", "refId": "A", "resolution": 1 } ], "title": "Session Opened by User and IP", "transformations": [ { "id": "merge", "options": {} }, { "id": "extractFields", "options": { "format": "auto", "replace": false, "source": "labels" } }, { "id": "organize", "options": { "excludeByName": { "Line": true, "Time": false, "env": true, "filename": true, "id": true, "job": true, "label": true, "labels": true, "tsNs": true }, "indexByName": {}, "renameByName": { "label": "", "value": "" } } }, { "id": "sortBy", "options": { "fields": {}, "sort": [ { "desc": true, "field": "Time" } ] } } ], "type": "table" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "custom": { "align": "auto", "cellOptions": { "type": "auto" }, "filterable": true, "inspect": false }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null } ] } }, "overrides": [] }, "gridPos": { "h": 10, "w": 12, "x": 12, "y": 22 }, "id": 23, "options": { "cellHeight": "sm", "footer": { "countRows": false, "fields": "", "reducer": [ "sum" ], "show": false }, "showHeader": true }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Failed .* user\" | pattern `<_> user from <_> port` | __error__=\"\"", "hide": false, "queryType": "range", "refId": "A" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Failed\" !~\"invalid user\" | pattern `<_> for from port` | __error__=\"\"", "hide": false, "queryType": "range", "refId": "B" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Connection closed by authenticating user\" | pattern `<_> user port` | __error__=\"\"", "hide": false, "queryType": "range", "refId": "C" } ], "title": "SSH Failure by User and IP", "transformations": [ { "id": "merge", "options": {} }, { "id": "extractFields", "options": { "format": "auto", "replace": false, "source": "labels" } }, { "id": "organize", "options": { "excludeByName": { "Line": true, "env": true, "filename": true, "id": true, "job": true, "labels": true, "tsNs": true }, "indexByName": {}, "renameByName": { "Time": "", "env": "", "instance": "", "job": "", "tsNs": "" } } }, { "id": "sortBy", "options": { "fields": {}, "sort": [ { "desc": true, "field": "Time" } ] } } ], "type": "table" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "custom": { "align": "auto", "cellOptions": { "type": "auto" }, "filterable": true, "inspect": false }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green" } ] } }, "overrides": [] }, "gridPos": { "h": 10, "w": 12, "x": 0, "y": 32 }, "id": 13, "options": { "cellHeight": "sm", "footer": { "countRows": false, "fields": "", "reducer": [ "sum" ], "show": false }, "showHeader": true }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user (` | username !~\".* by \" | __error__=\"\"", "hide": false, "queryType": "range", "refId": "A" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user <_>` | username !~\".*(uid=.*)\" | __error__=\"\"", "hide": false, "queryType": "range", "refId": "B" } ], "title": "SSH Session Opened by User", "transformations": [ { "id": "merge", "options": {} }, { "id": "extractFields", "options": { "format": "auto", "replace": false, "source": "labels" } }, { "id": "organize", "options": { "excludeByName": { "Line": true, "env": true, "filename": true, "id": true, "job": true, "labels": true, "tsNs": true }, "indexByName": {}, "renameByName": { "Time": "", "env": "", "instance": "", "job": "", "tsNs": "" } } }, { "id": "sortBy", "options": { "fields": {}, "sort": [ { "desc": true, "field": "Time" } ] } } ], "type": "table" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "custom": { "align": "auto", "cellOptions": { "type": "auto" }, "filterable": true, "inspect": false }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green" } ] } }, "overrides": [] }, "gridPos": { "h": 10, "w": 12, "x": 12, "y": 32 }, "id": 14, "options": { "cellHeight": "sm", "footer": { "countRows": false, "fields": "", "reducer": [ "sum" ], "show": false }, "showHeader": true }, "pluginVersion": "10.2.0", "targets": [ { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed .* user\" | pattern `<_> user <_> port` | __error__=\"\"", "hide": false, "queryType": "range", "refId": "A" }, { "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "editorMode": "code", "expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Failed\" !~\"invalid user\" | pattern `<_> for from <_> port` | __error__=\"\"", "hide": false, "queryType": "range", "refId": "B" } ], "title": "SSH Failure by User", "transformations": [ { "id": "merge", "options": {} }, { "id": "extractFields", "options": { "format": "auto", "replace": false, "source": "labels" } }, { "id": "organize", "options": { "excludeByName": { "Line": true, "env": true, "filename": true, "id": true, "job": true, "labels": true, "tsNs": true }, "indexByName": {}, "renameByName": { "Time": "", "env": "", "instance": "", "job": "", "tsNs": "" } } }, { "id": "sortBy", "options": { "fields": {}, "sort": [ { "desc": true, "field": "Time" } ] } } ], "type": "table" } ], "refresh": "", "revision": 2, "schemaVersion": 38, "tags": [ "loki", "linux", "ssh" ], "templating": { "list": [ { "current": { "selected": false, "text": "locker98", "value": "locker98" }, "datasource": { "type": "loki", "uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f" }, "definition": "", "hide": 0, "includeAll": false, "label": "host", "multi": false, "name": "host", "options": [], "query": { "label": "host", "refId": "LokiVariableQueryEditor-VariableQuery", "stream": "{filename=\"/var/log/auth.log\"}", "type": 1 }, "refresh": 1, "regex": "", "skipUrlSync": false, "sort": 0, "type": "query" } ] }, "time": { "from": "now-24h", "to": "now" }, "timepicker": {}, "timezone": "", "title": "SSH Logs", "uid": "OMEuTfqVk", "version": 14, "weekStart": "" }