
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"description": "SSH authentication activity for the selected host, built from sshd entries in /var/log/auth.log shipped to Loki. Every panel filters on the stream labels filename=/var/log/auth.log and host, so a host that does not ship that file with those labels shows no data. All counters are log-line counts, not de-duplicated connections or attempts.",
"editable": true,
"fiscalYearStartMonth": 0,
"gnetId": 17514,
"graphTooltip": 0,
"id": 1,
"links": [],
"liveNow": false,
"panels": [
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"id": 5,
"panels": [],
"title": "SSH - Total Stats",
"type": "row"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"description": "Count of sshd lines containing ': session opened for' in the selected range. Each matching log line is counted once; this is not a count of distinct clients or users (see Session Opened by Unique IP and Session Opened by User for those).",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"match": "null",
"result": {
"index": 0,
"text": "0"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "purple",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 6,
"x": 0,
"y": 1
},
"id": 2,
"options": {
"colorMode": "background",
"graphMode": "none",
"justifyMode": "center",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"sum"
],
"fields": "",
"values": false
},
"textMode": "auto"
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "sum by(instance) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | __error__=\"\" [$__interval]))",
"queryType": "range",
"refId": "A"
}
],
"title": "Total Opened Connections",
"type": "stat"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"description": "Count of sshd lines matching ': Failed', ': Invalid' or ': Connection closed by authenticating user'. This is a line count, not a count of distinct attempts or source addresses; a single attempt may emit more than one of these lines. Treat it as an activity indicator and use the unique-IP and per-user panels to scope an investigation.",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"match": "null",
"result": {
"index": 0,
"text": "0"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "purple",
"value": null
},
{
"color": "red",
"value": 1
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 3,
"x": 6,
"y": 1
},
"id": 3,
"options": {
"colorMode": "background",
"graphMode": "none",
"justifyMode": "center",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"sum"
],
"fields": "",
"values": false
},
"textMode": "auto"
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "sum by(instance) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Failed|: Invalid|: Connection closed by authenticating user\" | __error__=\"\" [$__interval]))",
"hide": false,
"queryType": "range",
"refId": "A"
}
],
"title": "Total Failed Connections",
"transformations": [
{
"id": "merge",
"options": {}
}
],
"type": "stat"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"fieldConfig": {
"defaults": {
"mappings": [
{
"options": {
"match": "null",
"result": {
"index": 0,
"text": "0"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "purple",
"value": null
},
{
"color": "red",
"value": 1
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 3,
"x": 9,
"y": 1
},
"id": 21,
"options": {
"colorMode": "background",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"count"
],
"fields": "/^IP$/",
"values": false
},
"textMode": "auto"
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" |~\".* from .*\" | pattern `<_> from <ip> port` | __error__=\"\" [$__interval]))",
"hide": false,
"legendFormat": "{{ ip }}",
"queryType": "range",
"refId": "A",
"resolution": 1
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" !~\".* from .*\" | pattern `<_> user <_> <ip> port` | __error__=\"\" [$__interval]))",
"hide": false,
"legendFormat": "{{ ip }}",
"queryType": "range",
"refId": "B"
}
],
"title": "Total Failed - Unique IP",
"transformations": [
{
"id": "labelsToFields",
"options": {
"mode": "rows",
"valueLabel": "ip"
}
},
{
"id": "merge",
"options": {}
},
{
"id": "organize",
"options": {
"excludeByName": {
"178.40.119.51": false,
"194.154.240.221": false,
"label": true
},
"indexByName": {},
"renameByName": {
"value": "IP"
}
}
}
],
"type": "stat"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"description": "Total number of sshd log lines in /var/log/auth.log for the selected host. The query drops the geoip_* and ip labels so the total is reported as one series instead of being split per extracted label.",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"match": "null",
"result": {
"index": 0,
"text": "0"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "orange",
"value": null
}
]
},
"unit": "short"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 3,
"x": 12,
"y": 1
},
"id": 6,
"options": {
"colorMode": "background",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"sum"
],
"fields": "",
"values": false
},
"textMode": "auto"
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" | drop geoip_city_name, geoip_continent_code, geoip_continent_name, geoip_country_name, geoip_location_latitude, geoip_location_longitude, geoip_postal_code, geoip_subdivision_code, geoip_subdivision_name, geoip_timezone, ip | __error__=\"\" [$__interval])",
"queryType": "range",
"refId": "A"
}
],
"title": "SSH Log Lines",
"transformations": [
{
"id": "concatenate",
"options": {
"frameNameLabel": "frame",
"frameNameMode": "field"
}
}
],
"type": "stat"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"description": "Total size in bytes of sshd log lines in /var/log/auth.log for the selected host, using the same geoip_*/ip label drop as SSH Log Lines so the value is a single series.",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"match": "null",
"result": {
"index": 0,
"text": "0"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "orange",
"value": null
}
]
},
"unit": "decbytes"
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 3,
"x": 15,
"y": 1
},
"id": 7,
"options": {
"colorMode": "background",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"sum"
],
"fields": "",
"values": false
},
"textMode": "auto"
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "bytes_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" | drop geoip_city_name, geoip_continent_code, geoip_continent_name, geoip_country_name, geoip_location_latitude, geoip_location_longitude, geoip_postal_code, geoip_subdivision_code, geoip_subdivision_name, geoip_timezone, ip | __error__=\"\" [$__interval])",
"queryType": "range",
"refId": "A"
}
],
"title": "SSH Log in bytes",
"type": "stat"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
}
},
"mappings": []
},
"overrides": []
},
"gridPos": {
"h": 9,
"w": 6,
"x": 0,
"y": 5
},
"id": 15,
"options": {
"displayLabels": [],
"legend": {
"displayMode": "table",
"placement": "right",
"showLegend": true,
"values": [
"value",
"percent"
]
},
"pieType": "donut",
"reduceOptions": {
"calcs": [
"sum"
],
"fields": "",
"values": false
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
"pluginVersion": "9.2.5",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user <username>(` | username !~\".* by \" | __error__=\"\" [$__interval]))",
"hide": false,
"legendFormat": "{{ username }}",
"queryType": "range",
"refId": "A"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user <username> <_>` | username !~\".*(uid=.*)\" | __error__=\"\" [$__interval]))",
"hide": false,
"legendFormat": "{{ username }}",
"queryType": "range",
"refId": "B"
}
],
"title": "Session Opened by User",
"transformations": [],
"type": "piechart"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
}
},
"mappings": []
},
"overrides": []
},
"gridPos": {
"h": 9,
"w": 6,
"x": 6,
"y": 5
},
"id": 16,
"options": {
"displayLabels": [],
"legend": {
"displayMode": "table",
"placement": "bottom",
"showLegend": true,
"values": [
"value",
"percent"
]
},
"pieType": "donut",
"reduceOptions": {
"calcs": [
"sum"
],
"fields": "",
"values": false
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
"pluginVersion": "9.2.5",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed .* user\" | pattern `<_> user <username> <_> port` | __error__=\"\" [$__interval]))",
"hide": false,
"legendFormat": "{{ username }}",
"queryType": "range",
"refId": "A"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Failed\" !~\"invalid user\" | pattern `<_> for <username> from <_> port` | __error__=\"\" [$__interval]))",
"hide": false,
"legendFormat": "{{ username }}",
"queryType": "range",
"refId": "B"
}
],
"title": "Failed Attempts by User",
"transformations": [
{
"id": "joinByLabels",
"options": {
"value": "username"
}
}
],
"type": "piechart"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"gridPos": {
"h": 16,
"w": 12,
"x": 12,
"y": 5
},
"id": 9,
"options": {
"dedupStrategy": "signature",
"enableLogDetails": true,
"prettifyLogMessage": false,
"showCommonLabels": false,
"showLabels": false,
"showTime": false,
"sortOrder": "Descending",
"wrapLogMessage": false
},
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |= `sshd[` != `pam` |= `from`",
"queryType": "range",
"refId": "A"
}
],
"title": "SSH Recent Log",
"type": "logs"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"fieldConfig": {
"defaults": {
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true,
"inspect": false
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 7,
"w": 6,
"x": 0,
"y": 14
},
"id": 22,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"frameIndex": 0,
"showHeader": true
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Accepted\" | pattern `<_> Accepted <_> for <_> from <ip> port <_>` | __error__=\"\" [$__interval]))",
"hide": false,
"legendFormat": "{{ ip }}",
"queryType": "range",
"refId": "A",
"resolution": 1
}
],
"title": "Session Opened by Unique IP",
"transformations": [
{
"id": "labelsToFields",
"options": {
"mode": "rows"
}
},
{
"id": "merge",
"options": {}
},
{
"id": "organize",
"options": {
"excludeByName": {
"label": true
},
"indexByName": {},
"renameByName": {
"value": "IP"
}
}
}
],
"type": "table"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"fieldConfig": {
"defaults": {
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true,
"inspect": false
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 7,
"w": 6,
"x": 6,
"y": 14
},
"id": 19,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"frameIndex": 0,
"showHeader": true
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" |~\".* from .*\" | pattern `<_> from <ip> port` | __error__=\"\" [$__interval]))",
"hide": false,
"legendFormat": "{{ ip }}",
"queryType": "range",
"refId": "A",
"resolution": 1
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" !~\".* from .*\" | pattern `<_> user <_> <ip> port` | __error__=\"\" [$__interval]))",
"hide": false,
"legendFormat": "{{ ip }}",
"queryType": "range",
"refId": "B"
}
],
"title": "Failed by Unique IP",
"transformations": [
{
"id": "labelsToFields",
"options": {
"mode": "rows"
}
},
{
"id": "merge",
"options": {}
},
{
"id": "organize",
"options": {
"excludeByName": {
"label": true
},
"indexByName": {},
"renameByName": {
"value": "IP"
}
}
}
],
"type": "table"
},
{
"collapsed": false,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 21
},
"id": 11,
"panels": [],
"title": "Detailed Stats",
"type": "row"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"fieldConfig": {
"defaults": {
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true,
"inspect": false
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 22
},
"id": 20,
"maxDataPoints": 1,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"showHeader": true
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Accepted\" | pattern `<_> Accepted <_> for <username> from <ip> port <_>` | __error__=\"\"",
"hide": false,
"legendFormat": "{{ ip }} {{ username }}",
"queryType": "range",
"refId": "A",
"resolution": 1
}
],
"title": "Session Opened by User and IP",
"transformations": [
{
"id": "merge",
"options": {}
},
{
"id": "extractFields",
"options": {
"format": "auto",
"replace": false,
"source": "labels"
}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Line": true,
"Time": false,
"env": true,
"filename": true,
"id": true,
"job": true,
"label": true,
"labels": true,
"tsNs": true
},
"indexByName": {},
"renameByName": {
"label": "",
"value": ""
}
}
},
{
"id": "sortBy",
"options": {
"fields": {},
"sort": [
{
"desc": true,
"field": "Time"
}
]
}
}
],
"type": "table"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true,
"inspect": false
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 12,
"y": 22
},
"id": 23,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"showHeader": true
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Failed .* user\" | pattern `<_> user <username> from <ip> <_> port` | __error__=\"\"",
"hide": false,
"queryType": "range",
"refId": "A"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Failed\" !~\"invalid user\" | pattern `<_> for <username> from <ip> port` | __error__=\"\"",
"hide": false,
"queryType": "range",
"refId": "B"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Connection closed by authenticating user\" | pattern `<_> user <username> <ip> port` | __error__=\"\"",
"hide": false,
"queryType": "range",
"refId": "C"
}
],
"title": "SSH Failure by User and IP",
"transformations": [
{
"id": "merge",
"options": {}
},
{
"id": "extractFields",
"options": {
"format": "auto",
"replace": false,
"source": "labels"
}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Line": true,
"env": true,
"filename": true,
"id": true,
"job": true,
"labels": true,
"tsNs": true
},
"indexByName": {},
"renameByName": {
"Time": "",
"env": "",
"instance": "",
"job": "",
"tsNs": ""
}
}
},
{
"id": "sortBy",
"options": {
"fields": {},
"sort": [
{
"desc": true,
"field": "Time"
}
]
}
}
],
"type": "table"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true,
"inspect": false
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 32
},
"id": 13,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"showHeader": true
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user <username>(` | username !~\".* by \" | __error__=\"\"",
"hide": false,
"queryType": "range",
"refId": "A"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user <username> <_>` | username !~\".*(uid=.*)\" | __error__=\"\"",
"hide": false,
"queryType": "range",
"refId": "B"
}
],
"title": "SSH Session Opened by User",
"transformations": [
{
"id": "merge",
"options": {}
},
{
"id": "extractFields",
"options": {
"format": "auto",
"replace": false,
"source": "labels"
}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Line": true,
"env": true,
"filename": true,
"id": true,
"job": true,
"labels": true,
"tsNs": true
},
"indexByName": {},
"renameByName": {
"Time": "",
"env": "",
"instance": "",
"job": "",
"tsNs": ""
}
}
},
{
"id": "sortBy",
"options": {
"fields": {},
"sort": [
{
"desc": true,
"field": "Time"
}
]
}
}
],
"type": "table"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"filterable": true,
"inspect": false
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 12,
"y": 32
},
"id": 14,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"showHeader": true
},
"pluginVersion": "10.2.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed .* user\" | pattern `<_> user <username> <_> port` | __error__=\"\"",
"hide": false,
"queryType": "range",
"refId": "A"
},
{
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"editorMode": "code",
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Failed\" !~\"invalid user\" | pattern `<_> for <username> from <_> port` | __error__=\"\"",
"hide": false,
"queryType": "range",
"refId": "B"
}
],
"title": "SSH Failure by User",
"transformations": [
{
"id": "merge",
"options": {}
},
{
"id": "extractFields",
"options": {
"format": "auto",
"replace": false,
"source": "labels"
}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Line": true,
"env": true,
"filename": true,
"id": true,
"job": true,
"labels": true,
"tsNs": true
},
"indexByName": {},
"renameByName": {
"Time": "",
"env": "",
"instance": "",
"job": "",
"tsNs": ""
}
}
},
{
"id": "sortBy",
"options": {
"fields": {},
"sort": [
{
"desc": true,
"field": "Time"
}
]
}
}
],
"type": "table"
}
],
"refresh": "",
"revision": 2,
"schemaVersion": 38,
"tags": [
"loki",
"linux",
"ssh"
],
"templating": {
"list": [
{
"current": {
"selected": false,
"text": "locker98",
"value": "locker98"
},
"datasource": {
"type": "loki",
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
},
"definition": "",
"hide": 0,
"includeAll": false,
"label": "host",
"multi": false,
"name": "host",
"options": [],
"query": {
"label": "host",
"refId": "LokiVariableQueryEditor-VariableQuery",
"stream": "{filename=\"/var/log/auth.log\"}",
"type": 1
},
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"type": "query"
}
]
},
"time": {
"from": "now-24h",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "SSH Logs",
"uid": "OMEuTfqVk",
"version": 14,
"weekStart": ""
}