1443 lines
36 KiB
JSON
1443 lines
36 KiB
JSON
{
|
|
"annotations": {
|
|
"list": [
|
|
{
|
|
"builtIn": 1,
|
|
"datasource": {
|
|
"type": "grafana",
|
|
"uid": "-- Grafana --"
|
|
},
|
|
"enable": true,
|
|
"hide": true,
|
|
"iconColor": "rgba(0, 211, 255, 1)",
|
|
"name": "Annotations & Alerts",
|
|
"target": {
|
|
"limit": 100,
|
|
"matchAny": false,
|
|
"tags": [],
|
|
"type": "dashboard"
|
|
},
|
|
"type": "dashboard"
|
|
}
|
|
]
|
|
},
|
|
"description": "Loki v2 SSH Logs",
|
|
"editable": true,
|
|
"fiscalYearStartMonth": 0,
|
|
"gnetId": 17514,
|
|
"graphTooltip": 0,
|
|
"id": 1,
|
|
"links": [],
|
|
"liveNow": false,
|
|
"panels": [
|
|
{
|
|
"collapsed": false,
|
|
"gridPos": {
|
|
"h": 1,
|
|
"w": 24,
|
|
"x": 0,
|
|
"y": 0
|
|
},
|
|
"id": 5,
|
|
"panels": [],
|
|
"title": "SSH - Total Stats",
|
|
"type": "row"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"description": "",
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"color": {
|
|
"mode": "thresholds"
|
|
},
|
|
"mappings": [
|
|
{
|
|
"options": {
|
|
"match": "null",
|
|
"result": {
|
|
"index": 0,
|
|
"text": "0"
|
|
}
|
|
},
|
|
"type": "special"
|
|
}
|
|
],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "purple",
|
|
"value": null
|
|
}
|
|
]
|
|
},
|
|
"unit": "short"
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 4,
|
|
"w": 6,
|
|
"x": 0,
|
|
"y": 1
|
|
},
|
|
"id": 2,
|
|
"options": {
|
|
"colorMode": "background",
|
|
"graphMode": "none",
|
|
"justifyMode": "center",
|
|
"orientation": "auto",
|
|
"reduceOptions": {
|
|
"calcs": [
|
|
"sum"
|
|
],
|
|
"fields": "",
|
|
"values": false
|
|
},
|
|
"textMode": "auto"
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "sum by(instance) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | __error__=\"\" [$__interval]))",
|
|
"queryType": "range",
|
|
"refId": "A"
|
|
}
|
|
],
|
|
"title": "Total Opened Connection",
|
|
"type": "stat"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"description": "",
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"color": {
|
|
"mode": "thresholds"
|
|
},
|
|
"mappings": [
|
|
{
|
|
"options": {
|
|
"match": "null",
|
|
"result": {
|
|
"index": 0,
|
|
"text": "0"
|
|
}
|
|
},
|
|
"type": "special"
|
|
}
|
|
],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "purple",
|
|
"value": null
|
|
},
|
|
{
|
|
"color": "red",
|
|
"value": 1
|
|
}
|
|
]
|
|
},
|
|
"unit": "short"
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 4,
|
|
"w": 3,
|
|
"x": 6,
|
|
"y": 1
|
|
},
|
|
"id": 3,
|
|
"options": {
|
|
"colorMode": "background",
|
|
"graphMode": "none",
|
|
"justifyMode": "center",
|
|
"orientation": "auto",
|
|
"reduceOptions": {
|
|
"calcs": [
|
|
"sum"
|
|
],
|
|
"fields": "",
|
|
"values": false
|
|
},
|
|
"textMode": "auto"
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "sum by(instance) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Failed|: Invalid|: Connection closed by authenticating user\" | __error__=\"\" [$__interval]))",
|
|
"hide": false,
|
|
"queryType": "range",
|
|
"refId": "A"
|
|
}
|
|
],
|
|
"title": "Total Failed Connection",
|
|
"transformations": [
|
|
{
|
|
"id": "merge",
|
|
"options": {}
|
|
}
|
|
],
|
|
"type": "stat"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"mappings": [
|
|
{
|
|
"options": {
|
|
"match": "null",
|
|
"result": {
|
|
"index": 0,
|
|
"text": "0"
|
|
}
|
|
},
|
|
"type": "special"
|
|
}
|
|
],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "purple",
|
|
"value": null
|
|
},
|
|
{
|
|
"color": "red",
|
|
"value": 1
|
|
}
|
|
]
|
|
},
|
|
"unit": "short"
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 4,
|
|
"w": 3,
|
|
"x": 9,
|
|
"y": 1
|
|
},
|
|
"id": 21,
|
|
"options": {
|
|
"colorMode": "background",
|
|
"graphMode": "none",
|
|
"justifyMode": "auto",
|
|
"orientation": "auto",
|
|
"reduceOptions": {
|
|
"calcs": [
|
|
"count"
|
|
],
|
|
"fields": "/^IP$/",
|
|
"values": false
|
|
},
|
|
"textMode": "auto"
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" |~\".* from .*\" | pattern `<_> from <ip> port` | __error__=\"\" [$__interval]))",
|
|
"hide": false,
|
|
"legendFormat": "{{ ip }}",
|
|
"queryType": "range",
|
|
"refId": "A",
|
|
"resolution": 1
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" !~\".* from .*\" | pattern `<_> user <_> <ip> port` | __error__=\"\" [$__interval]))",
|
|
"hide": false,
|
|
"legendFormat": "{{ ip }}",
|
|
"queryType": "range",
|
|
"refId": "B"
|
|
}
|
|
],
|
|
"title": "Total Failed - Unique IP",
|
|
"transformations": [
|
|
{
|
|
"id": "labelsToFields",
|
|
"options": {
|
|
"mode": "rows",
|
|
"valueLabel": "ip"
|
|
}
|
|
},
|
|
{
|
|
"id": "merge",
|
|
"options": {}
|
|
},
|
|
{
|
|
"id": "organize",
|
|
"options": {
|
|
"excludeByName": {
|
|
"178.40.119.51": false,
|
|
"194.154.240.221": false,
|
|
"label": true
|
|
},
|
|
"indexByName": {},
|
|
"renameByName": {
|
|
"value": "IP"
|
|
}
|
|
}
|
|
}
|
|
],
|
|
"type": "stat"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"description": "",
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"color": {
|
|
"mode": "thresholds"
|
|
},
|
|
"mappings": [
|
|
{
|
|
"options": {
|
|
"match": "null",
|
|
"result": {
|
|
"index": 0,
|
|
"text": "0"
|
|
}
|
|
},
|
|
"type": "special"
|
|
}
|
|
],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "orange",
|
|
"value": null
|
|
}
|
|
]
|
|
},
|
|
"unit": "short"
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 4,
|
|
"w": 3,
|
|
"x": 12,
|
|
"y": 1
|
|
},
|
|
"id": 6,
|
|
"options": {
|
|
"colorMode": "background",
|
|
"graphMode": "none",
|
|
"justifyMode": "auto",
|
|
"orientation": "auto",
|
|
"reduceOptions": {
|
|
"calcs": [
|
|
"sum"
|
|
],
|
|
"fields": "",
|
|
"values": false
|
|
},
|
|
"textMode": "auto"
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" | drop geoip_city_name, geoip_continent_code, geoip_continent_name, geoip_country_name, geoip_location_latitude, geoip_location_longitude, geoip_postal_code, geoip_subdivision_code, geoip_subdivision_name, geoip_timezone, ip | __error__=\"\" [$__interval])",
|
|
"queryType": "range",
|
|
"refId": "A"
|
|
}
|
|
],
|
|
"title": "SSH Log Lines",
|
|
"transformations": [
|
|
{
|
|
"id": "concatenate",
|
|
"options": {
|
|
"frameNameLabel": "frame",
|
|
"frameNameMode": "field"
|
|
}
|
|
}
|
|
],
|
|
"type": "stat"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"description": "",
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"color": {
|
|
"mode": "thresholds"
|
|
},
|
|
"mappings": [
|
|
{
|
|
"options": {
|
|
"match": "null",
|
|
"result": {
|
|
"index": 0,
|
|
"text": "0"
|
|
}
|
|
},
|
|
"type": "special"
|
|
}
|
|
],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "orange",
|
|
"value": null
|
|
}
|
|
]
|
|
},
|
|
"unit": "decbytes"
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 4,
|
|
"w": 3,
|
|
"x": 15,
|
|
"y": 1
|
|
},
|
|
"id": 7,
|
|
"options": {
|
|
"colorMode": "background",
|
|
"graphMode": "none",
|
|
"justifyMode": "auto",
|
|
"orientation": "auto",
|
|
"reduceOptions": {
|
|
"calcs": [
|
|
"sum"
|
|
],
|
|
"fields": "",
|
|
"values": false
|
|
},
|
|
"textMode": "auto"
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "bytes_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" | drop geoip_city_name, geoip_continent_code, geoip_continent_name, geoip_country_name, geoip_location_latitude, geoip_location_longitude, geoip_postal_code, geoip_subdivision_code, geoip_subdivision_name, geoip_timezone, ip | __error__=\"\" [$__interval])",
|
|
"queryType": "range",
|
|
"refId": "A"
|
|
}
|
|
],
|
|
"title": "SSH Log in bytes",
|
|
"type": "stat"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"color": {
|
|
"mode": "palette-classic"
|
|
},
|
|
"custom": {
|
|
"hideFrom": {
|
|
"legend": false,
|
|
"tooltip": false,
|
|
"viz": false
|
|
}
|
|
},
|
|
"mappings": []
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 9,
|
|
"w": 6,
|
|
"x": 0,
|
|
"y": 5
|
|
},
|
|
"id": 15,
|
|
"options": {
|
|
"displayLabels": [],
|
|
"legend": {
|
|
"displayMode": "table",
|
|
"placement": "right",
|
|
"showLegend": true,
|
|
"values": [
|
|
"value",
|
|
"percent"
|
|
]
|
|
},
|
|
"pieType": "donut",
|
|
"reduceOptions": {
|
|
"calcs": [
|
|
"sum"
|
|
],
|
|
"fields": "",
|
|
"values": false
|
|
},
|
|
"tooltip": {
|
|
"mode": "multi",
|
|
"sort": "none"
|
|
}
|
|
},
|
|
"pluginVersion": "9.2.5",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user <username>(` | username !~\".* by \" | __error__=\"\" [$__interval]))",
|
|
"hide": false,
|
|
"legendFormat": "{{ username }}",
|
|
"queryType": "range",
|
|
"refId": "A"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user <username> <_>` | username !~\".*(uid=.*)\" | __error__=\"\" [$__interval]))",
|
|
"hide": false,
|
|
"legendFormat": "{{ username }}",
|
|
"queryType": "range",
|
|
"refId": "B"
|
|
}
|
|
],
|
|
"title": "Session Opened by User",
|
|
"transformations": [],
|
|
"type": "piechart"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"color": {
|
|
"mode": "palette-classic"
|
|
},
|
|
"custom": {
|
|
"hideFrom": {
|
|
"legend": false,
|
|
"tooltip": false,
|
|
"viz": false
|
|
}
|
|
},
|
|
"mappings": []
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 9,
|
|
"w": 6,
|
|
"x": 6,
|
|
"y": 5
|
|
},
|
|
"id": 16,
|
|
"options": {
|
|
"displayLabels": [],
|
|
"legend": {
|
|
"displayMode": "table",
|
|
"placement": "bottom",
|
|
"showLegend": true,
|
|
"values": [
|
|
"value",
|
|
"percent"
|
|
]
|
|
},
|
|
"pieType": "donut",
|
|
"reduceOptions": {
|
|
"calcs": [
|
|
"sum"
|
|
],
|
|
"fields": "",
|
|
"values": false
|
|
},
|
|
"tooltip": {
|
|
"mode": "multi",
|
|
"sort": "none"
|
|
}
|
|
},
|
|
"pluginVersion": "9.2.5",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed .* user\" | pattern `<_> user <username> <_> port` | __error__=\"\" [$__interval]))",
|
|
"hide": false,
|
|
"legendFormat": "{{ username }}",
|
|
"queryType": "range",
|
|
"refId": "A"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "sum by (username) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Failed\" !~\"invalid user\" | pattern `<_> for <username> from <_> port` | __error__=\"\" [$__interval]))",
|
|
"hide": false,
|
|
"legendFormat": "{{ username }}",
|
|
"queryType": "range",
|
|
"refId": "B"
|
|
}
|
|
],
|
|
"title": "Failed Attempt by User",
|
|
"transformations": [
|
|
{
|
|
"id": "joinByLabels",
|
|
"options": {
|
|
"value": "username"
|
|
}
|
|
}
|
|
],
|
|
"type": "piechart"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"gridPos": {
|
|
"h": 16,
|
|
"w": 12,
|
|
"x": 12,
|
|
"y": 5
|
|
},
|
|
"id": 9,
|
|
"options": {
|
|
"dedupStrategy": "signature",
|
|
"enableLogDetails": true,
|
|
"prettifyLogMessage": false,
|
|
"showCommonLabels": false,
|
|
"showLabels": false,
|
|
"showTime": false,
|
|
"sortOrder": "Descending",
|
|
"wrapLogMessage": false
|
|
},
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |= `sshd[` != `pam` |= `from`",
|
|
"queryType": "range",
|
|
"refId": "A"
|
|
}
|
|
],
|
|
"title": "SSH Recent Log",
|
|
"type": "logs"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"custom": {
|
|
"align": "auto",
|
|
"cellOptions": {
|
|
"type": "auto"
|
|
},
|
|
"filterable": true,
|
|
"inspect": false
|
|
},
|
|
"mappings": [],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "green",
|
|
"value": null
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 7,
|
|
"w": 6,
|
|
"x": 0,
|
|
"y": 14
|
|
},
|
|
"id": 22,
|
|
"options": {
|
|
"cellHeight": "sm",
|
|
"footer": {
|
|
"countRows": false,
|
|
"fields": "",
|
|
"reducer": [
|
|
"sum"
|
|
],
|
|
"show": false
|
|
},
|
|
"frameIndex": 0,
|
|
"showHeader": true
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Accepted\" | pattern `<_> Accepted <_> for <_> from <ip> port <_>` | __error__=\"\" [$__interval]))",
|
|
"hide": false,
|
|
"legendFormat": "{{ ip }}",
|
|
"queryType": "range",
|
|
"refId": "A",
|
|
"resolution": 1
|
|
}
|
|
],
|
|
"title": "Session Opened by Unique IP",
|
|
"transformations": [
|
|
{
|
|
"id": "labelsToFields",
|
|
"options": {
|
|
"mode": "rows"
|
|
}
|
|
},
|
|
{
|
|
"id": "merge",
|
|
"options": {}
|
|
},
|
|
{
|
|
"id": "organize",
|
|
"options": {
|
|
"excludeByName": {
|
|
"label": true
|
|
},
|
|
"indexByName": {},
|
|
"renameByName": {
|
|
"value": "IP"
|
|
}
|
|
}
|
|
}
|
|
],
|
|
"type": "table"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"custom": {
|
|
"align": "auto",
|
|
"cellOptions": {
|
|
"type": "auto"
|
|
},
|
|
"filterable": true,
|
|
"inspect": false
|
|
},
|
|
"mappings": [],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "green",
|
|
"value": null
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 7,
|
|
"w": 6,
|
|
"x": 6,
|
|
"y": 14
|
|
},
|
|
"id": 19,
|
|
"options": {
|
|
"cellHeight": "sm",
|
|
"footer": {
|
|
"countRows": false,
|
|
"fields": "",
|
|
"reducer": [
|
|
"sum"
|
|
],
|
|
"show": false
|
|
},
|
|
"frameIndex": 0,
|
|
"showHeader": true
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" |~\".* from .*\" | pattern `<_> from <ip> port` | __error__=\"\" [$__interval]))",
|
|
"hide": false,
|
|
"legendFormat": "{{ ip }}",
|
|
"queryType": "range",
|
|
"refId": "A",
|
|
"resolution": 1
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "count by (ip) (count_over_time({filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed\" !~\".* from .*\" | pattern `<_> user <_> <ip> port` | __error__=\"\" [$__interval]))",
|
|
"hide": false,
|
|
"legendFormat": "{{ ip }}",
|
|
"queryType": "range",
|
|
"refId": "B"
|
|
}
|
|
],
|
|
"title": "Failed by Unique IP",
|
|
"transformations": [
|
|
{
|
|
"id": "labelsToFields",
|
|
"options": {
|
|
"mode": "rows"
|
|
}
|
|
},
|
|
{
|
|
"id": "merge",
|
|
"options": {}
|
|
},
|
|
{
|
|
"id": "organize",
|
|
"options": {
|
|
"excludeByName": {
|
|
"label": true
|
|
},
|
|
"indexByName": {},
|
|
"renameByName": {
|
|
"value": "IP"
|
|
}
|
|
}
|
|
}
|
|
],
|
|
"type": "table"
|
|
},
|
|
{
|
|
"collapsed": false,
|
|
"gridPos": {
|
|
"h": 1,
|
|
"w": 24,
|
|
"x": 0,
|
|
"y": 21
|
|
},
|
|
"id": 11,
|
|
"panels": [],
|
|
"title": "Detailed Stats",
|
|
"type": "row"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"custom": {
|
|
"align": "auto",
|
|
"cellOptions": {
|
|
"type": "auto"
|
|
},
|
|
"filterable": true,
|
|
"inspect": false
|
|
},
|
|
"mappings": [],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "green",
|
|
"value": null
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 10,
|
|
"w": 12,
|
|
"x": 0,
|
|
"y": 22
|
|
},
|
|
"id": 20,
|
|
"maxDataPoints": 1,
|
|
"options": {
|
|
"cellHeight": "sm",
|
|
"footer": {
|
|
"countRows": false,
|
|
"fields": "",
|
|
"reducer": [
|
|
"sum"
|
|
],
|
|
"show": false
|
|
},
|
|
"showHeader": true
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Accepted\" | pattern `<_> Accepted <_> for <username> from <ip> port <_>` | __error__=\"\"",
|
|
"hide": false,
|
|
"legendFormat": "{{ ip }} {{ username }}",
|
|
"queryType": "range",
|
|
"refId": "A",
|
|
"resolution": 1
|
|
}
|
|
],
|
|
"title": "Session Opened by User and IP",
|
|
"transformations": [
|
|
{
|
|
"id": "merge",
|
|
"options": {}
|
|
},
|
|
{
|
|
"id": "extractFields",
|
|
"options": {
|
|
"format": "auto",
|
|
"replace": false,
|
|
"source": "labels"
|
|
}
|
|
},
|
|
{
|
|
"id": "organize",
|
|
"options": {
|
|
"excludeByName": {
|
|
"Line": true,
|
|
"Time": false,
|
|
"env": true,
|
|
"filename": true,
|
|
"id": true,
|
|
"job": true,
|
|
"label": true,
|
|
"labels": true,
|
|
"tsNs": true
|
|
},
|
|
"indexByName": {},
|
|
"renameByName": {
|
|
"label": "",
|
|
"value": ""
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"id": "sortBy",
|
|
"options": {
|
|
"fields": {},
|
|
"sort": [
|
|
{
|
|
"desc": true,
|
|
"field": "Time"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"type": "table"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"color": {
|
|
"mode": "thresholds"
|
|
},
|
|
"custom": {
|
|
"align": "auto",
|
|
"cellOptions": {
|
|
"type": "auto"
|
|
},
|
|
"filterable": true,
|
|
"inspect": false
|
|
},
|
|
"mappings": [],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "green",
|
|
"value": null
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 10,
|
|
"w": 12,
|
|
"x": 12,
|
|
"y": 22
|
|
},
|
|
"id": 23,
|
|
"options": {
|
|
"cellHeight": "sm",
|
|
"footer": {
|
|
"countRows": false,
|
|
"fields": "",
|
|
"reducer": [
|
|
"sum"
|
|
],
|
|
"show": false
|
|
},
|
|
"showHeader": true
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Failed .* user\" | pattern `<_> user <username> from <ip> <_> port` | __error__=\"\"",
|
|
"hide": false,
|
|
"queryType": "range",
|
|
"refId": "A"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Failed\" !~\"invalid user\" | pattern `<_> for <username> from <ip> port` | __error__=\"\"",
|
|
"hide": false,
|
|
"queryType": "range",
|
|
"refId": "B"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Connection closed by authenticating user\" | pattern `<_> user <username> <ip> port` | __error__=\"\"",
|
|
"hide": false,
|
|
"queryType": "range",
|
|
"refId": "C"
|
|
}
|
|
],
|
|
"title": "SSH Failure by User and IP",
|
|
"transformations": [
|
|
{
|
|
"id": "merge",
|
|
"options": {}
|
|
},
|
|
{
|
|
"id": "extractFields",
|
|
"options": {
|
|
"format": "auto",
|
|
"replace": false,
|
|
"source": "labels"
|
|
}
|
|
},
|
|
{
|
|
"id": "organize",
|
|
"options": {
|
|
"excludeByName": {
|
|
"Line": true,
|
|
"env": true,
|
|
"filename": true,
|
|
"id": true,
|
|
"job": true,
|
|
"labels": true,
|
|
"tsNs": true
|
|
},
|
|
"indexByName": {},
|
|
"renameByName": {
|
|
"Time": "",
|
|
"env": "",
|
|
"instance": "",
|
|
"job": "",
|
|
"tsNs": ""
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"id": "sortBy",
|
|
"options": {
|
|
"fields": {},
|
|
"sort": [
|
|
{
|
|
"desc": true,
|
|
"field": "Time"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"type": "table"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"color": {
|
|
"mode": "thresholds"
|
|
},
|
|
"custom": {
|
|
"align": "auto",
|
|
"cellOptions": {
|
|
"type": "auto"
|
|
},
|
|
"filterable": true,
|
|
"inspect": false
|
|
},
|
|
"mappings": [],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "green"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 10,
|
|
"w": 12,
|
|
"x": 0,
|
|
"y": 32
|
|
},
|
|
"id": 13,
|
|
"options": {
|
|
"cellHeight": "sm",
|
|
"footer": {
|
|
"countRows": false,
|
|
"fields": "",
|
|
"reducer": [
|
|
"sum"
|
|
],
|
|
"show": false
|
|
},
|
|
"showHeader": true
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user <username>(` | username !~\".* by \" | __error__=\"\"",
|
|
"hide": false,
|
|
"queryType": "range",
|
|
"refId": "A"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": session opened for\" | pattern `<_> session opened for user <username> <_>` | username !~\".*(uid=.*)\" | __error__=\"\"",
|
|
"hide": false,
|
|
"queryType": "range",
|
|
"refId": "B"
|
|
}
|
|
],
|
|
"title": "SSH Session Opened by User",
|
|
"transformations": [
|
|
{
|
|
"id": "merge",
|
|
"options": {}
|
|
},
|
|
{
|
|
"id": "extractFields",
|
|
"options": {
|
|
"format": "auto",
|
|
"replace": false,
|
|
"source": "labels"
|
|
}
|
|
},
|
|
{
|
|
"id": "organize",
|
|
"options": {
|
|
"excludeByName": {
|
|
"Line": true,
|
|
"env": true,
|
|
"filename": true,
|
|
"id": true,
|
|
"job": true,
|
|
"labels": true,
|
|
"tsNs": true
|
|
},
|
|
"indexByName": {},
|
|
"renameByName": {
|
|
"Time": "",
|
|
"env": "",
|
|
"instance": "",
|
|
"job": "",
|
|
"tsNs": ""
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"id": "sortBy",
|
|
"options": {
|
|
"fields": {},
|
|
"sort": [
|
|
{
|
|
"desc": true,
|
|
"field": "Time"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"type": "table"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"fieldConfig": {
|
|
"defaults": {
|
|
"color": {
|
|
"mode": "thresholds"
|
|
},
|
|
"custom": {
|
|
"align": "auto",
|
|
"cellOptions": {
|
|
"type": "auto"
|
|
},
|
|
"filterable": true,
|
|
"inspect": false
|
|
},
|
|
"mappings": [],
|
|
"thresholds": {
|
|
"mode": "absolute",
|
|
"steps": [
|
|
{
|
|
"color": "green"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"overrides": []
|
|
},
|
|
"gridPos": {
|
|
"h": 10,
|
|
"w": 12,
|
|
"x": 12,
|
|
"y": 32
|
|
},
|
|
"id": 14,
|
|
"options": {
|
|
"cellHeight": "sm",
|
|
"footer": {
|
|
"countRows": false,
|
|
"fields": "",
|
|
"reducer": [
|
|
"sum"
|
|
],
|
|
"show": false
|
|
},
|
|
"showHeader": true
|
|
},
|
|
"pluginVersion": "10.2.0",
|
|
"targets": [
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |~\": Invalid|: Connection closed by authenticating user|: Failed .* user\" | pattern `<_> user <username> <_> port` | __error__=\"\"",
|
|
"hide": false,
|
|
"queryType": "range",
|
|
"refId": "A"
|
|
},
|
|
{
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"editorMode": "code",
|
|
"expr": "{filename=\"/var/log/auth.log\", host=\"$host\"} |=\"sshd[\" |=\": Failed\" !~\"invalid user\" | pattern `<_> for <username> from <_> port` | __error__=\"\"",
|
|
"hide": false,
|
|
"queryType": "range",
|
|
"refId": "B"
|
|
}
|
|
],
|
|
"title": "SSH Failure by User",
|
|
"transformations": [
|
|
{
|
|
"id": "merge",
|
|
"options": {}
|
|
},
|
|
{
|
|
"id": "extractFields",
|
|
"options": {
|
|
"format": "auto",
|
|
"replace": false,
|
|
"source": "labels"
|
|
}
|
|
},
|
|
{
|
|
"id": "organize",
|
|
"options": {
|
|
"excludeByName": {
|
|
"Line": true,
|
|
"env": true,
|
|
"filename": true,
|
|
"id": true,
|
|
"job": true,
|
|
"labels": true,
|
|
"tsNs": true
|
|
},
|
|
"indexByName": {},
|
|
"renameByName": {
|
|
"Time": "",
|
|
"env": "",
|
|
"instance": "",
|
|
"job": "",
|
|
"tsNs": ""
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"id": "sortBy",
|
|
"options": {
|
|
"fields": {},
|
|
"sort": [
|
|
{
|
|
"desc": true,
|
|
"field": "Time"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"type": "table"
|
|
}
|
|
],
|
|
"refresh": "",
|
|
"revision": 2,
|
|
"schemaVersion": 38,
|
|
"tags": [
|
|
"loki",
|
|
"linux",
|
|
"ssh"
|
|
],
|
|
"templating": {
|
|
"list": [
|
|
{
|
|
"current": {
|
|
"selected": false,
|
|
"text": "locker98",
|
|
"value": "locker98"
|
|
},
|
|
"datasource": {
|
|
"type": "loki",
|
|
"uid": "c0696081-8d61-4fbd-bde3-6510cbc6b07f"
|
|
},
|
|
"definition": "",
|
|
"hide": 0,
|
|
"includeAll": false,
|
|
"label": "host",
|
|
"multi": false,
|
|
"name": "host",
|
|
"options": [],
|
|
"query": {
|
|
"label": "host",
|
|
"refId": "LokiVariableQueryEditor-VariableQuery",
|
|
"stream": "{filename=\"/var/log/auth.log\"}",
|
|
"type": 1
|
|
},
|
|
"refresh": 1,
|
|
"regex": "",
|
|
"skipUrlSync": false,
|
|
"sort": 0,
|
|
"type": "query"
|
|
}
|
|
]
|
|
},
|
|
"time": {
|
|
"from": "now-24h",
|
|
"to": "now"
|
|
},
|
|
"timepicker": {},
|
|
"timezone": "",
|
|
"title": "SSH Logs",
|
|
"uid": "OMEuTfqVk",
|
|
"version": 14,
|
|
"weekStart": ""
|
|
} |