├── 6.16.15 Presentation - UCLA ELK Stack.pdf ├── nxlog.conf ├── README.md ├── topbeat.yml ├── kibana ├── packetbeat.yml ├── kibana-dashboards.json ├── LICENSE ├── Visualizations - All.json ├── filebeat.yml ├── logstash.conf ├── kibana-searches.json └── kibana-visualizations.json /6.16.15 Presentation - UCLA ELK Stack.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ucla-it-security/iso-elk-stack/HEAD/6.16.15 Presentation - UCLA ELK Stack.pdf -------------------------------------------------------------------------------- /nxlog.conf: -------------------------------------------------------------------------------- 1 | define ROOT C:\Program Files (x86)\nxlog 2 | 3 | Moduledir %ROOT%\modules 4 | CacheDir %ROOT%\data 5 | Pidfile %ROOT%\data\nxlog.pid 6 | SpoolDir %ROOT%\data 7 | LogFile %ROOT%\data\nxlog.log 8 | 9 | 10 | Module xm_json 11 | 12 | 13 | 14 | Module im_internal 15 | 16 | 17 | 18 | Module im_file 19 | File 'C:\Program Files (x86)\nxlog\data\nxlog.log' 20 | 21 | 22 | 23 | Module im_msvistalog 24 | Uncomment if you want only specific logs 25 | Query \ 26 | \ 27 | \ 28 | \ 29 | \ 30 | \ 31 | 32 | 33 | 34 | 35 | Module om_tcp 36 | Host your_elk_client_host_ip 37 | Port 3515 38 | 39 | 40 | 41 | Path internal, eventlog, log_mylog, log_nxlog => out 42 | 43 | 44 | # 45 | # Path file, eventlog, internal => logstash 46 | # 47 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | # ELK Stack 5.2.x 3 | ** This project will soon be transitioning to a new UCLA repo, under which a new security-focused ELK stack v5.0 will be launched. 
See https://github.com/UCLA-LBBP-Neuromodulation/UC-elk-stack-security.** 4 | 5 | # iso-elk-stack 6 | 7 | The UCLA Information Security Office customized an integration of Logstash, Elasticsearch, and Kibana (the "ELK stack") to extract security-specific information, richly visualize that data, and create notifications based on specific concerns. 8 | 9 | For installation instructions for both the central ELK server and client servers (that use log-courier to ship events to the central ELK server), please visit the following link and select the "Install" tab: https://www.itsecurity.ucla.edu/elk 10 | 11 | **Major Changes**: 12 | 13 | As of November 25th, 2015, this project has been updated to reflect the major changes introduced in Elasticsearch 2.1, Logstash 2.1, and Kibana 4.3. In addition, support for Filebeat, Packetbeat, and Topbeat was added and documentation is available at the link on the UCLA Information Security website listed above. 14 | 15 | As of January 14th, 2016 (and after a long period of stability testing), shipping logs from Windows Servers via nxlog was included, as was the ability to ship OSSEC (http://ossec.github.io/) security log data to the UCLA-ISO-ELK configuration. We're major fans of OSSEC and nxlog.
16 | -------------------------------------------------------------------------------- /topbeat.yml: -------------------------------------------------------------------------------- 1 | ################### Topbeat Configuration Example ######################### 2 | 3 | ############################# Input ############################################ 4 | input: 5 | # In seconds, defines how often to read server statistics 6 | period: 10 7 | 8 | # Regular expression to match the processes that are monitored 9 | # By default, all the processes are monitored 10 | procs: [".*"] 11 | 12 | 13 | ############################# Output ########################################## 14 | 15 | output: 16 | logstash: 17 | enabled: true 18 | 19 | # The list of downstream Logstash servers. 20 | hosts: 21 | - your_elk_host_ip:5045 22 | 23 | tls: 24 | # The path to your client ssl certificate 25 | certificate: /etc/filebeat/logstash-beats.crt 26 | # The path to your client ssl key 27 | certificate_key: /etc/filebeat/logstash-beats.key 28 | 29 | # The path to your trusted ssl CA file. This is used 30 | # to authenticate your downstream server. 31 | certificate_authorities: 32 | - /etc/filebeat/logstash-beats.crt 33 | 34 | # Network timeout in seconds. 35 | timeout: 15 36 | 37 | ############################# Shipper ######################################### 38 | 39 | shipper: 40 | # The name of the shipper that publishes the network data. It can be used to group 41 | # all the transactions sent by a single shipper in the web interface. 42 | # If this options is not defined, the hostname is used. 43 | #name: 44 | 45 | # The tags of the shipper are included in their own field with each 46 | # transaction published. Tags make it easy to group servers by different 47 | # logical properties. 48 | tags: ["topbeat_this_client_hostname"] 49 | 50 | # Uncomment the following if you want to ignore transactions created 51 | # by the server on which the shipper is installed. 
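This option is useful 52 | # to remove duplicates if shippers are installed on multiple servers. 53 | #ignore_outgoing: true 54 | 55 | ############################# Shipper ######################################### 56 | 57 | logging: 58 | # enable file rotation with default configuration 59 | to_files: true 60 | 61 | # do not log to syslog 62 | to_syslog: false 63 | 64 | files: 65 | path: /var/log/topbeat/ 66 | name: topbeat.log 67 | keepfiles: 7 68 | -------------------------------------------------------------------------------- /kibana: --------------------------------------------------------------------------------
#!/bin/bash
# /etc/init.d/kibana -- SysV init script for Kibana 4 (start|stop|status|restart).
#
# The daemon is launched in the background with stdout/stderr redirected to
# $LOG, and its PID is written to $PIDFILE so that status/stop can find it
# again. The script runs as whoever invokes it (normally root) and does not
# switch user before launching $DAEMON. The exit status of the script is the
# status of the action that ran (0 on success; `status` returns 3 when Kibana
# is not running, per the LSB convention).
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="Kibana 4"
NAME=kibana
DAEMON=/opt/kibana/bin/kibana
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
LOG=/var/log/kibana.log

# True when a PID file exists. The file may be stale (left behind by a crash),
# so callers should use running_pid rather than trusting it directly.
pid_file_exists() {
    [ -f "$PIDFILE" ]
}

# True when a process with PID $1 exists. `ps -p` matches the PID exactly,
# unlike the previous `ps ax | grep $PID`, which also matched any longer PID
# or any command line containing the same digits.
is_alive() {
    ps -p "$1" -o pid= >/dev/null 2>&1
}

# Print the PID recorded in $PIDFILE if that process is alive and return 0.
# Otherwise remove the stale or garbage PID file and return 1, so a crashed
# Kibana does not block `start` forever with "already running".
running_pid() {
    local pid
    pid_file_exists || return 1
    pid=$(cat "$PIDFILE" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) rm -f "$PIDFILE"; return 1 ;;
    esac
    if is_alive "$pid"; then
        echo "$pid"
        return 0
    fi
    rm -f "$PIDFILE"
    return 1
}

# Start Kibana unless it is already running. Returns 0 on success, 1 if the
# process died right after launch (details are in $LOG).
do_start() {
    local pid
    if pid=$(running_pid); then
        echo "Kibana is already running (PID:$pid)"
        return 0
    fi
    # Append rather than truncate so a restart does not erase the previous
    # run's log, which is usually what is needed to diagnose why it died.
    $DAEMON $DAEMON_ARGS 1>>"$LOG" 2>&1 &
    pid=$!
    echo "$pid" > "$PIDFILE"
    # $! is never 0, so the old `[ "$PID" -ne "0" ]` test could not detect a
    # failed start. Give the process a moment and check it is still alive.
    sleep 1
    if is_alive "$pid"; then
        echo "Kibana started with pid $pid"
        return 0
    fi
    echo "Kibana could not be started (see $LOG)"
    rm -f "$PIDFILE"
    return 1
}

# Report whether Kibana is running: 0 when running, 3 when not.
do_status() {
    local pid
    if pid=$(running_pid); then
        echo "Kibana is running on process $pid"
        return 0
    fi
    echo "Kibana is NOT running"
    return 3
}

# Stop Kibana with SIGTERM and wait (up to 10 s) for it to exit. The PID file
# is removed only once the process is gone; returns 1 if it is still alive.
do_stop() {
    local pid i
    if ! pid=$(running_pid); then
        echo "Kibana is NOT running"
        return 0
    fi
    echo "Killing Kibana...."
    kill -15 "$pid"
    for i in 1 2 3 4 5 6 7 8 9 10; do
        is_alive "$pid" || break
        sleep 1
    done
    if is_alive "$pid"; then
        echo -e "\tKibana (PID:$pid) did not exit after SIGTERM"
        return 1
    fi
    rm -f "$PIDFILE"
    echo -e "\tKibana (PID:$pid) killed"
    return 0
}

case "$1" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    status)
        do_status
        ;;
    restart)
        # Do not launch a second instance if the old one refused to stop.
        do_stop && do_start
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
        exit 3
        ;;
esac
-------------------------------------------------------------------------------- /packetbeat.yml: -------------------------------------------------------------------------------- 1 | ################### Packetbeat Configuration Example ########################## 2 | 3 | # This file contains an overview of various configuration settings. Please consult 4 | # the docs at https://www.elastic.co/guide/en/beats/packetbeat/current/configuration.html 5 | # for more details. 6 | 7 | # The Packetbeat shipper works by sniffing the network traffic between your 8 | # application components. It inserts meta-data about each transaction into 9 | # Elasticsearch. 10 | 11 | ############################# Sniffer ######################################### 12 | 13 | # Select the network interfaces to sniff the data. You can use the "any" 14 | # keyword to sniff on all connected interfaces. 15 | interfaces: 16 | device: any 17 | 18 | ############################# Protocols ####################################### 19 | protocols: 20 | dns: 21 | # Configure the ports where to listen for DNS traffic. You can disable 22 | # the DNS protocol by commenting out the list of ports. 23 | ports: [53] 24 | 25 | # include_authorities controls whether or not the dns.authorities field 26 | # (authority resource records) is added to messages.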
27 | # Default: false 28 | include_authorities: true 29 | # include_additionals controls whether or not the dns.additionals field 30 | # (additional resource records) is added to messages. 31 | # Default: false 32 | include_additionals: true 33 | 34 | # send_request and send_response control whether or not the stringified DNS 35 | # request and response message are added to the result. 36 | # Nearly all data about the request/response is available in the dns.* 37 | # fields, but this can be useful if you need visibility specifically 38 | # into the request or the response. 39 | # Default: false 40 | # send_request: true 41 | # send_response: true 42 | 43 | http: 44 | # Configure the ports where to listen for HTTP traffic. You can disable 45 | # the HTTP protocol by commenting out the list of ports. 46 | ports: [80, 8080, 8000, 5000, 8002] 47 | 48 | # Uncomment the following to hide certain parameters in URL or forms attached 49 | # to HTTP requests. The names of the parameters are case insensitive. 50 | # The value of the parameters will be replaced with the 'xxxxx' string. 51 | # This is generally useful for avoiding storing user passwords or other 52 | # sensitive information. 53 | # Only query parameters and top level form parameters are replaced. 54 | # hide_keywords: ['pass', 'password', 'passwd'] 55 | 56 | memcache: 57 | # Configure the ports where to listen for memcache traffic. You can disable 58 | # the Memcache protocol by commenting out the list of ports. 59 | ports: [11211] 60 | 61 | # Uncomment the parseunknown option to force the memcache text protocol parser 62 | # to accept unknown commands. 63 | # Note: All unknown commands MUST not contain any data parts! 64 | # Default: false 65 | # parseunknown: true 66 | 67 | # Update the maxvalue option to store the values - base64 encoded - in the 68 | # json output. 
69 | # possible values: 70 | # maxvalue: -1 # store all values (text based protocol multi-get) 71 | # maxvalue: 0 # store no values at all 72 | # maxvalue: N # store up to N values 73 | # Default: 0 74 | # maxvalues: -1 75 | 76 | # Use maxbytespervalue to limit the number of bytes to be copied per value element. 77 | # Note: Values will be base64 encoded, so actual size in json document 78 | # will be 4 times maxbytespervalue. 79 | # Default: unlimited 80 | # maxbytespervalue: 100 81 | 82 | # UDP transaction timeout in milliseconds. 83 | # Note: Quiet messages in UDP binary protocol will get response only in error case. 84 | # The memcached analyzer will wait for udptransactiontimeout milliseconds 85 | # before publishing quiet messages. Non quiet messages or quiet requests with 86 | # error response will not have to wait for the timeout. 87 | # Default: 200 88 | # udptransactiontimeout: 1000 89 | 90 | mysql: 91 | # Configure the ports where to listen for MySQL traffic. You can disable 92 | # the MySQL protocol by commenting out the list of ports. 93 | ports: [3306] 94 | 95 | pgsql: 96 | # Configure the ports where to listen for Pgsql traffic. You can disable 97 | # the Pgsql protocol by commenting out the list of ports. 98 | ports: [5432] 99 | 100 | redis: 101 | # Configure the ports where to listen for Redis traffic. You can disable 102 | # the Redis protocol by commenting out the list of ports. 103 | ports: [6379] 104 | 105 | thrift: 106 | # Configure the ports where to listen for Thrift-RPC traffic. You can disable 107 | # the Thrift-RPC protocol by commenting out the list of ports. 108 | ports: [9090] 109 | 110 | mongodb: 111 | # Configure the ports where to listen for MongoDB traffic. You can disable 112 | # the MongoDB protocol by commenting out the list of ports. 113 | ports: [27017] 114 | 115 | ############################# Processes ####################################### 116 | 117 | # Configure the processes to be monitored and how to find them. 
If a process is 118 | # monitored then Packetbeat attempts to use its name to fill in the `proc` and 119 | # `client_proc` fields. 120 | # The processes can be found by searching their command line by a given string. 121 | # 122 | # Process matching is optional and can be enabled by uncommenting the following 123 | # lines. 124 | # 125 | #procs: 126 | # enabled: false 127 | # monitored: 128 | # - process: mysqld 129 | # cmdline_grep: mysqld 130 | # 131 | # - process: pgsql 132 | # cmdline_grep: postgres 133 | # 134 | # - process: nginx 135 | # cmdline_grep: nginx 136 | # 137 | # - process: app 138 | # cmdline_grep: gunicorn 139 | 140 | 141 | ############################# Output ########################################## 142 | 143 | output: 144 | logstash: 145 | enabled: true 146 | 147 | # The list of downstream Logstash servers. 148 | hosts: 149 | - your_elk_host_ip:5044 150 | 151 | tls: 152 | # The path to your client ssl certificate 153 | certificate: /etc/filebeat/logstash-beats.crt 154 | # The path to your client ssl key 155 | certificate_key: /etc/filebeat/logstash-beats.key 156 | 157 | # The path to your trusted ssl CA file. This is used 158 | # to authenticate your downstream server. 159 | certificate_authorities: 160 | - /etc/filebeat/logstash-beats.crt 161 | 162 | # Network timeout in seconds. 163 | timeout: 15 164 | 165 | 166 | ############################# Shipper ######################################### 167 | 168 | shipper: 169 | # The name of the shipper that publishes the network data. It can be used to group 170 | # all the transactions sent by a single shipper in the web interface. 171 | # If this option is not defined, the hostname is used. 172 | #name: 173 | 174 | # The tags of the shipper are included in their own field with each 175 | # transaction published. Tags make it easy to group servers by different 176 | # logical properties.
177 | tags: ["packetbeat_this_client_hostname"] 178 | 179 | # Uncomment the following if you want to ignore transactions created 180 | # by the server on which the shipper is installed. This option is useful 181 | # to remove duplicates if shippers are installed on multiple servers. 182 | #ignore_outgoing: true 183 | 184 | # How often (in seconds) shippers are publishing their IPs to the topology map. 185 | # The default is 10 seconds. 186 | #refresh_topology_freq: 10 187 | 188 | # Expiration time (in seconds) of the IPs published by a shipper to the topology map. 189 | # All the IPs will be deleted afterwards. Note, that the value must be higher than 190 | # refresh_topology_freq. The default is 15 seconds. 191 | #topology_expire: 15 192 | 193 | # Configure local GeoIP database support. If no paths are configured 194 | # the locations /usr/share/GeoIP/GeoLiteCity.dat and 195 | # /usr/local/var/GeoIP/GeoLiteCity.dat are searched for a GeoIP database. 196 | #geoip: 197 | # If paths is empty, GeoIP support will be disabled. 
198 | #paths: ["/path/to/geoip/data/GeoLiteCity.dat"] 199 | 200 | 201 | ############################# Logging ######################################### 202 | 203 | logging: 204 | # enable file rotation with default configuration 205 | to_files: true 206 | 207 | # do not log to syslog 208 | to_syslog: false 209 | 210 | files: 211 | path: /var/log/packetbeat/ 212 | name: packetbeat.log 213 | keepfiles: 7 214 | -------------------------------------------------------------------------------- /kibana-dashboards.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "HTTP", 4 | "_type": "dashboard", 5 | "_source": { 6 | "hits": 0, 7 | "timeRestore": false, 8 | "description": "", 9 | "title": "HTTP", 10 | "panelsJSON": "[{\"col\":4,\"id\":\"Web-transactions\",\"row\":1,\"size_x\":9,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"HTTP-error-codes\",\"row\":8,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"HTTP-error-codes-evolution\",\"row\":8,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Navigation\",\"row\":1,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Total-number-of-HTTP-transactions\",\"row\":5,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"HTTP-codes-for-the-top-queries\",\"row\":5,\"size_x\":9,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"Top-10-HTTP-requests\",\"type\":\"visualization\",\"size_x\":12,\"size_y\":5,\"col\":1,\"row\":11}]", 11 | "version": 1, 12 | "kibanaSavedObjectMeta": { 13 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 14 | } 15 | } 16 | }, 17 | { 18 | "_id": "MongoDB-performance", 19 | "_type": "dashboard", 20 | "_source": { 21 | "hits": 0, 22 | "timeRestore": false, 23 | "description": "", 24 | "title": "MongoDB performance", 25 | "panelsJSON": 
"[{\"col\":1,\"id\":\"Navigation\",\"row\":1,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":4,\"id\":\"MongoDB-errors\",\"row\":1,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":9,\"id\":\"MongoDB-commands\",\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"MongoDB-errors-per-collection\",\"row\":5,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"MongoDB-in-slash-out-throughput\",\"row\":5,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"MongoDB-response-times-by-collection\",\"row\":8,\"size_x\":8,\"size_y\":5,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Top-slowest-MongoDB-queries\",\"row\":8,\"size_x\":4,\"size_y\":5,\"type\":\"visualization\"},{\"id\":\"Number-of-MongoDB-transactions-with-writeConcern-w-equal-0\",\"type\":\"visualization\",\"size_x\":4,\"size_y\":3,\"col\":9,\"row\":5}]", 26 | "version": 1, 27 | "kibanaSavedObjectMeta": { 28 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 29 | } 30 | } 31 | }, 32 | { 33 | "_id": "MySQL-performance", 34 | "_type": "dashboard", 35 | "_source": { 36 | "hits": 0, 37 | "timeRestore": false, 38 | "description": "", 39 | "title": "MySQL performance", 40 | "panelsJSON": 
"[{\"col\":4,\"id\":\"MySQL-Errors\",\"row\":1,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":9,\"id\":\"MySQL-Methods\",\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Navigation\",\"row\":1,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"MySQL-throughput\",\"row\":8,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Most-frequent-MySQL-queries\",\"row\":11,\"size_x\":6,\"size_y\":6,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Slowest-MySQL-queries\",\"row\":11,\"size_x\":6,\"size_y\":6,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Mysql-response-times-percentiles\",\"row\":5,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"MySQL-Reads-vs-Writes\",\"type\":\"visualization\",\"size_x\":6,\"size_y\":3,\"col\":1,\"row\":8}]", 41 | "version": 1, 42 | "kibanaSavedObjectMeta": { 43 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 44 | } 45 | } 46 | }, 47 | { 48 | "_id": "Packetbeat-Dashboard", 49 | "_type": "dashboard", 50 | "_source": { 51 | "hits": 0, 52 | "timeRestore": false, 53 | "description": "", 54 | "title": "Packetbeat Dashboard", 55 | "panelsJSON": 
"[{\"col\":1,\"id\":\"Web-transactions\",\"row\":5,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":4,\"id\":\"DB-transactions\",\"row\":5,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Cache-transactions\",\"row\":5,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":10,\"id\":\"RPC-transactions\",\"row\":5,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Response-times-percentiles\",\"row\":10,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Errors-count-over-time\",\"row\":13,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Errors-vs-successful-transactions\",\"row\":10,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Latency-histogram\",\"row\":13,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Client-locations\",\"row\":1,\"size_x\":9,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Response-times-repartition\",\"row\":7,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"Navigation\",\"type\":\"visualization\",\"size_x\":3,\"size_y\":4,\"col\":1,\"row\":1}]", 56 | "version": 1, 57 | "kibanaSavedObjectMeta": { 58 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 59 | } 60 | } 61 | }, 62 | { 63 | "_id": "PgSQL-performance", 64 | "_type": "dashboard", 65 | "_source": { 66 | "hits": 0, 67 | "timeRestore": false, 68 | "description": "", 69 | "title": "PgSQL performance", 70 | "panelsJSON": 
"[{\"col\":1,\"id\":\"Navigation\",\"row\":1,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":4,\"id\":\"PgSQL-Errors\",\"row\":1,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":9,\"id\":\"PgSQL-Methods\",\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"PgSQL-response-times-percentiles\",\"row\":5,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"PgSQL-throughput\",\"row\":8,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"PgSQL-Reads-vs-Writes\",\"row\":8,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"Most-frequent-PgSQL-queries\",\"type\":\"visualization\",\"size_x\":6,\"size_y\":6,\"col\":1,\"row\":11},{\"id\":\"Slowest-PgSQL-queries\",\"type\":\"visualization\",\"size_x\":6,\"size_y\":6,\"col\":7,\"row\":11}]", 71 | "version": 1, 72 | "kibanaSavedObjectMeta": { 73 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 74 | } 75 | } 76 | }, 77 | { 78 | "_id": "Thrift-performance", 79 | "_type": "dashboard", 80 | "_source": { 81 | "hits": 0, 82 | "timeRestore": false, 83 | "description": "", 84 | "title": "Thrift performance", 85 | "panelsJSON": 
"[{\"col\":1,\"id\":\"Navigation\",\"row\":1,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Thrift-requests-per-minute\",\"row\":1,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Thrift-RPC-Errors\",\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Slowest-Thrift-RPC-methods\",\"row\":5,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Thrift-response-times-percentiles\",\"row\":5,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Top-Thrift-RPC-methods\",\"row\":8,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Top-Thrift-RPC-calls-with-errors\",\"row\":8,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"id\":\"Thrift-transactions\",\"type\":\"search\",\"size_x\":12,\"size_y\":8,\"col\":1,\"row\":12,\"columns\":[\"method\",\"type\",\"path\",\"responsetime\",\"status\"],\"sort\":[\"@timestamp\",\"desc\"]}]", 86 | "version": 1, 87 | "kibanaSavedObjectMeta": { 88 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 89 | } 90 | } 91 | }, 92 | { 93 | "_id": "Topbeat-Dashboard", 94 | "_type": "dashboard", 95 | "_source": { 96 | "hits": 0, 97 | "timeFrom": "now-15m", 98 | "timeRestore": true, 99 | "description": "", 100 | "title": "Topbeat-Dashboard", 101 | "panelsJSON": 
"[{\"col\":1,\"id\":\"Navigation\",\"row\":1,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":4,\"id\":\"System-load\",\"row\":1,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Disk-usage-overview\",\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":8,\"id\":\"Process-status\",\"row\":5,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Memory-usage\",\"row\":9,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Disk-usage\",\"row\":13,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"CPU-usage\",\"row\":9,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"CPU-usage-per-process\",\"row\":17,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Memory-usage-per-process\",\"row\":13,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Top-processes\",\"row\":17,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Servers\",\"row\":5,\"size_x\":7,\"size_y\":4,\"type\":\"visualization\"}]", 102 | "timeTo": "now", 103 | "version": 1, 104 | "kibanaSavedObjectMeta": { 105 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 106 | } 107 | } 108 | }, 109 | { 110 | "_id": "Dashboard:-Linux-User-and-Group-Events", 111 | "_type": "dashboard", 112 | "_source": { 113 | "title": "Dashboard: Linux User and Group Events", 114 | "hits": 0, 115 | "description": "", 116 | "panelsJSON": 
"[{\"col\":1,\"id\":\"Visualization:-Linux-(New-User)\",\"panelIndex\":1,\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Visualization:-Linux-(New-Group)\",\"panelIndex\":2,\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Visualization:-Linux-(Password-Change)\",\"panelIndex\":3,\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Visualization:-Linux-(User-Deleted)\",\"panelIndex\":4,\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Linux-(Group-Deleted)\",\"panelIndex\":5,\"row\":3,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"pam_username\",\"tags\",\"pam_message\",\"message\"],\"id\":\"Linux:-User-and-Group-Events\",\"panelIndex\":6,\"row\":5,\"size_x\":12,\"size_y\":4,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"id\":\"Visualization:-Bar-Chart-(Linux:-User-and-Group-Events)\",\"type\":\"visualization\",\"panelIndex\":7,\"size_x\":12,\"size_y\":5,\"col\":1,\"row\":9}]", 117 | "optionsJSON": "{\"darkTheme\":true}", 118 | "uiStateJSON": "{}", 119 | "version": 1, 120 | "timeRestore": true, 121 | "timeTo": "now", 122 | "timeFrom": "now-15m", 123 | "kibanaSavedObjectMeta": { 124 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 125 | } 126 | } 127 | } 128 | ] -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 
11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | 203 | -------------------------------------------------------------------------------- /Visualizations - All.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "Basic-Auth:-Failures-[Data-Table]", 4 | "_type": "visualization", 5 | "_source": { 6 | "title": "Basic Auth: Failures - [Data Table]", 7 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"basic_auth_user.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 8 | "description": "", 9 | "savedSearchId": "Basic-Auth:-Failures", 10 | "version": 1, 11 | "kibanaSavedObjectMeta": { 12 | "searchSourceJSON": "{\"filter\":[]}" 13 | } 14 | } 15 | }, 16 | { 17 | "_id": "Basic-Auth:-Success-[Data-Table]", 18 | "_type": "visualization", 19 | "_source": { 20 | "title": "Basic Auth: Success - [Data Table]", 21 | "visState": 
"{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"basic_auth_user.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 22 | "description": "", 23 | "savedSearchId": "Basic-Auth:-Success", 24 | "version": 1, 25 | "kibanaSavedObjectMeta": { 26 | "searchSourceJSON": "{\"filter\":[]}" 27 | } 28 | } 29 | }, 30 | { 31 | "_id": "Shibboleth:-Successful-Logins-[Data-Table:-Country-Name-and-Shib-Username]", 32 | "_type": "visualization", 33 | "_source": { 34 | "title": "Shibboleth: Successful Logins - [Data Table: Country Name and Shib Username]", 35 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"logshipper_shib_username.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 36 | "description": "", 37 | "savedSearchId": "Shibboleth:-Successful-Logins", 38 | "version": 1, 39 | "kibanaSavedObjectMeta": { 40 | "searchSourceJSON": "{\"filter\":[]}" 41 | } 42 | } 43 | }, 44 | { 45 | "_id": "Shibboleth:-Failed-Logins-[Data-Table:-Country-Name-and-Shib-Username]", 46 | "_type": "visualization", 47 | "_source": { 48 | "title": "Shibboleth: Failed Logins - [Data Table: Country Name and Shib Username]", 49 | "visState": 
"{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"logshipper_shib_username.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 50 | "description": "", 51 | "savedSearchId": "Shibboleth:-Failed-Logins", 52 | "version": 1, 53 | "kibanaSavedObjectMeta": { 54 | "searchSourceJSON": "{\"filter\":[]}" 55 | } 56 | } 57 | }, 58 | { 59 | "_id": "Shibboleth:-Successful-Logins-[Data-Table:-Shib-Username-and-Source-IP]", 60 | "_type": "visualization", 61 | "_source": { 62 | "title": "Shibboleth: Successful Logins - [Data Table: Shib Username and Source IP]", 63 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"logshipper_shib_username.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.ip.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 64 | "description": "", 65 | "savedSearchId": "Shibboleth:-Successful-Logins", 66 | "version": 1, 67 | "kibanaSavedObjectMeta": { 68 | "searchSourceJSON": "{\"filter\":[]}" 69 | } 70 | } 71 | }, 72 | { 73 | "_id": "Shibboleth:-Successful-Logins-[Tile-Map]", 74 | "_type": "visualization", 75 | "_source": { 76 | "title": "Shibboleth: Successful Logins - [Tile Map]", 77 | "visState": "{\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle 
Markers\",\"isDesaturated\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"addTooltip\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":false,\"precision\":7}}],\"listeners\":{}}", 78 | "description": "", 79 | "savedSearchId": "Shibboleth:-Successful-Logins", 80 | "version": 1, 81 | "kibanaSavedObjectMeta": { 82 | "searchSourceJSON": "{\"filter\":[]}" 83 | } 84 | } 85 | }, 86 | { 87 | "_id": "\"Shibboleth:-Failed-Logins-[Data-Table:-Shib-Username-and-Source-IP]\"", 88 | "_type": "visualization", 89 | "_source": { 90 | "title": "\"Shibboleth: Failed Logins - [Data Table: Shib Username and Source IP]\"", 91 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"logshipper_shib_username.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.ip.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 92 | "description": "", 93 | "savedSearchId": "Shibboleth:-Failed-Logins", 94 | "version": 1, 95 | "kibanaSavedObjectMeta": { 96 | "searchSourceJSON": "{\"filter\":[]}" 97 | } 98 | } 99 | }, 100 | { 101 | "_id": "Shibboleth:-Failed-Logins-[Tile-Map]", 102 | "_type": "visualization", 103 | "_source": { 104 | "title": "Shibboleth: Failed Logins - [Tile Map]", 105 | "visState": "{\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle 
Markers\",\"isDesaturated\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"addTooltip\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":false,\"precision\":7}}],\"listeners\":{}}", 106 | "description": "", 107 | "savedSearchId": "Shibboleth:-Failed-Logins", 108 | "version": 1, 109 | "kibanaSavedObjectMeta": { 110 | "searchSourceJSON": "{\"filter\":[]}" 111 | } 112 | } 113 | }, 114 | { 115 | "_id": "Shibboleth:-Successful-Logins-[Pie-Chart]", 116 | "_type": "visualization", 117 | "_source": { 118 | "title": "Shibboleth: Successful Logins - [Pie Chart]", 119 | "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"logshipper_shib_username.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.ip.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 120 | "description": "", 121 | "savedSearchId": "Shibboleth:-Successful-Logins", 122 | "version": 1, 123 | "kibanaSavedObjectMeta": { 124 | "searchSourceJSON": "{\"filter\":[]}" 125 | } 126 | } 127 | }, 128 | { 129 | "_id": "Shibboleth:-Failed-Logins-[Pie-Chart]", 130 | "_type": "visualization", 131 | "_source": { 132 | "title": "Shibboleth: Failed Logins - [Pie Chart]", 133 | "visState": 
"{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"logshipper_shib_username.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.ip.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 134 | "description": "", 135 | "savedSearchId": "Shibboleth:-Failed-Logins", 136 | "version": 1, 137 | "kibanaSavedObjectMeta": { 138 | "searchSourceJSON": "{\"filter\":[]}" 139 | } 140 | } 141 | }, 142 | { 143 | "_id": "System:-(1)-Created-and-Removed-Users-and-Groups;-(2)-Password-Change-[Visualization:-Data-Table]", 144 | "_type": "visualization", 145 | "_source": { 146 | "title": "System: (1) Created and Removed Users and Groups; (2) Password Change - [Visualization: Data Table]", 147 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"pam_username.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"pam_message.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 148 | "description": "", 149 | "savedSearchId": "System:-(1)-Created-and-Removed-Users-and-Groups;-(2)-Password-Change", 150 | "version": 1, 151 | "kibanaSavedObjectMeta": { 152 | "searchSourceJSON": "{\"filter\":[]}" 153 | } 154 | } 155 | }, 156 | { 157 | "_id": 
"System:-(1)-Created-and-Removed-Users-and-Groups;-(2)-Password-Change-[Visualization:-Pie-Chart]", 158 | "_type": "visualization", 159 | "_source": { 160 | "title": "System: (1) Created and Removed Users and Groups; (2) Password Change - [Visualization: Pie Chart]", 161 | "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"pam_message.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 162 | "description": "", 163 | "savedSearchId": "System:-(1)-Created-and-Removed-Users-and-Groups;-(2)-Password-Change", 164 | "version": 1, 165 | "kibanaSavedObjectMeta": { 166 | "searchSourceJSON": "{\"filter\":[]}" 167 | } 168 | } 169 | }, 170 | { 171 | "_id": "SSH:-Failed-[Data-Table]", 172 | "_type": "visualization", 173 | "_source": { 174 | "title": "SSH: Failed - [Data Table]", 175 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.raw\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 176 | "description": "", 177 | "savedSearchId": "SSH:-Failed-Authentications", 178 | "version": 1, 179 | "kibanaSavedObjectMeta": { 180 | 
"searchSourceJSON": "{\"filter\":[]}" 181 | } 182 | } 183 | }, 184 | { 185 | "_id": "SSH:-Failed-[Tile-Map]", 186 | "_type": "visualization", 187 | "_source": { 188 | "title": "SSH: Failed - [Tile Map]", 189 | "visState": "{\"type\":\"tile_map\",\"params\":{\"mapType\":\"Heatmap\",\"isDesaturated\":true,\"heatMaxZoom\":\"18\",\"heatMinOpacity\":\"0.55\",\"heatRadius\":\"32\",\"heatBlur\":\"18\",\"heatNormalizeData\":true,\"addTooltip\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":false,\"mapZoom\":3,\"mapCenter\":[21.69826549685252,61.34765625],\"precision\":7}}],\"listeners\":{}}", 190 | "description": "", 191 | "savedSearchId": "SSH:-Failed-Authentications", 192 | "version": 1, 193 | "kibanaSavedObjectMeta": { 194 | "searchSourceJSON": "{\"filter\":[]}" 195 | } 196 | } 197 | } 198 | ] -------------------------------------------------------------------------------- /filebeat.yml: -------------------------------------------------------------------------------- 1 | 2 | ################### Filebeat Configuration Example ######################### 3 | 4 | ############################# Filebeat ###################################### 5 | filebeat: 6 | # List of prospectors to fetch data. 7 | prospectors: 8 | # Each - is a prospector. Below are the prospector specific configurations 9 | - 10 | # Paths that should be crawled and fetched. Glob based paths. 11 | # To fetch all ".log" files from a specific level of subdirectories 12 | # /var/log/*/*.log can be used. 13 | # For each file found under this path, a harvester is started. 14 | # Make sure not file is defined twice as this can lead to unexpected behaviour. 
15 | paths: 16 | - /var/log/secure 17 | fields: 18 | log_type: syslog 19 | - 20 | paths: 21 | - /etc/hosts.deny 22 | - /var/log/denyhosts 23 | fields: 24 | log_type: deny-hosts 25 | - 26 | paths: 27 | - /var/log/httpd/ssl_access_log 28 | - /var/log/httpd/apache-access 29 | fields: 30 | log_type: apache-access 31 | - 32 | paths: 33 | - /var/log/httpd/error_log 34 | fields: 35 | log_type: apache-error 36 | - 37 | paths: 38 | - /var/log/mysql/mysql-error.log 39 | fields: 40 | log_type: mysql-error 41 | - 42 | paths: 43 | - /var/log/mysql/mysql-slow.log 44 | fields: 45 | log_type: mysql-slow 46 | - 47 | paths: 48 | - /var/log/*shipper.log 49 | fields: 50 | log_type: shib_logshipper 51 | - 52 | paths: 53 | - /var/log/yum.log 54 | fields: 55 | log_type: yum 56 | 57 | # Configure the file encoding for reading files with international characters 58 | # following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding). 59 | # Some sample encodings: 60 | # plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk, 61 | # hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ... 62 | #encoding: plain 63 | 64 | # Type of the files. Based on this the way the file is read is decided. 65 | # The different types cannot be mixed in one prospector 66 | # 67 | # Possible options are: 68 | # * log: Reads every line of the log file (default) 69 | # * stdin: Reads the standard in 70 | input_type: log 71 | 72 | # Optional additional fields. These field can be freely picked 73 | # to add additional information to the crawled log files for filtering 74 | #fields: 75 | # level: debug 76 | # review: 1 77 | 78 | # Set to true to store the additional fields as top level fields instead 79 | # of under the "fields" sub-dictionary. In case of name conflicts with the 80 | # fields added by Filebeat itself, the custom fields overwrite the default 81 | # fields. 
82 | #fields_under_root: false 83 | 84 | # Ignore files which were modified more than the defined timespan in the past 85 | # Time strings like 2h (2 hours), 5m (5 minutes) can be used. 86 | #ignore_older: 24h 87 | 88 | # Type to be published in the 'type' field. For Elasticsearch output, 89 | # the type defines the document type these entries should be stored 90 | # in. Default: log 91 | #document_type: log 92 | 93 | # Scan frequency in seconds. 94 | # How often these files should be checked for changes. In case it is set 95 | # to 0s, it is done as often as possible. Default: 10s 96 | scan_frequency: 10s 97 | 98 | # Defines the buffer size every harvester uses when fetching the file 99 | #harvester_buffer_size: 16384 100 | 101 | # Setting tail_files to true means filebeat starts reading new files at the end 102 | # instead of the beginning. If this is used in combination with log rotation 103 | # this can mean that the first entries of a new file are skipped. 104 | #tail_files: false 105 | 106 | # Backoff values define how aggressively filebeat crawls new files for updates 107 | # The default values can be used in most cases. Backoff defines how long filebeat waits 108 | # before checking a file again after EOF is reached. Default is 1s which means the file 109 | # is checked every second for new lines. This leads to near real time crawling. 110 | # Every time a new line appears, backoff is reset to the initial value. 111 | #backoff: 1s 112 | 113 | # Max backoff defines what the maximum backoff time is. After having backed off multiple times 114 | # from checking the files, the waiting time will never exceed max_backoff independent of the 115 | # backoff factor. Having it set to 10s means that, in the worst case, after backing off multiple 116 | # times it takes a maximum of 10s to read a new line that was added to the log file. 117 | #max_backoff: 10s 118 | 119 | # The backoff factor defines how fast the algorithm backs off. 
The bigger the backoff factor, 120 | # the faster the max_backoff value is reached. If this value is set to 1, no backoff will happen. 121 | # The backoff value will be multiplied each time with the backoff_factor until max_backoff is reached 122 | #backoff_factor: 2 123 | 124 | # Defines how long the harvester will wait for a line to be completed. 125 | # Sometimes a line is not completely written when checked by filebeat. Filebeat 126 | # will wait for the time defined below so the system can complete the line. 127 | # In case the line is not completed in this time, the line will be skipped. 128 | #partial_line_waiting: 5s 129 | 130 | # This option closes a file, as soon as the file name changes. 131 | # This config option is recommended on windows only. Filebeat keeps the files it's reading open. This can cause 132 | # issues when the file is removed, as the file will not be fully removed until also Filebeat closes 133 | # the reading. Filebeat closes the file handler after ignore_older. During this time no new file with the 134 | # same name can be created. Turning this feature on, on the other hand, can lead to loss of data 135 | # on rotated files. It can happen that after file rotation the beginning of the new 136 | # file is skipped, as the reading starts at the end. We recommend leaving this option on false 137 | # but lowering the ignore_older value to release files faster. 
138 | #force_close_files: false 139 | 140 | #- 141 | # paths: 142 | # - /var/log/apache/*.log 143 | # type: log 144 | # 145 | # # Ignore files which are older then 24 hours 146 | # ignore_older: 24h 147 | # 148 | # # Additional fields which can be freely defined 149 | # fields: 150 | # type: apache 151 | # server: localhost 152 | #- 153 | # type: stdin 154 | # paths: 155 | # - "-" 156 | 157 | # General filebeat configuration options 158 | # 159 | # Event count spool threshold - forces network flush if exceeded 160 | #spool_size: 1024 161 | 162 | # Defines how often the spooler is flushed. After idle_timeout the spooler is 163 | # Flush even though spool_size is not reached. 164 | #idle_timeout: 5s 165 | 166 | # Name of the registry file. Per default it is put in the current working 167 | # directory. In case the working directory is changed after when running 168 | # filebeat again, indexing starts from the beginning again. 169 | #registry_file: .filebeat 170 | 171 | # Full Path to directory with additional prospector configuration files. Each file must end with .yml 172 | # These config files must have the full filebeat config part inside, but only 173 | # the prospector part is processed. All global options like spool_size are ignored. 174 | # The config_dir MUST point to a different directory then where the main filebeat config file is in. 175 | #config_dir: 176 | 177 | 178 | ############################################################################### 179 | ############################# Libbeat Config ################################## 180 | # Base config file used by all other beats for using libbeat features 181 | 182 | ############################# Output ########################################## 183 | 184 | # Configure what outputs to use when sending the data collected by the beat. 185 | # Multiple outputs may be used. 186 | output: 187 | 188 | ### Elasticsearch as output 189 | #elasticsearch: 190 | # Array of hosts to connect to. 
191 | # Scheme and port can be left out and will be set to the default (http and 9200) 192 | # In case you specify and additional path, the scheme is required: http://localhost:9200/path 193 | # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200 194 | #hosts: ["localhost:9200"] 195 | 196 | # Optional protocol and basic auth credentials. These are deprecated. 197 | #protocol: "https" 198 | #username: "admin" 199 | #password: "s3cr3t" 200 | 201 | # Number of workers per Elasticsearch host. 202 | #worker: 1 203 | 204 | # Optional index name. The default is "filebeat" and generates 205 | # [filebeat-]YYYY.MM.DD keys. 206 | #index: "filebeat" 207 | 208 | # Optional HTTP Path 209 | #path: "/elasticsearch" 210 | 211 | # The number of times a particular Elasticsearch index operation is attempted. If 212 | # the indexing operation doesn't succeed after this many retries, the events are 213 | # dropped. The default is 3. 214 | #max_retries: 3 215 | 216 | # The maximum number of events to bulk in a single Elasticsearch bulk API index request. 217 | # The default is 50. 218 | #bulk_max_size: 50 219 | 220 | # Configure http request timeout before failing an request to Elasticsearch. 221 | #timeout: 90 222 | 223 | # The number of seconds to wait for new events between two bulk API index requests. 224 | # If `bulk_max_size` is reached before this interval expires, addition bulk index 225 | # requests are made. 226 | #flush_interval: 1 227 | 228 | # Boolean that sets if the topology is kept in Elasticsearch. The default is 229 | # false. This option makes sense only for Packetbeat. 230 | #save_topology: false 231 | 232 | # The time to live in seconds for the topology information that is stored in 233 | # Elasticsearch. The default is 15 seconds. 234 | #topology_expire: 15 235 | 236 | # tls configuration. By default is off. 
237 | #tls: 238 | # List of root certificates for HTTPS server verifications 239 | #certificate_authorities: ["/etc/pki/root/ca.pem"] 240 | 241 | # Certificate for TLS client authentication 242 | #certificate: "/etc/pki/client/cert.pem" 243 | 244 | # Client Certificate Key 245 | #certificate_key: "/etc/pki/client/cert.key" 246 | 247 | # Controls whether the client verifies server certificates and host name. 248 | # If insecure is set to true, all server host names and certificates will be 249 | # accepted. In this mode TLS based connections are susceptible to 250 | # man-in-the-middle attacks. Use only for testing. 251 | #insecure: true 252 | 253 | # Configure cipher suites to be used for TLS connections 254 | #cipher_suites: [] 255 | 256 | # Configure curve types for ECDHE based cipher suites 257 | #curve_types: [] 258 | 259 | # Configure minimum TLS version allowed for connection to logstash 260 | #min_version: 1.0 261 | 262 | # Configure maximum TLS version allowed for connection to logstash 263 | #max_version: 1.2 264 | 265 | 266 | ### Logstash as output 267 | logstash: 268 | # The Logstash hosts 269 | hosts: ["your_elk_host_ip:5043"] 270 | 271 | # Number of workers per Logstash host. 272 | #worker: 1 273 | 274 | # Optionally load-balance the events between the Logstash hosts 275 | #loadbalance: true 276 | 277 | # Optional index name. The default index name depends on each beat. 278 | # For Packetbeat, the default is set to packetbeat, for Topbeat 279 | # to topbeat and for Filebeat to filebeat. 280 | #index: filebeat 281 | 282 | # Optional TLS. Off by default. 
283 | tls: 284 | # List of root certificates for HTTPS server verifications 285 | certificate_authorities: ["/etc/filebeat/logstash-beats.crt"] 286 | 287 | # Certificate for TLS client authentication. NOTE(review): this points at the same file as certificate_authorities above, and the key below is named like the Logstash server key referenced in logstash.conf. A client certificate should be a distinct, per-client certificate, and the server's private key should never be copied to client hosts. If Logstash is not configured to verify client certificates, omit certificate and certificate_key here and keep only certificate_authorities. 288 | certificate: "/etc/filebeat/logstash-beats.crt" 289 | 290 | # Client Certificate Key 291 | certificate_key: "/etc/filebeat/logstash-beats.key" 292 | 293 | # Controls whether the client verifies server certificates and host name. 294 | # If insecure is set to true, all server host names and certificates will be 295 | # accepted. In this mode TLS based connections are susceptible to 296 | # man-in-the-middle attacks. Use only for testing. 297 | #insecure: true 298 | 299 | # Configure cipher suites to be used for TLS connections 300 | #cipher_suites: [] 301 | 302 | # Configure curve types for ECDHE based cipher suites 303 | #curve_types: [] 304 | 305 | 306 | ### File as output 307 | #file: 308 | # Path to the directory where to save the generated files. The option is mandatory. 309 | #path: "/tmp/filebeat" 310 | 311 | # Name of the generated files. The default is `filebeat` and it generates files: `filebeat`, `filebeat.1`, `filebeat.2`, etc. 312 | #filename: filebeat 313 | 314 | # Maximum size in kilobytes of each file. When this size is reached, the files are 315 | # rotated. The default value is 10 MB. 316 | #rotate_every_kb: 10000 317 | 318 | # Maximum number of files under path. When this number of files is reached, the 319 | # oldest file is deleted and the rest are shifted from last to first. The default 320 | # is 7 files. 321 | #number_of_files: 7 322 | 323 | 324 | ### Console output 325 | # console: 326 | # Pretty print json event 327 | #pretty: false 328 | 329 | 330 | ############################# Shipper ######################################### 331 | 332 | shipper: 333 | # The name of the shipper that publishes the network data. It can be used to group 334 | # all the transactions sent by a single shipper in the web interface. 
335 | # If this option is not defined, the hostname is used. 336 | #name: 337 | 338 | # The tags of the shipper are included in their own field with each 339 | # transaction published. Tags make it easy to group servers by different 340 | # logical properties. 341 | #tags: ["filebeat_this_client_hostname"] 342 | 343 | # Uncomment the following if you want to ignore transactions created 344 | # by the server on which the shipper is installed. This option is useful 345 | # to remove duplicates if shippers are installed on multiple servers. 346 | #ignore_outgoing: true 347 | 348 | # How often (in seconds) shippers are publishing their IPs to the topology map. 349 | # The default is 10 seconds. 350 | #refresh_topology_freq: 10 351 | 352 | # Expiration time (in seconds) of the IPs published by a shipper to the topology map. 353 | # All the IPs will be deleted afterwards. Note that the value must be higher than 354 | # refresh_topology_freq. The default is 15 seconds. 355 | #topology_expire: 15 356 | 357 | # Configure local GeoIP database support. 358 | # If no paths are configured, geoip is disabled. 359 | #geoip: 360 | #paths: 361 | # - "/usr/share/GeoIP/GeoLiteCity.dat" 362 | # - "/usr/local/var/GeoIP/GeoLiteCity.dat" 363 | 364 | 365 | ############################# Logging ######################################### 366 | 367 | # There are three options for the log output: syslog, file, stderr. 368 | # Under Windows systems, the log files are by default sent to the file output, 369 | # under all other systems by default to syslog. 370 | logging: 371 | 372 | # Send all logging output to syslog. On Windows default is false, otherwise 373 | # default is true. 374 | to_syslog: false 375 | 376 | # Write all logging output to files. Beats automatically rotate files if rotateeverybytes 377 | # limit is reached.
378 | to_files: true 379 | 380 | # To enable logging to files, the to_files option has to be set to true 381 | files: 382 | # The directory where the log files will be written to. 383 | path: /var/log/filebeat 384 | 385 | # The name of the files where the logs are written to. 386 | name: filebeat 387 | 388 | # Configure log file size limit. If the limit is reached, the log file will be 389 | # automatically rotated 390 | rotateeverybytes: 10485760 # = 10MB 391 | 392 | # Number of rotated log files to keep. Oldest files will be deleted first. 393 | #keepfiles: 7 394 | 395 | # Enable debug output for selected components. To enable all selectors use ["*"] 396 | # Other available selectors are beat, publish, service 397 | # Multiple selectors can be chained. 398 | #selectors: [ ] 399 | 400 | # Sets log level. The default log level is error. 401 | # Available log levels are: critical, error, warning, info, debug 402 | #level: error 403 | 404 | 405 | -------------------------------------------------------------------------------- /logstash.conf: -------------------------------------------------------------------------------- 1 | input { 2 | ################################################################## 3 | #Port 5043: Filebeat (with TLS) 4 | ################################################################## 5 | beats { 6 | port => 5043 7 | ssl=> "true" 8 | ssl_certificate=>"/etc/pki/tls/certs/logstash-beats.crt" 9 | ssl_key=>"/etc/pki/tls/private/logstash-beats.key" 10 | } 11 | ################################################################## 12 | #Port 5044: Packetbeat (with TLS) 13 | ################################################################## 14 | beats { 15 | port => 5044 16 | ssl=> "true" 17 | ssl_certificate=>"/etc/pki/tls/certs/logstash-beats.crt" 18 | ssl_key=>"/etc/pki/tls/private/logstash-beats.key" 19 | } 20 | ################################################################## 21 | #Port 5045: Topbeat (with TLS) 22 | 
################################################################## 23 | beats { 24 | port => 5045 25 | ssl=> "true" 26 | ssl_certificate=>"/etc/pki/tls/certs/logstash-beats.crt" 27 | ssl_key=>"/etc/pki/tls/private/logstash-beats.key" 28 | } 29 | ################################################################## 30 | #Port 5046: NXLog (Windows) 31 | ################################################################## 32 | tcp { 33 | codec => json_lines { charset => CP1252 } 34 | port => "3515" 35 | tags => [ "tcp_json_windows" ] 36 | } 37 | ################################################################## 38 | #Optional; 39 | #Port 9000: OSSEC to Logstash from ELK Host Server (this machine) 40 | ################################################################## 41 | #udp { 42 | # port => 9000 43 | # type => "syslog" 44 | #} 45 | ################################################################## 46 | #Optional: 47 | #Ping 48 | ################################################################## 49 | #exec { 50 | # command => "fping -C1 ip_to_ping_here" 51 | # interval => 30 52 | # type => "fping" 53 | # tags => [ "fping" ] 54 | # add_field => { "ping_target" => "hostname_of_ip_to_ping_here" } 55 | #} 56 | } #END input 57 | 58 | filter { 59 | if [fields][log_type] == "syslog" { 60 | grok { 61 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:pam_message} %{USER:pam_username} from %{SYSLOGHOST:syslog_hostname}" } 62 | } 63 | grok { 64 | match => { "message" => "Invalid user %{USER:username} from %{IP:src_ip}" } 65 | add_tag => [ "ssh_invalid_user" ] 66 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 67 | } 68 | grok { 69 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: Accepted keyboard-interactive/pam for 
%{USER:username} from %{IP:src_ip} port %{INT:src_port} ssh2" } 70 | add_tag => [ "ssh_plus_google_auth_success" ] 71 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 72 | } 73 | grok { 74 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: Failed password for %{USER:username} from %{IP:src_ip} port %{INT:src_port} ssh2" } 75 | add_tag => [ "ssh_failed_password" ] 76 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 77 | } 78 | grok { 79 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}: Accepted %{WORD:auth_method} for %{USER:username} from %{IP:src_ip} port %{INT:src_port} ssh2" } 80 | add_tag => [ "ssh_auth_success" ] 81 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 82 | } 83 | grok { 84 | match => { "message" => "%{SYSLOGPROG}: %{WORD:pam_type}\(%{DATA:pam_message}\): access denied for user `%{USER:pam_username}' from `%{SYSLOGHOST:syslog_hostname}'" } 85 | add_tag => [ "ssh_google_auth_failed" ] 86 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 87 | } 88 | grok { 89 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}\(%{DATA:pam_message}\)(?:\[%{POSINT:syslog_pid}\])?: Did not receive verification code from user" } 90 | add_tag => [ "ssh_google_auth_failed", "ssh_google_auth_no_verification_code" ] 91 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 92 | } 93 | grok { 94 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}\(%{DATA:pam_message}\)(?:\[%{POSINT:syslog_pid}\])?: Secret file %{QUOTEDSTRING:google_auth_secret_file_path} changed while trying to use scratch code" } 95 | add_tag => [ 
"ssh_google_auth_failed", "ssh_google_auth_scratch_code_error" ] 96 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 97 | } 98 | grok { 99 | match => { "message" => "Accepted %{DATA:pam_message} for %{USER:username} from %{IP:src_ip} port %{INT:src_port} ssh2" } 100 | add_tag => [ "ssh_auth_success" ] 101 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 102 | } 103 | grok { 104 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}: %{GREEDYDATA:ssh_session_closed_message} by %{IP:src_ip}" } 105 | add_tag => [ "ssh_logout" ] 106 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 107 | } 108 | grok { 109 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}: %{WORD:pam_type}\(%{DATA:pam_message}\): authentication failure; logname=%{DATA:logname} uid=%{BASE10NUM:uid} euid=%{BASE10NUM:euid} tty=%{DATA:tty} ruser=%{DATA:ruser} rhost=%{SYSLOGHOST:syslog_hostname} {1,2}user=%{USER:pam_username}" } 110 | add_tag => [ "ssh_auth_failed" ] 111 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 112 | } 113 | grok { 114 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}: error: PAM: Authentication failure for %{USER:pam_username} from %{SYSLOGHOST:syslog_hostname}" } 115 | add_tag => [ "ssh_auth_failed" ] 116 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 117 | } 118 | grok { 119 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}: %{WORD:pam_type}\(%{DATA:pam_message}\): session opened for user %{USER:pam_username} by \(uid=%{INT:pam_UID}\)" } 120 | add_tag => [ "ssh_session_opened" ] 121 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 
122 | } 123 | grok { 124 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: Accepted publickey for %{USER:username} from %{IP:src_ip} port %{INT:src_port} ssh2" } 125 | add_tag => [ "ssh_accepted_publickey" ] 126 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 127 | } 128 | grok { 129 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{WORD:pam_type}\(%{DATA:pam_message}\): session closed for user %{USER:pam_username}" } 130 | add_tag => [ "ssh_logout"] 131 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 132 | } 133 | grok { 134 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: Received disconnect from %{IP:src_ip}: %{INT:pam_random}: disconnected by user" } 135 | add_tag => [ "ssh_disconnect" ] 136 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 137 | } 138 | grok { 139 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: new group: name=%{USER:pam_username}, GID=%{INT:pam_GID}" } 140 | add_tag => [ "linux_new_group" ] 141 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 142 | } 143 | grok { 144 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}: new user: name=%{USER:pam_username}, UID=%{INT:pam_UID}, GID=%{INT:pam_GID}, home=%{DATA:pam_home_path}, shell=%{DATA:pam_shell}" } 145 | add_tag => [ "linux_new_user"] 146 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 147 | } 148 | grok { 149 | match => { 
"message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}: %{WORD:pam_type}\(%{DATA:pam_message}\): password changed for %{USER:pam_username}" } 150 | add_tag => [ "linux_password_changed" ] 151 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 152 | } 153 | grok { 154 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}: delete user '%{USER:pam_username}'" } 155 | add_tag => [ "linux_delete_user" ] 156 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 157 | } 158 | grok { 159 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{WORD:sudo_word}: %{WORD:pam_type}\(%{DATA:pam_message}\): %{GREEDYDATA:sudo_message}; logname=%{DATA:logname} uid=%{BASE10NUM:uid} euid=%{BASE10NUM:euid} tty=%{DATA:tty} ruser=%{DATA:ruser} rhost=%{SYSLOGHOST:syslog_hostname} {1,2}user=%{USER:pam_username}" } 160 | add_tag => [ "linux_sudo_attempt"] 161 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 162 | } 163 | grok { 164 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host_single} %{SYSLOGPROG}: removed group '%{DATA:pam_group}' owned by '%{USER:pam_username}'" } 165 | add_tag => [ "linux_removed_group" ] 166 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 167 | } 168 | grok { 169 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}: %{USER:priv_username}{1,2} : %{GREEDYDATA:priv_message}" } 170 | add_tag => [ "linux_privilege_attempt" ] 171 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 172 | } 173 | 174 | #temporarily removed on 11.5.15 because errors about nil host in logstash.err 175 | #dns { resolve => ["host"] action => "replace" } 176 | #mutate { add_tag => 
["dns_resolve"] } 177 | 178 | geoip { 179 | source => "src_ip" 180 | target => "geoip" 181 | add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"] 182 | add_field => ["[geoip][coordinates]","%{[geoip][latitude]}"] 183 | } 184 | mutate { 185 | convert => [ "[geoip][coordinates]", "float" ] 186 | } 187 | geoip { 188 | source => "host" 189 | target => "geoip" 190 | add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"] 191 | add_field => ["[geoip][coordinates]","%{[geoip][latitude]}"] 192 | } 193 | mutate { 194 | convert => [ "[geoip][coordinates]", "float" ] 195 | } 196 | } 197 | 198 | if [fields][log_type] == "apache-access" { 199 | grok { 200 | match => { "message" => "%{COMBINEDAPACHELOG}" } 201 | } 202 | grok { 203 | match => { "message" => "%{IP:src_ip} - %{USER:basic_auth_user} (?:\[%{HTTPDATE}\])? %{QUOTEDSTRING:basic_auth_message} %{NUMBER:basic_auth_response} (?:%{NUMBER:basic_auth_bytes}|-)" } 204 | } 205 | if [basic_auth_response] == "401" and "-" not in [basic_auth_user] { 206 | mutate { 207 | add_tag => [ "basic_auth_failure" ] 208 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 209 | } 210 | } 211 | if [basic_auth_response] == "404" and "-" not in [basic_auth_user] { 212 | mutate { 213 | add_tag => [ "basic_auth_failure" ] 214 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 215 | } 216 | } 217 | if [basic_auth_response] == "200" and "-" not in [basic_auth_user] { 218 | mutate { 219 | add_tag => [ "basic_auth_success" ] 220 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 221 | } 222 | } 223 | geoip { 224 | source => "src_ip" 225 | target => "geoip" 226 | add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"] 227 | add_field => ["[geoip][coordinates]","%{[geoip][latitude]}"] 228 | } 229 | mutate { 230 | convert => [ "[geoip][coordinates]", "float" ] 231 | } 232 | } 233 | 234 | if 
[fields][log_type] == "apache-error" { 235 | grok { 236 | match => { "message" => "\[(?%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[.*:%{LOGLEVEL:loglevel}\] \[pid %{NUMBER:pid}\] %{GREEDYDATA:errormsg} \[client %{IP:src_ip}:%{DATA:src_port}\] %{GREEDYDATA:errormsg}" } 237 | } 238 | grok { 239 | match => { "message" => "\[%{DATA:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IP:src_ip}\]) user %{USER:basic_auth_user} not found" } 240 | add_tag => [ "basic_auth_user_not_found"] 241 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 242 | } 243 | grok { 244 | match => { "message" => "\[%{DATA:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IP:src_ip}\]) user %{USER:basic_auth_user}: authentication failure %{GREEDYDATA:apache_errmsg}" } 245 | add_tag => [ "basic_auth_password_mismatch"] 246 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 247 | } 248 | geoip { 249 | source => "src_ip" 250 | target => "geoip" 251 | add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"] 252 | add_field => ["[geoip][coordinates]","%{[geoip][latitude]}"] 253 | } 254 | mutate { 255 | convert => [ "[geoip][coordinates]", "float" ] 256 | } 257 | } 258 | 259 | if [fields][log_type] == "apache-ssl-access" { 260 | grok { 261 | match => { "message" => "%{IP:src_ip} - %{USER:basic_auth_user} (?:\[%{HTTPDATE}\])? %{QUOTEDSTRING:basic_auth_message} %{NUMBER:basic_auth_response} (?:%{NUMBER:basic_auth_bytes}|-)" } 262 | add_tag => [ "basic_auth_attempt"] 263 | } 264 | if [basic_auth_response] == "401" and "-" not in [basic_auth_user] { 265 | grok { 266 | match => { "message" => "%{IP:src_ip} - %{USER:basic_auth_user} (?:\[%{HTTPDATE}\])? 
%{QUOTEDSTRING:basic_auth_message} %{NUMBER:basic_auth_response} (?:%{NUMBER:basic_auth_bytes}|-)" } 267 | add_tag => [ "basic_auth_failure"] 268 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 269 | } 270 | } 271 | if [basic_auth_response] == "404" and "-" not in [basic_auth_user] { 272 | grok { 273 | match => { "message" => "%{IP:src_ip} - %{USER:basic_auth_user} (?:\[%{HTTPDATE}\])? %{QUOTEDSTRING:basic_auth_message} %{NUMBER:basic_auth_response} (?:%{NUMBER:basic_auth_bytes}|-)" } 274 | add_tag => [ "basic_auth_failure"] 275 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 276 | } 277 | } 278 | if [basic_auth_response] == "200" and "-" not in [basic_auth_user] { 279 | mutate { 280 | add_tag => [ "basic_auth_success" ] 281 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 282 | } 283 | } 284 | 285 | geoip { 286 | source => "src_ip" 287 | target => "geoip" 288 | add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"] 289 | add_field => ["[geoip][coordinates]","%{[geoip][latitude]}"] 290 | } 291 | mutate { 292 | convert => [ "[geoip][coordinates]", "float" ] 293 | } 294 | } 295 | 296 | if [fields][log_type] == "shibboleth" { 297 | grok { 298 | match => [ "message", "%{SYSLOGTIMESTAMP:shib_event_timestamp} %{WORD:shib_notification_type} %{DATA:shib_trans_type}:\ New session \(ID: %{DATA:shib_session_id}\) with \(applicationId: %{DATA:shib_application_id}\) for principal from \(IdP: %{DATA:shib_IdP}\) at \(ClientAddress: %{IP:src_ip}\) with \(NameIdentifier: %{DATA:shib_name_identifier}\) using \(Protocol: %{DATA:shib_protocol}\) from \(AssertionID: %{DATA:shib_assertion_id}\)" ] 299 | } 300 | date { 301 | match => [ "time", "YYYY-MM-dd HH:mm:ss"] 302 | } 303 | geoip { 304 | source => "src_ip" 305 | target => "geoip" 306 | add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"] 307 | add_field => 
["[geoip][coordinates]","%{[geoip][latitude]}"] 308 | } 309 | mutate { 310 | convert => [ "[geoip][coordinates]", "float" ] 311 | } 312 | } 313 | 314 | if [fields][log_type] == "shibboleth-warn" { 315 | grok { 316 | match => [ "message", "%{SYSLOGTIMESTAMP:shib_warn_event_timestamp} %{WORD:shib_warn_notification_type} %{GREEDYDATA:shib_warn_message}" ] 317 | } 318 | date { 319 | match => [ "time", "YYYY-MM-dd HH:mm:ss"] 320 | } 321 | } 322 | 323 | if [fields][log_type] == "shib_logshipper" { 324 | grok { 325 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{GREEDYDATA:logshipper_source} %{WORD:logshipper_type1}: %{GREEDYDATA:logshipper_type2} %{INT:logshipper_timestamp} %{WORD:logshipper_shib_username} %{IP:src_ip}" } 326 | add_tag => [ "shib_logshipper"] 327 | remove_tag => [ "_jsonparsefailure", "_grokparsefailure", "_jsonparsefailure_grokparsefailure" ] 328 | } 329 | geoip { 330 | source => "src_ip" 331 | target => "geoip" 332 | add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"] 333 | add_field => ["[geoip][coordinates]","%{[geoip][latitude]}"] 334 | } 335 | mutate { 336 | convert => [ "[geoip][coordinates]", "float" ] 337 | } 338 | } 339 | 340 | if [fields][log_type] == "deny-hosts" { 341 | grok { 342 | match => [ "message", "%{DATA:discard}\ %{SYSLOGTIMESTAMP:timestamp} %{YEAR} %{DATA:discard} %{IP:src_ip}" ] 343 | add_tag => "deny_hosts" 344 | remove_field => [ "%{discard}" ] 345 | } 346 | grok { 347 | match => [ "message", "%{TIMESTAMP_ISO8601:syslog_timestamp} - %{GREEDYDATA:denyhosts_status} \[%{DATA:denyhosts_denied_host}\]" ] 348 | add_tag => "deny_hosts" 349 | } 350 | date { 351 | match => [ "time", "MM dd HH:mm:ss YYYY"] 352 | } 353 | geoip { 354 | source => "src_ip" 355 | target => "geoip" 356 | add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"] 357 | add_field => ["[geoip][coordinates]","%{[geoip][latitude]}"] 358 | } 359 | mutate { 360 | convert => [ "[geoip][coordinates]", "float" ] 361 | } 362 | } 363 | 364 | if 
[fields][log_type] == "yum" { 365 | grok { 366 | match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{DATA:yum_event}\: %{GREEDYDATA:yum_package}" } 367 | add_tag => [ "yum_events" ] 368 | } 369 | } 370 | 371 | if [fields][log_type] == "audit" { 372 | grok { 373 | match => { "message" => "type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): user pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_audid} ses=%{NUMBER:audit_ses} msg='op=%{DATA:audit_op} acct=%{QUOTEDSTRING:pam_username} exe=%{QUOTEDSTRING:audit_exe} hostname=%{DATA:src_ip} addr=%{DATA:src_ip} terminal=%{DATA:audit_terminal} res=%{DATA:audit_result}'" } 374 | add_tag => [ "audit_log" ] 375 | } 376 | geoip { 377 | source => "src_ip" 378 | target => "geoip" 379 | add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"] 380 | add_field => ["[geoip][coordinates]","%{[geoip][latitude]}"] 381 | } 382 | mutate { 383 | convert => [ "[geoip][coordinates]", "float" ] 384 | } 385 | } 386 | 387 | if [fields][log_type] == "audit-commands" { 388 | grok { 389 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{WORD:host_single} %{USER:pam_username}: %{USER:pam_username} (?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:audit_command} (?:\[%{POSINT:audit_command_response}\])?" 
} 390 | add_tag => [ "audit_log_commands" ] 391 | } 392 | } 393 | 394 | ##################################################### 395 | #fping 396 | ##################################################### 397 | 398 | if "fping" in [tags] { 399 | grok { 400 | match => { "message" => "%{IP:ping_target_ip} : %{DATA:ping_int}, %{INT:ping_bytes} bytes, %{DATA:ping_ms} ms \(%{DATA:ping_avg} avg, %{INT:ping_loss}% loss\)" } 401 | } 402 | } #if 403 | 404 | if "fping" in [tags] and [ping_loss] == "0" { 405 | mutate { add_tag => "ping_loss_no" } 406 | } 407 | if "fping" in [tags] and [ping_loss] != "0" { 408 | mutate { add_tag => "ping_loss_yes" } 409 | } 410 | 411 | ######################################## 412 | #if you wanted to throttle events so 413 | #you only receive an event after 2 414 | #occurrences and you get no more than 415 | #3 in 10 minutes 416 | ######################################## 417 | 418 | if "ping_loss_yes" in [tags] { 419 | throttle{ 420 | period => 600 421 | before_count => 4 422 | after_count => 5 423 | key => "%{message}" 424 | add_tag => "AlertOnTag_ping_loss_yes" 425 | } 426 | 427 | } 428 | 429 | ##################################################### 430 | #port 9000: OSSEC 431 | ##################################################### 432 | 433 | if [type] == "syslog" { 434 | grok { 435 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}: Alert Level: %{NONNEGINT:Alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:Location}; (user: %{USER:User};%{SPACE})?(srcip: %{IP:Src_IP};%{SPACE})?(user: %{USER:User};%{SPACE})?(dstip: %{IP:Dst_IP};%{SPACE})?(src_port: %{NONNEGINT:Src_Port};%{SPACE})?(dst_port: %{NONNEGINT:Dst_Port};%{SPACE})?%{GREEDYDATA:Details}" } 436 | add_tag => [ "ossec"] 437 | add_field => [ "ossec_server", "%{host}" ] 438 | } 439 | mutate { 440 | remove_field => [ "message","syslog_timestamp", "syslog_program", "syslog_host", "syslog_message", "syslog_pid", 
"@version", "type", "host" ] 441 | } 442 | } 443 | 444 | ##################################################### 445 | #port 3515: NXLog 446 | ##################################################### 447 | if "tcp_json_windows" in [tags] { 448 | date { 449 | locale => "en" 450 | timezone => "Etc/GMT" 451 | match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ] 452 | } 453 | } 454 | 455 | ##################################################### 456 | #For all: remove certain items from [tags] 457 | ##################################################### 458 | if "_grokparsefailure" in [tags] { 459 | mutate { 460 | remove_tag => "_grokparsefailure" 461 | } 462 | } 463 | if "_jsonparsefailure" in [tags] { 464 | mutate { 465 | remove_tag => "_jsonparsefailure" 466 | } 467 | } 468 | if "_jsonparsefailure_grokparsefailure" in [tags] { 469 | mutate { 470 | remove_tag => "_jsonparsefailure_grokparsefailure" 471 | } 472 | } 473 | 474 | ##################################################### 475 | #Netflow: convert cisco message to standard message 476 | ##################################################### 477 | 478 | if "_grokparsefailure" not in [tags] { 479 | mutate { 480 | rename => ["cisco_message", "message"] 481 | remove_field => ["timestamp"] 482 | } 483 | } 484 | 485 | ################################################################## 486 | #If no Beat (e.g. - OSSEC input), define index as logstash 487 | ################################################################## 488 | if ! 
[@metadata][beat] { 489 | mutate { 490 | replace => [ '[@metadata][beat]', 'logstash' ] 491 | } 492 | } 493 | 494 | ################################################################## 495 | #Metrics 496 | #https://www.elastic.co/blog/logstash-configuration-tuning 497 | ################################################################## 498 | metrics { 499 | meter => "documents" 500 | add_tag => "metric" 501 | flush_interval => 60 502 | } 503 | 504 | }#END filter 505 | 506 | output { 507 | 508 | ################################################################## 509 | #Output to Elasticsearch 510 | ################################################################## 511 | elasticsearch { 512 | hosts => "localhost:9200" 513 | manage_template => false 514 | index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" 515 | document_type => "%{[@metadata][type]}" 516 | } 517 | 518 | ################################################################## 519 | #Write every event to standard output (rubydebug codec) 520 | ################################################################## 521 | stdout { codec => rubydebug } 522 | 523 | ################################################################## 524 | #Logstash metrics 525 | ################################################################## 526 | 527 | 528 | if "metric" in [tags] { 529 | stdout { 530 | codec => line { 531 | format => "1m rate: %{documents.rate_1m} ( %{documents.count} )" 532 | } 533 | } 534 | } 535 | 536 | if "AlertOnTag_ping_loss_yes" in [tags] { 537 | email { 538 | from => "logstash.alert@nowhere.com" 539 | subject => "UCLA-ISO-ELK Alert: Host Down" 540 | to => "your_email_here" 541 | via => "smtp" 542 | body => "Host: UCLA-ISO-ELK Alert: Host down: %{ping_target}. Original event log entry: %{message}" 543 | htmlbody => "

UCLA-ISO-ELK Alert: Host down: %{ping_target}


Original event log entry:
%{message}

" 544 | } 545 | } 546 | 547 | 548 | } #END output -------------------------------------------------------------------------------- /kibana-searches.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "Cache-transactions", 4 | "_type": "search", 5 | "_source": { 6 | "sort": [ 7 | "@timestamp", 8 | "desc" 9 | ], 10 | "hits": 0, 11 | "description": "", 12 | "title": "Cache transactions", 13 | "version": 1, 14 | "kibanaSavedObjectMeta": { 15 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[],\"query\":{\"query_string\":{\"query\":\"type: redis\",\"analyze_wildcard\":true}}}" 16 | }, 17 | "columns": [ 18 | "type", 19 | "method", 20 | "path", 21 | "responsetime", 22 | "status" 23 | ] 24 | } 25 | }, 26 | { 27 | "_id": "DB-transactions", 28 | "_type": "search", 29 | "_source": { 30 | "sort": [ 31 | "@timestamp", 32 | "desc" 33 | ], 34 | "hits": 0, 35 | "description": "", 36 | "title": "DB transactions", 37 | "version": 1, 38 | "kibanaSavedObjectMeta": { 39 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[],\"query\":{\"query_string\":{\"query\":\"type: mysql or type: pgsql or type: mongodb\",\"analyze_wildcard\":true}}}" 40 | }, 41 | "columns": [ 42 | "type", 43 | "method", 44 | "path", 45 | "responsetime", 46 | "status" 47 | ] 48 | } 49 | }, 50 | { 51 | "_id": "Default-Search", 52 | "_type": "search", 53 | "_source": { 54 | "sort": [ 55 | "@timestamp", 56 | "desc" 57 | ], 58 | "hits": 0, 59 | "description": "", 60 | "title": "Default Search", 61 | "version": 1, 62 | "kibanaSavedObjectMeta": { 63 | "searchSourceJSON": 
"{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[packetbeat-]YYYY.MM.DD\",\"key\":\"type\",\"negate\":false,\"value\":\"mongodb\"},\"query\":{\"match\":{\"type\":{\"query\":\"mongodb\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 64 | }, 65 | "columns": [ 66 | "method", 67 | "type", 68 | "path", 69 | "responsetime", 70 | "status", 71 | "query" 72 | ] 73 | } 74 | }, 75 | { 76 | "_id": "Errors", 77 | "_type": "search", 78 | "_source": { 79 | "sort": [ 80 | "@timestamp", 81 | "desc" 82 | ], 83 | "hits": 0, 84 | "description": "", 85 | "title": "Errors", 86 | "version": 1, 87 | "kibanaSavedObjectMeta": { 88 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":true,\"key\":\"status\",\"value\":\"OK\",\"disabled\":false},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 89 | }, 90 | "columns": [ 91 | "type", 92 | "method", 93 | "path", 94 | "responsetime", 95 | "status" 96 | ] 97 | } 98 | }, 99 | { 100 | "_id": "Filesystem-stats", 101 | "_type": "search", 102 | "_source": { 103 | "sort": [ 104 | "@timestamp", 105 | "desc" 106 | ], 107 | "hits": 0, 108 | "description": "", 109 | "title": "Filesystem stats", 110 | "version": 1, 111 | "kibanaSavedObjectMeta": { 112 | "searchSourceJSON": "{\"index\":\"[topbeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"type: 
filesystem\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"filter\":[]}" 113 | }, 114 | "columns": [ 115 | "_source" 116 | ] 117 | } 118 | }, 119 | { 120 | "_id": "HTTP-errors", 121 | "_type": "search", 122 | "_source": { 123 | "sort": [ 124 | "@timestamp", 125 | "desc" 126 | ], 127 | "hits": 0, 128 | "description": "", 129 | "title": "HTTP errors", 130 | "version": 1, 131 | "kibanaSavedObjectMeta": { 132 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":false,\"key\":\"type\",\"value\":\"http\",\"disabled\":false},\"query\":{\"match\":{\"type\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":true,\"index\":\"[packetbeat-]YYYY.MM.DD\",\"key\":\"http.code\",\"value\":200,\"disabled\":false},\"query\":{\"match\":{\"http.code\":{\"query\":200,\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}" 133 | }, 134 | "columns": [ 135 | "type", 136 | "method", 137 | "path", 138 | "responsetime", 139 | "status" 140 | ] 141 | } 142 | }, 143 | { 144 | "_id": "MongoDB-errors", 145 | "_type": "search", 146 | "_source": { 147 | "sort": [ 148 | "@timestamp", 149 | "desc" 150 | ], 151 | "hits": 0, 152 | "description": "", 153 | "title": "MongoDB errors", 154 | "version": 1, 155 | "kibanaSavedObjectMeta": { 156 | "searchSourceJSON": 
"{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[packetbeat-]YYYY.MM.DD\",\"key\":\"type\",\"negate\":false,\"value\":\"mongodb\"},\"query\":{\"match\":{\"type\":{\"query\":\"mongodb\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":true,\"index\":\"[packetbeat-]YYYY.MM.DD\",\"key\":\"status\",\"value\":\"OK\",\"disabled\":false},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 157 | }, 158 | "columns": [ 159 | "method", 160 | "type", 161 | "path", 162 | "responsetime", 163 | "status", 164 | "query" 165 | ] 166 | } 167 | }, 168 | { 169 | "_id": "MongoDB-transactions", 170 | "_type": "search", 171 | "_source": { 172 | "sort": [ 173 | "@timestamp", 174 | "desc" 175 | ], 176 | "hits": 0, 177 | "description": "", 178 | "title": "MongoDB transactions", 179 | "version": 1, 180 | "kibanaSavedObjectMeta": { 181 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[packetbeat-]YYYY.MM.DD\",\"key\":\"type\",\"negate\":false,\"value\":\"mongodb\"},\"query\":{\"match\":{\"type\":{\"query\":\"mongodb\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 182 | }, 183 | "columns": [ 184 | "method", 185 | "type", 186 | "path", 187 | "responsetime", 188 | "status", 189 | "query" 190 | ] 191 | } 192 | }, 193 | { 194 | "_id": "MongoDB-transactions-with-write-concern-0", 195 | "_type": "search", 196 | "_source": { 197 | "sort": [ 198 | "@timestamp", 199 | "desc" 200 | ], 201 | "hits": 0, 202 | "description": "", 203 
| "title": "MongoDB transactions with write concern 0", 204 | "version": 1, 205 | "kibanaSavedObjectMeta": { 206 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[packetbeat-]YYYY.MM.DD\",\"key\":\"type\",\"negate\":false,\"value\":\"mongodb\"},\"query\":{\"match\":{\"type\":{\"query\":\"mongodb\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"request: \\\"writeConcern w 0\\\"\"}}}" 207 | }, 208 | "columns": [ 209 | "method", 210 | "type", 211 | "path", 212 | "responsetime", 213 | "status", 214 | "query" 215 | ] 216 | } 217 | }, 218 | { 219 | "_id": "MySQL-errors", 220 | "_type": "search", 221 | "_source": { 222 | "sort": [ 223 | "@timestamp", 224 | "desc" 225 | ], 226 | "hits": 0, 227 | "description": "", 228 | "title": "MySQL errors", 229 | "version": 1, 230 | "kibanaSavedObjectMeta": { 231 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[packetbeat-]YYYY.MM.DD\",\"key\":\"type\",\"negate\":false,\"value\":\"mysql\"},\"query\":{\"match\":{\"type\":{\"query\":\"mysql\",\"type\":\"phrase\"}}}},{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":true,\"key\":\"status\",\"value\":\"OK\",\"disabled\":false},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}" 232 | }, 233 | "columns": [ 234 | "method", 235 | "type", 236 | "path", 237 | "responsetime", 238 | "status" 239 | ] 240 | } 241 | }, 242 | { 243 | "_id": "MySQL-Transactions", 244 | "_type": "search", 245 | "_source": { 246 | "sort": [ 247 | 
"@timestamp", 248 | "desc" 249 | ], 250 | "hits": 0, 251 | "description": "", 252 | "title": "MySQL Transactions", 253 | "version": 1, 254 | "kibanaSavedObjectMeta": { 255 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":false,\"key\":\"type\",\"value\":\"mysql\",\"disabled\":false},\"query\":{\"match\":{\"type\":{\"query\":\"mysql\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}" 256 | }, 257 | "columns": [ 258 | "method", 259 | "type", 260 | "path", 261 | "responsetime", 262 | "status" 263 | ] 264 | } 265 | }, 266 | { 267 | "_id": "PgSQL-errors", 268 | "_type": "search", 269 | "_source": { 270 | "sort": [ 271 | "@timestamp", 272 | "desc" 273 | ], 274 | "hits": 0, 275 | "description": "", 276 | "title": "PgSQL errors", 277 | "version": 1, 278 | "kibanaSavedObjectMeta": { 279 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[packetbeat-]YYYY.MM.DD\",\"key\":\"type\",\"negate\":false,\"value\":\"pgsql\"},\"query\":{\"match\":{\"type\":{\"query\":\"pgsql\",\"type\":\"phrase\"}}}},{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":true,\"key\":\"status\",\"value\":\"OK\",\"disabled\":false},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 280 | }, 281 | "columns": [ 282 | "method", 283 | "type", 284 | "path", 285 | "responsetime", 286 | "status" 287 | ] 288 | } 289 | }, 290 | { 291 | "_id": "PgSQL-transactions", 292 | "_type": "search", 293 | "_source": { 294 | "sort": [ 295 | "@timestamp", 296 | 
"desc" 297 | ], 298 | "hits": 0, 299 | "description": "", 300 | "title": "PgSQL transactions", 301 | "version": 1, 302 | "kibanaSavedObjectMeta": { 303 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":false,\"key\":\"type\",\"value\":\"pgsql\",\"disabled\":false},\"query\":{\"match\":{\"type\":{\"query\":\"pgsql\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 304 | }, 305 | "columns": [ 306 | "method", 307 | "type", 308 | "path", 309 | "responsetime", 310 | "status" 311 | ] 312 | } 313 | }, 314 | { 315 | "_id": "Processes", 316 | "_type": "search", 317 | "_source": { 318 | "sort": [ 319 | "@timestamp", 320 | "desc" 321 | ], 322 | "hits": 0, 323 | "description": "", 324 | "title": "Processes", 325 | "version": 1, 326 | "kibanaSavedObjectMeta": { 327 | "searchSourceJSON": "{\"index\":\"[topbeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"[topbeat-]YYYY.MM.DD\",\"key\":\"type\",\"value\":\"proc\",\"disabled\":false},\"query\":{\"match\":{\"type\":{\"query\":\"proc\",\"type\":\"phrase\"}}}}]}" 328 | }, 329 | "columns": [ 330 | "proc.name", 331 | "proc.cpu.user_p", 332 | "proc.mem.rss_p", 333 | "proc.mem.rss", 334 | "proc.state", 335 | "proc.cpu.start_time" 336 | ] 337 | } 338 | }, 339 | { 340 | "_id": "Proc-stats", 341 | "_type": "search", 342 | "_source": { 343 | "sort": [ 344 | "@timestamp", 345 | "desc" 346 | ], 347 | "hits": 0, 348 | "description": "", 349 | "title": "Proc stats", 350 | "version": 1, 351 | "kibanaSavedObjectMeta": { 352 | 
"searchSourceJSON": "{\"index\":\"[topbeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"type: process\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"filter\":[]}" 353 | }, 354 | "columns": [ 355 | "_source" 356 | ] 357 | } 358 | }, 359 | { 360 | "_id": "RPC-transactions", 361 | "_type": "search", 362 | "_source": { 363 | "sort": [ 364 | "@timestamp", 365 | "desc" 366 | ], 367 | "hits": 0, 368 | "description": "", 369 | "title": "RPC transactions", 370 | "version": 1, 371 | "kibanaSavedObjectMeta": { 372 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[],\"query\":{\"query_string\":{\"query\":\"type: thrift\",\"analyze_wildcard\":true}}}" 373 | }, 374 | "columns": [ 375 | "type", 376 | "method", 377 | "path", 378 | "responsetime", 379 | "status" 380 | ] 381 | } 382 | }, 383 | { 384 | "_id": "System-stats", 385 | "_type": "search", 386 | "_source": { 387 | "sort": [ 388 | "@timestamp", 389 | "desc" 390 | ], 391 | "hits": 0, 392 | "description": "", 393 | "title": "System stats", 394 | "version": 1, 395 | "kibanaSavedObjectMeta": { 396 | "searchSourceJSON": "{\"index\":\"[topbeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"type: system\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"filter\":[]}" 397 | }, 398 | "columns": [ 399 | "_source" 400 | ] 401 | } 402 | }, 403 | { 404 | "_id": "System-wide", 405 | "_type": "search", 406 | "_source": { 407 | "sort": [ 408 | "@timestamp", 409 | "desc" 410 | ], 411 | "hits": 0, 412 | "description": "", 413 | 
"title": "System wide", 414 | "version": 1, 415 | "kibanaSavedObjectMeta": { 416 | "searchSourceJSON": "{\"index\":\"[topbeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"[topbeat-]YYYY.MM.DD\",\"key\":\"type\",\"value\":\"system\",\"disabled\":false},\"query\":{\"match\":{\"type\":{\"query\":\"system\",\"type\":\"phrase\"}}}}]}" 417 | }, 418 | "columns": [ 419 | "beat.name", 420 | "cpu.user_p", 421 | "cpu.steal", 422 | "load.load1", 423 | "load.load5", 424 | "mem.used", 425 | "mem.used_p" 426 | ] 427 | } 428 | }, 429 | { 430 | "_id": "Thrift-errors", 431 | "_type": "search", 432 | "_source": { 433 | "sort": [ 434 | "@timestamp", 435 | "desc" 436 | ], 437 | "hits": 0, 438 | "description": "", 439 | "title": "Thrift errors", 440 | "version": 1, 441 | "kibanaSavedObjectMeta": { 442 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[packetbeat-]YYYY.MM.DD\",\"key\":\"type\",\"negate\":false,\"value\":\"thrift\"},\"query\":{\"match\":{\"type\":{\"query\":\"thrift\",\"type\":\"phrase\"}}}},{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":true,\"key\":\"status\",\"value\":\"OK\",\"disabled\":false},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"type: thrift\"}}}" 443 | }, 444 | "columns": [ 445 | "method", 446 | "type", 447 | "path", 448 | "responsetime", 449 | "status" 450 | ] 451 | } 452 | }, 453 | { 454 | "_id": "Thrift-transactions", 455 | "_type": "search", 456 | "_source": { 457 | "sort": [ 458 | "@timestamp", 459 | 
"desc" 460 | ], 461 | "hits": 0, 462 | "description": "", 463 | "title": "Thrift transactions", 464 | "version": 1, 465 | "kibanaSavedObjectMeta": { 466 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":false,\"key\":\"type\",\"value\":\"thrift\",\"disabled\":false},\"query\":{\"match\":{\"type\":{\"query\":\"thrift\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"type: thrift\"}}}" 467 | }, 468 | "columns": [ 469 | "method", 470 | "type", 471 | "path", 472 | "responsetime", 473 | "status" 474 | ] 475 | } 476 | }, 477 | { 478 | "_id": "Web-transactions", 479 | "_type": "search", 480 | "_source": { 481 | "sort": [ 482 | "@timestamp", 483 | "desc" 484 | ], 485 | "hits": 0, 486 | "description": "", 487 | "title": "Web transactions", 488 | "version": 1, 489 | "kibanaSavedObjectMeta": { 490 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":false,\"key\":\"type\",\"value\":\"http\",\"disabled\":false},\"query\":{\"match\":{\"type\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}" 491 | }, 492 | "columns": [ 493 | "type", 494 | "method", 495 | "path", 496 | "responsetime", 497 | "status" 498 | ] 499 | } 500 | }, 501 | { 502 | "_id": "NXLog:-Windows-Software:-Installation-and-Updates", 503 | "_type": "search", 504 | "_source": { 505 | "title": "NXLog: Windows Software: Installation and Updates", 506 | "description": "", 507 | "hits": 0, 508 | "columns": [ 509 | "_source" 510 | ], 511 | "sort": [ 512 | "@timestamp", 513 | "desc" 514 | 
], 515 | "version": 1, 516 | "kibanaSavedObjectMeta": { 517 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"tags:tcp_json_windows AND \\\"Installation Successful\\\"\",\"analyze_wildcard\":true}}}" 518 | } 519 | } 520 | }, 521 | { 522 | "_id": "OSSEC:-Changed-File-(Linux)", 523 | "_type": "search", 524 | "_source": { 525 | "title": "OSSEC: Changed File (Linux)", 526 | "description": "", 527 | "hits": 0, 528 | "columns": [ 529 | "ossec_modified_file", 530 | "ossec_host_fqdn", 531 | "Details" 532 | ], 533 | "sort": [ 534 | "@timestamp", 535 | "desc" 536 | ], 537 | "version": 1, 538 | "kibanaSavedObjectMeta": { 539 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"\\\"Integrity checksum changed\\\"\",\"analyze_wildcard\":true}}}" 540 | } 541 | } 542 | }, 543 | { 544 | "_id": "OSSEC:-All-Alerts", 545 | "_type": "search", 546 | "_source": { 547 | "title": "OSSEC: All Alerts", 548 | "description": "", 549 | "hits": 0, 550 | "columns": [ 551 | "Alert_Level", 552 | "ossec_host_fqdn", 553 | "ossec_host_ip", 554 | "Src_IP", 555 | "Description", 556 | "Rule" 557 | ], 558 | "sort": [ 559 | "@timestamp", 560 | "desc" 561 | ], 562 | "version": 1, 563 | "kibanaSavedObjectMeta": { 564 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"* 
-(iam-shb-*)\",\"analyze_wildcard\":true}}}" 565 | } 566 | } 567 | }, 568 | { 569 | "_id": "OSSEC-General-Search", 570 | "_type": "search", 571 | "_source": { 572 | "title": "OSSEC - General Search", 573 | "description": "", 574 | "hits": 0, 575 | "columns": [ 576 | "Alert_Level", 577 | "ossec_host_fqdn", 578 | "ossec_host_ip", 579 | "Details" 580 | ], 581 | "sort": [ 582 | "@timestamp", 583 | "desc" 584 | ], 585 | "version": 1, 586 | "kibanaSavedObjectMeta": { 587 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 588 | } 589 | } 590 | }, 591 | { 592 | "_id": "Linux:-User-and-Group-Events", 593 | "_type": "search", 594 | "_source": { 595 | "title": "Linux: User and Group Events", 596 | "description": "", 597 | "hits": 0, 598 | "columns": [ 599 | "pam_username", 600 | "tags", 601 | "pam_message", 602 | "message" 603 | ], 604 | "sort": [ 605 | "@timestamp", 606 | "desc" 607 | ], 608 | "version": 1, 609 | "kibanaSavedObjectMeta": { 610 | "searchSourceJSON": "{\"index\":\"[filebeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"tags:\\\"linux_new_group\\\" tags:\\\"linux_new_user\\\" tags:\\\"linux_password_changed\\\" tags:\\\"linux_delete_user\\\" tags:\\\"linux_removed_group\\\"\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}" 611 | } 612 | } 613 | }, 614 | { 615 | "_id": "UCLA-Netflow", 616 | "_type": "search", 617 | "_source": { 618 | "title": "UCLA Netflow", 619 | "description": "", 620 | "hits": 0, 621 | "columns": [ 622 | "netflow.in_bytes", 623 | "netflow.ipv4_src_addr", 624 | 
"netflow.ipv4_dst_addr", 625 | "tags", 626 | "netflow.l4_src_port", 627 | "netflow.l4_dst_port", 628 | "src_geoip.country_name", 629 | "dst_geoip.country_name" 630 | ], 631 | "sort": [ 632 | "netflow.in_bytes", 633 | "desc" 634 | ], 635 | "version": 1, 636 | "kibanaSavedObjectMeta": { 637 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"tags:src_ucla_* tags:dst_ucla_*\"}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}" 638 | } 639 | } 640 | } 641 | ] -------------------------------------------------------------------------------- /kibana-visualizations.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "CPU-usage-per-process", 4 | "_type": "visualization", 5 | "_source": { 6 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":false,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"proc.cpu.user_p\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"proc.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 7 | "description": "", 8 | "title": "CPU usage per process", 9 | "version": 1, 10 | "savedSearchId": "Proc-stats", 11 | "kibanaSavedObjectMeta": { 12 | "searchSourceJSON": "{\"filter\":[]}" 13 | } 14 | } 15 | }, 16 | { 17 | "_id": "DB-transactions", 18 | "_type": 
"visualization", 19 | "_source": { 20 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 21 | "description": "", 22 | "title": "DB transactions", 23 | "version": 1, 24 | "savedSearchId": "DB-transactions", 25 | "kibanaSavedObjectMeta": { 26 | "searchSourceJSON": "{\"filter\":[]}" 27 | } 28 | } 29 | }, 30 | { 31 | "_id": "Disk-usage", 32 | "_type": "visualization", 33 | "_source": { 34 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"fs.used\"}},{\"id\":\"2\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"fs.used_p\"}},{\"id\":\"3\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"fs.total\"}},{\"id\":\"4\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"fs.free\"}},{\"id\":\"5\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"fs.free\"}},{\"id\":\"6\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fs.device_name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"7\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fs.mount_point\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 35 | "description": "", 36 | "title": "Disk usage", 37 | "version": 1, 38 | "savedSearchId": "Filesystem-stats", 39 | "kibanaSavedObjectMeta": { 40 | "searchSourceJSON": "{\"filter\":[]}" 41 
| } 42 | } 43 | }, 44 | { 45 | "_id": "Disk-usage-overview", 46 | "_type": "visualization", 47 | "_source": { 48 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"fs.used_p\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"beat.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 49 | "description": "", 50 | "title": "Disk usage overview", 51 | "version": 1, 52 | "savedSearchId": "Filesystem-stats", 53 | "kibanaSavedObjectMeta": { 54 | "searchSourceJSON": "{\"filter\":[]}" 55 | } 56 | } 57 | }, 58 | { 59 | "_id": "Errors-count-over-time", 60 | "_type": "visualization", 61 | "_source": { 62 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 63 | "description": "", 64 | "title": "Errors count over time", 65 | "version": 1, 66 | "savedSearchId": "Errors", 67 | "kibanaSavedObjectMeta": { 68 | "searchSourceJSON": "{\"filter\":[]}" 69 | } 70 | } 71 | }, 72 | { 73 | "_id": "Errors-vs-successful-transactions", 74 | "_type": 
"visualization", 75 | "_source": { 76 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"percentage\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"status\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 77 | "kibanaSavedObjectMeta": { 78 | "searchSourceJSON": "{\"filter\":[],\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}" 79 | }, 80 | "version": 1, 81 | "description": "", 82 | "title": "Errors vs successful transactions" 83 | } 84 | }, 85 | { 86 | "_id": "Evolution-of-the-CPU-times-per-process", 87 | "_type": "visualization", 88 | "_source": { 89 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":false,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"proc.cpu.user_p\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"s\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"proc.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 90 | "description": "", 91 | "title": "Evolution of the CPU times per 
process", 92 | "version": 1, 93 | "savedSearchId": "Processes", 94 | "kibanaSavedObjectMeta": { 95 | "searchSourceJSON": "{\"filter\":[]}" 96 | } 97 | } 98 | }, 99 | { 100 | "_id": "HTTP-codes-for-the-top-queries", 101 | "_type": "visualization", 102 | "_source": { 103 | "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"query\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":false}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.code\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 104 | "description": "", 105 | "title": "HTTP codes for the top queries", 106 | "version": 1, 107 | "savedSearchId": "Web-transactions", 108 | "kibanaSavedObjectMeta": { 109 | "searchSourceJSON": "{\"filter\":[]}" 110 | } 111 | } 112 | }, 113 | { 114 | "_id": "HTTP-error-codes-evolution", 115 | "_type": "visualization", 116 | "_source": { 117 | "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{\"field\":\"count\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"http.code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"defaultYExtents\":false,\"shareYAxis\":true},\"type\":\"line\"}", 118 | "kibanaSavedObjectMeta": { 119 | "searchSourceJSON": 
"{\"filter\":[{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":false,\"key\":\"type\",\"value\":\"http\",\"disabled\":false},\"query\":{\"match\":{\"type\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"query\":{\"query_string\":{\"query\":\"!http.code: [200 TO 299]\",\"analyze_wildcard\":true}}}" 120 | }, 121 | "version": 1, 122 | "description": "", 123 | "title": "HTTP error codes evolution" 124 | } 125 | }, 126 | { 127 | "_id": "HTTP-error-codes", 128 | "_type": "visualization", 129 | "_source": { 130 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.code\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 131 | "kibanaSavedObjectMeta": { 132 | "searchSourceJSON": "{\"filter\":[{\"meta\":{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"negate\":false,\"key\":\"type\",\"value\":\"http\",\"disabled\":false},\"query\":{\"match\":{\"type\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"query\":{\"query_string\":{\"query\":\"http.code: [300 TO *]\",\"analyze_wildcard\":true}}}" 133 | }, 134 | "version": 1, 135 | "description": "", 136 | "title": "HTTP error codes" 137 | } 138 | }, 139 | { 140 | "_id": "Latency-histogram", 141 | "_type": "visualization", 142 | "_source": { 143 | "visState": 
"{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"responsetime\",\"interval\":10,\"min_doc_count\":false,\"extended_bounds\":{}}}],\"listeners\":{}}", 144 | "kibanaSavedObjectMeta": { 145 | "searchSourceJSON": "{\"index\":\"[packetbeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 146 | }, 147 | "version": 1, 148 | "description": "", 149 | "title": "Latency histogram" 150 | } 151 | }, 152 | { 153 | "_id": "Memory-usage", 154 | "_type": "visualization", 155 | "_source": { 156 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":false,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"mem.used_p\"}},{\"id\":\"2\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"swap.used_p\"}},{\"id\":\"3\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 157 | "description": "", 158 | "title": "Memory usage", 159 | "version": 1, 160 | "savedSearchId": "System-stats", 161 | "kibanaSavedObjectMeta": { 162 | "searchSourceJSON": "{\"filter\":[]}" 163 | } 164 | } 165 | }, 166 | { 167 | "_id": "Memory-usage-per-process", 168 | "_type": "visualization", 169 | "_source": { 170 | "visState": 
"{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":false,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"proc.mem.rss_p\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"proc.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 171 | "description": "", 172 | "title": "Memory usage per process", 173 | "version": 1, 174 | "savedSearchId": "Proc-stats", 175 | "kibanaSavedObjectMeta": { 176 | "searchSourceJSON": "{\"filter\":[]}" 177 | } 178 | } 179 | }, 180 | { 181 | "_id": "MongoDB-commands", 182 | "_type": "visualization", 183 | "_source": { 184 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"silhouette\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"method\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 185 | "description": "", 186 | "title": "MongoDB commands", 187 | "version": 1, 188 | "savedSearchId": "MongoDB-transactions", 189 | "kibanaSavedObjectMeta": { 190 | "searchSourceJSON": 
"{\"filter\":[]}" 191 | } 192 | } 193 | }, 194 | { 195 | "_id": "MongoDB-errors", 196 | "_type": "visualization", 197 | "_source": { 198 | "visState": "{\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"radiusRatio\":9,\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"resource\",\"size\":3,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"method\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 199 | "description": "", 200 | "title": "MongoDB errors", 201 | "version": 1, 202 | "savedSearchId": "MongoDB-errors", 203 | "kibanaSavedObjectMeta": { 204 | "searchSourceJSON": "{\"filter\":[]}" 205 | } 206 | } 207 | }, 208 | { 209 | "_id": "MongoDB-errors-per-collection", 210 | "_type": "visualization", 211 | "_source": { 212 | "visState": 
"{\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"radiusRatio\":9,\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"resource\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 213 | "description": "", 214 | "title": "MongoDB errors per collection", 215 | "version": 1, 216 | "savedSearchId": "MongoDB-errors", 217 | "kibanaSavedObjectMeta": { 218 | "searchSourceJSON": "{\"filter\":[]}" 219 | } 220 | } 221 | }, 222 | { 223 | "_id": "MongoDB-in-slash-out-throughput", 224 | "_type": "visualization", 225 | "_source": { 226 | "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"bytes_in\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"4\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"bytes_out\"}}],\"listeners\":{}}", 227 | "description": "", 228 | "title": "MongoDB in/out throughput", 229 | "version": 1, 230 | 
"savedSearchId": "MongoDB-transactions", 231 | "kibanaSavedObjectMeta": { 232 | "searchSourceJSON": "{\"filter\":[]}" 233 | } 234 | } 235 | }, 236 | { 237 | "_id": "MongoDB-response-times-and-count", 238 | "_type": "visualization", 239 | "_source": { 240 | "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":false,\"radiusRatio\":\"9\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"percentiles\",\"schema\":\"metric\",\"params\":{\"field\":\"responsetime\",\"percents\":[99]}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"resource\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1.99\"}},{\"id\":\"4\",\"type\":\"sum\",\"schema\":\"radius\",\"params\":{\"field\":\"count\"}}],\"listeners\":{}}", 241 | "description": "", 242 | "title": "MongoDB response times and count", 243 | "version": 1, 244 | "savedSearchId": "MongoDB-transactions", 245 | "kibanaSavedObjectMeta": { 246 | "searchSourceJSON": "{\"filter\":[]}" 247 | } 248 | } 249 | }, 250 | { 251 | "_id": "MongoDB-response-times-by-collection", 252 | "_type": "visualization", 253 | "_source": { 254 | "visState": 
"{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":false,\"radiusRatio\":\"9\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"percentiles\",\"schema\":\"metric\",\"params\":{\"field\":\"responsetime\",\"percents\":[99]}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"resource\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1.99\"}},{\"id\":\"4\",\"type\":\"sum\",\"schema\":\"radius\",\"params\":{\"field\":\"count\"}}],\"listeners\":{}}", 255 | "description": "", 256 | "title": "MongoDB response times by collection", 257 | "version": 1, 258 | "savedSearchId": "MongoDB-transactions", 259 | "kibanaSavedObjectMeta": { 260 | "searchSourceJSON": "{\"filter\":[]}" 261 | } 262 | } 263 | }, 264 | { 265 | "_id": "Most-frequent-MySQL-queries", 266 | "_type": "visualization", 267 | "_source": { 268 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 269 | "description": "", 270 | "title": "Most frequent MySQL queries", 271 | "version": 1, 272 | "savedSearchId": "MySQL-Transactions", 273 | "kibanaSavedObjectMeta": { 274 | "searchSourceJSON": "{\"filter\":[]}" 275 | } 276 | } 277 | }, 278 | { 279 | "_id": "Most-frequent-PgSQL-queries", 280 | "_type": "visualization", 281 | "_source": { 282 | 
"visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 283 | "description": "", 284 | "title": "Most frequent PgSQL queries", 285 | "version": 1, 286 | "savedSearchId": "PgSQL-transactions", 287 | "kibanaSavedObjectMeta": { 288 | "searchSourceJSON": "{\"filter\":[]}" 289 | } 290 | } 291 | }, 292 | { 293 | "_id": "MySQL-Errors", 294 | "_type": "visualization", 295 | "_source": { 296 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 297 | "description": "", 298 | "title": "MySQL Errors", 299 | "version": 1, 300 | "savedSearchId": "MySQL-errors", 301 | "kibanaSavedObjectMeta": { 302 | "searchSourceJSON": "{\"filter\":[]}" 303 | } 304 | } 305 | }, 306 | { 307 | "_id": "MySQL-Methods", 308 | "_type": "visualization", 309 | "_source": { 310 | "visState": 
"{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"wiggle\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"method\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 311 | "description": "", 312 | "title": "MySQL Methods", 313 | "version": 1, 314 | "savedSearchId": "MySQL-Transactions", 315 | "kibanaSavedObjectMeta": { 316 | "searchSourceJSON": "{\"filter\":[]}" 317 | } 318 | } 319 | }, 320 | { 321 | "_id": "MySQL-Reads-vs-Writes", 322 | "_type": "visualization", 323 | "_source": { 324 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"method: SELECT\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"method: INSERT or method: UPDATE or method: DELETE\",\"analyze_wildcard\":true}}}}]}}],\"listeners\":{}}", 325 | "description": "", 326 | "title": "MySQL Reads vs Writes", 327 | "version": 1, 328 | "savedSearchId": "MySQL-Transactions", 329 | "kibanaSavedObjectMeta": { 330 | "searchSourceJSON": "{\"filter\":[]}" 331 | } 332 | } 333 | }, 334 | { 335 | "_id": "Mysql-response-times-percentiles", 336 | "_type": "visualization", 337 | "_source": { 338 | 
"visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"percentiles\",\"schema\":\"metric\",\"params\":{\"field\":\"responsetime\",\"percents\":[75,99,99.5]}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 339 | "description": "", 340 | "title": "Mysql response times percentiles", 341 | "version": 1, 342 | "savedSearchId": "MySQL-Transactions", 343 | "kibanaSavedObjectMeta": { 344 | "searchSourceJSON": "{\"filter\":[]}" 345 | } 346 | } 347 | }, 348 | { 349 | "_id": "MySQL-throughput", 350 | "_type": "visualization", 351 | "_source": { 352 | "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"bytes_out\"}},{\"id\":\"3\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"bytes_in\"}},{\"id\":\"4\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 353 | "description": "", 354 | "title": "MySQL throughput", 355 | "version": 1, 356 | "savedSearchId": "MySQL-Transactions", 357 | "kibanaSavedObjectMeta": { 358 | "searchSourceJSON": "{\"filter\":[]}" 359 | } 360 | } 361 | }, 362 | { 363 | "_id": "Navigation", 364 | "_type": "visualization", 365 | "_source": { 366 | "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"###Packetbeat:\\n\\n[Dashboard](/#/dashboard/Packetbeat-Dashboard)\\n\\n[Web transactions](/#/dashboard/HTTP)\\n\\n[MySQL performance](/#/dashboard/MySQL-performance)\\n\\n[PostgreSQL performance](/#/dashboard/PgSQL-performance)\\n\\n[MongoDB 
performance](/#/dashboard/MongoDB-performance)\\n\\n[Thrift-RPC performance](/#/dashboard/Thrift-performance)\\n\\n###Topbeat:\\n\\n[Dashboard](/#/dashboard/Topbeat-Dashboard)\"},\"type\":\"markdown\"}", 367 | "kibanaSavedObjectMeta": { 368 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" 369 | }, 370 | "version": 1, 371 | "description": "", 372 | "title": "Navigation" 373 | } 374 | }, 375 | { 376 | "_id": "Number-of-MongoDB-transactions-with-writeConcern-w-equal-0", 377 | "_type": "visualization", 378 | "_source": { 379 | "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"count\",\"schema\":\"radius\",\"params\":{}}],\"listeners\":{}}", 380 | "description": "", 381 | "title": "Number of MongoDB transactions with writeConcern w=0", 382 | "version": 1, 383 | "savedSearchId": "MongoDB-transactions-with-write-concern-0", 384 | "kibanaSavedObjectMeta": { 385 | "searchSourceJSON": "{\"filter\":[]}" 386 | } 387 | } 388 | }, 389 | { 390 | "_id": "PgSQL-Errors", 391 | "_type": "visualization", 392 | "_source": { 393 | "visState": 
"{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 394 | "description": "", 395 | "title": "PgSQL Errors", 396 | "version": 1, 397 | "savedSearchId": "PgSQL-errors", 398 | "kibanaSavedObjectMeta": { 399 | "searchSourceJSON": "{\"filter\":[]}" 400 | } 401 | } 402 | }, 403 | { 404 | "_id": "PgSQL-Methods", 405 | "_type": "visualization", 406 | "_source": { 407 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"wiggle\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"method\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 408 | "description": "", 409 | "title": "PgSQL Methods", 410 | "version": 1, 411 | "savedSearchId": "PgSQL-transactions", 412 | "kibanaSavedObjectMeta": { 413 | "searchSourceJSON": "{\"filter\":[]}" 414 | } 415 | } 416 | }, 417 | { 418 | "_id": "PgSQL-Reads-vs-Writes", 419 | "_type": "visualization", 420 | "_source": { 421 | "visState": 
"{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"method: SELECT\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"method: INSERT or method: UPDATE or method: DELETE\",\"analyze_wildcard\":true}}}}]}}],\"listeners\":{}}", 422 | "description": "", 423 | "title": "PgSQL Reads vs Writes", 424 | "version": 1, 425 | "savedSearchId": "PgSQL-transactions", 426 | "kibanaSavedObjectMeta": { 427 | "searchSourceJSON": "{\"filter\":[]}" 428 | } 429 | } 430 | }, 431 | { 432 | "_id": "PgSQL-response-times-percentiles", 433 | "_type": "visualization", 434 | "_source": { 435 | "visState": "{\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"defaultYExtents\":false,\"shareYAxis\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"percentiles\",\"schema\":\"metric\",\"params\":{\"field\":\"responsetime\",\"percents\":[75,99,99.5]}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 436 | "description": "", 437 | "title": "PgSQL response times percentiles", 438 | "version": 1, 439 | "savedSearchId": "PgSQL-transactions", 440 | "kibanaSavedObjectMeta": { 441 | "searchSourceJSON": "{\"filter\":[]}" 442 | } 443 | } 444 | }, 445 | { 446 | "_id": "PgSQL-throughput", 447 | "_type": "visualization", 448 | "_source": { 449 | "visState": 
"{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"bytes_out\"}},{\"id\":\"2\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"bytes_in\"}},{\"id\":\"3\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 450 | "description": "", 451 | "title": "PgSQL throughput", 452 | "version": 1, 453 | "savedSearchId": "PgSQL-transactions", 454 | "kibanaSavedObjectMeta": { 455 | "searchSourceJSON": "{\"filter\":[]}" 456 | } 457 | } 458 | }, 459 | { 460 | "_id": "Process-status", 461 | "_type": "visualization", 462 | "_source": { 463 | "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"proc.state\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 464 | "description": "", 465 | "title": "Process status", 466 | "version": 1, 467 | "savedSearchId": "Proc-stats", 468 | "kibanaSavedObjectMeta": { 469 | "searchSourceJSON": "{\"filter\":[]}" 470 | } 471 | } 472 | }, 473 | { 474 | "_id": "Reads-versus-Writes", 475 | "_type": "visualization", 476 | "_source": { 477 | "visState": 
"{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"grouped\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"method: SELECT\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"method: INSERT or method: UPDATE or method: DELETE\",\"analyze_wildcard\":true}}}}]}}],\"listeners\":{}}", 478 | "description": "", 479 | "title": "Reads versus Writes", 480 | "version": 1, 481 | "savedSearchId": "MySQL-Transactions", 482 | "kibanaSavedObjectMeta": { 483 | "searchSourceJSON": "{\"filter\":[]}" 484 | } 485 | } 486 | }, 487 | { 488 | "_id": "Response-times-percentiles", 489 | "_type": "visualization", 490 | "_source": { 491 | "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"percentiles\",\"schema\":\"metric\",\"params\":{\"field\":\"responsetime\",\"percents\":[75,95,99]}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 492 | "kibanaSavedObjectMeta": { 493 | "searchSourceJSON": "{\"filter\":[],\"index\":\"[packetbeat-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}" 494 | }, 495 | "version": 1, 496 | "description": "", 497 | "title": "Response times percentiles" 498 | } 499 | }, 500 | { 501 | 
"_id": "Response-times-repartition", 502 | "_type": "visualization", 503 | "_source": { 504 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"histogram\",\"schema\":\"group\",\"params\":{\"field\":\"responsetime\",\"interval\":10,\"extended_bounds\":{}}}],\"listeners\":{}}", 505 | "description": "", 506 | "title": "Response times repartition", 507 | "version": 1, 508 | "savedSearchId": "Default-Search", 509 | "kibanaSavedObjectMeta": { 510 | "searchSourceJSON": "{\"filter\":[]}" 511 | } 512 | } 513 | }, 514 | { 515 | "_id": "RPC-transactions", 516 | "_type": "visualization", 517 | "_source": { 518 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 519 | "description": "", 520 | "title": "RPC transactions", 521 | "version": 1, 522 | "savedSearchId": "RPC-transactions", 523 | "kibanaSavedObjectMeta": { 524 | "searchSourceJSON": "{\"filter\":[]}" 525 | } 526 | } 527 | }, 528 | { 529 | "_id": "Servers", 530 | "_type": "visualization", 531 | "_source": { 532 | "visState": 
"{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu.user_p\"}},{\"id\":\"3\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu.system_p\"}},{\"id\":\"4\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"mem.total\"}},{\"id\":\"5\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"mem.used\"}},{\"id\":\"8\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"mem.used_p\"}},{\"id\":\"6\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"mem.free\"}},{\"id\":\"9\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"beat.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 533 | "description": "", 534 | "title": "Servers", 535 | "version": 1, 536 | "savedSearchId": "System-stats", 537 | "kibanaSavedObjectMeta": { 538 | "searchSourceJSON": "{\"filter\":[]}" 539 | } 540 | } 541 | }, 542 | { 543 | "_id": "Slowest-MySQL-queries", 544 | "_type": "visualization", 545 | "_source": { 546 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"responsetime\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 547 | "description": "", 548 | "title": "Slowest MySQL queries", 549 | "version": 1, 550 | "savedSearchId": "MySQL-Transactions", 551 | "kibanaSavedObjectMeta": { 552 | "searchSourceJSON": "{\"filter\":[]}" 553 | } 554 | } 555 | }, 556 | { 557 | "_id": "Slowest-PgSQL-queries", 558 | "_type": "visualization", 559 | "_source": { 560 | "visState": 
"{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"responsetime\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 561 | "description": "", 562 | "title": "Slowest PgSQL queries", 563 | "version": 1, 564 | "savedSearchId": "PgSQL-transactions", 565 | "kibanaSavedObjectMeta": { 566 | "searchSourceJSON": "{\"filter\":[]}" 567 | } 568 | } 569 | }, 570 | { 571 | "_id": "Slowest-Thrift-RPC-methods", 572 | "_type": "visualization", 573 | "_source": { 574 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"responsetime\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"method\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 575 | "description": "", 576 | "title": "Slowest Thrift RPC methods", 577 | "version": 1, 578 | "savedSearchId": "Thrift-transactions", 579 | "kibanaSavedObjectMeta": { 580 | "searchSourceJSON": "{\"filter\":[]}" 581 | } 582 | } 583 | }, 584 | { 585 | "_id": "System-load", 586 | "_type": "visualization", 587 | "_source": { 588 | "visState": 
"{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"load.load1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"beat.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 589 | "description": "", 590 | "title": "System load", 591 | "version": 1, 592 | "savedSearchId": "System-stats", 593 | "kibanaSavedObjectMeta": { 594 | "searchSourceJSON": "{\"filter\":[]}" 595 | } 596 | } 597 | }, 598 | { 599 | "_id": "Thrift-requests-per-minute", 600 | "_type": "visualization", 601 | "_source": { 602 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"minute\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 603 | "description": "", 604 | "title": "Thrift requests per minute", 605 | "version": 1, 606 | "savedSearchId": "Thrift-transactions", 607 | "kibanaSavedObjectMeta": { 608 | "searchSourceJSON": "{\"filter\":[]}" 609 | } 610 | } 611 | }, 612 | { 613 | "_id": "Thrift-response-times-percentiles", 614 | "_type": "visualization", 615 | "_source": { 616 | "visState": 
"{\"aggs\":[{\"id\":\"1\",\"params\":{\"field\":\"responsetime\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"defaultYExtents\":false,\"shareYAxis\":true},\"type\":\"line\"}", 617 | "description": "", 618 | "title": "Thrift response times percentiles", 619 | "version": 1, 620 | "savedSearchId": "Thrift-transactions", 621 | "kibanaSavedObjectMeta": { 622 | "searchSourceJSON": "{\"filter\":[]}" 623 | } 624 | } 625 | }, 626 | { 627 | "_id": "Thrift-RPC-Errors", 628 | "_type": "visualization", 629 | "_source": { 630 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 631 | "description": "", 632 | "title": "Thrift RPC Errors", 633 | "version": 1, 634 | "savedSearchId": "Thrift-errors", 635 | "kibanaSavedObjectMeta": { 636 | "searchSourceJSON": "{\"filter\":[]}" 637 | } 638 | } 639 | }, 640 | { 641 | "_id": "Top-10-memory-consumers", 642 | "_type": "visualization", 643 | "_source": { 644 | "visState": 
"{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"proc.mem.rss_p\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"proc.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 645 | "description": "", 646 | "title": "Top 10 memory consumers", 647 | "version": 1, 648 | "savedSearchId": "Processes", 649 | "kibanaSavedObjectMeta": { 650 | "searchSourceJSON": "{\"filter\":[]}" 651 | } 652 | } 653 | }, 654 | { 655 | "_id": "Top-10-processes-by-total-CPU-usage", 656 | "_type": "visualization", 657 | "_source": { 658 | "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{\"field\":\"proc.cpu.total\"},\"schema\":\"metric\",\"type\":\"max\"},{\"id\":\"2\",\"params\":{\"field\":\"proc.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"type\":\"histogram\"}", 659 | "description": "", 660 | "title": "Top 10 processes by total CPU usage", 661 | "version": 1, 662 | "savedSearchId": "Processes", 663 | "kibanaSavedObjectMeta": { 664 | "searchSourceJSON": "{\"filter\":[]}" 665 | } 666 | } 667 | }, 668 | { 669 | "_id": "Top-processes", 670 | "_type": "visualization", 671 | "_source": { 672 | "visState": 
"{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"proc.cpu.user_p\"}},{\"id\":\"2\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"proc.mem.rss\"}},{\"id\":\"3\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"proc.mem.rss_p\"}},{\"id\":\"5\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"proc.mem.share\"}},{\"id\":\"6\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"proc.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 673 | "description": "", 674 | "title": "Top processes", 675 | "version": 1, 676 | "savedSearchId": "Proc-stats", 677 | "kibanaSavedObjectMeta": { 678 | "searchSourceJSON": "{\"filter\":[]}" 679 | } 680 | } 681 | }, 682 | { 683 | "_id": "Top-slowest-MongoDB-queries", 684 | "_type": "visualization", 685 | "_source": { 686 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"percentiles\",\"schema\":\"metric\",\"params\":{\"field\":\"responsetime\",\"percents\":[99]}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1.99\"}}],\"listeners\":{}}", 687 | "description": "", 688 | "title": "Top slowest MongoDB queries", 689 | "version": 1, 690 | "savedSearchId": "MongoDB-transactions", 691 | "kibanaSavedObjectMeta": { 692 | "searchSourceJSON": "{\"filter\":[]}" 693 | } 694 | } 695 | }, 696 | { 697 | "_id": "Top-Thrift-RPC-calls-with-errors", 698 | "_type": "visualization", 699 | "_source": { 700 | "visState": 
"{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"method\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 701 | "description": "", 702 | "title": "Top Thrift-RPC calls with errors", 703 | "version": 1, 704 | "savedSearchId": "Thrift-errors", 705 | "kibanaSavedObjectMeta": { 706 | "searchSourceJSON": "{\"filter\":[]}" 707 | } 708 | } 709 | }, 710 | { 711 | "_id": "Top-Thrift-RPC-methods", 712 | "_type": "visualization", 713 | "_source": { 714 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"method\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 715 | "description": "", 716 | "title": "Top Thrift-RPC methods", 717 | "version": 1, 718 | "savedSearchId": "Thrift-transactions", 719 | "kibanaSavedObjectMeta": { 720 | "searchSourceJSON": "{\"filter\":[]}" 721 | } 722 | } 723 | }, 724 | { 725 | "_id": "Total-number-of-HTTP-transactions", 726 | "_type": "visualization", 727 | "_source": { 728 | "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{\"field\":\"count\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"fontSize\":\"37\"},\"type\":\"metric\"}", 729 | "description": "", 730 | "title": "Total number of HTTP transactions", 731 | "version": 1, 732 | "savedSearchId": "Web-transactions", 733 | "kibanaSavedObjectMeta": { 734 | "searchSourceJSON": "{\"filter\":[]}" 735 | } 736 | } 737 | }, 738 | { 739 | "_id": 
"Total-time-spent-in-each-MongoDB-collection", 740 | "_type": "visualization", 741 | "_source": { 742 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":false,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"responsetime\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"resource\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 743 | "description": "", 744 | "title": "Total time spent in each MongoDB collection", 745 | "version": 1, 746 | "savedSearchId": "MongoDB-transactions", 747 | "kibanaSavedObjectMeta": { 748 | "searchSourceJSON": "{\"filter\":[]}" 749 | } 750 | } 751 | }, 752 | { 753 | "_id": "Web-transactions", 754 | "_type": "visualization", 755 | "_source": { 756 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 757 | "description": "", 758 | "title": "Web transactions", 759 | "version": 1, 760 | "savedSearchId": "Web-transactions", 761 | "kibanaSavedObjectMeta": { 762 | "searchSourceJSON": "{\"filter\":[]}" 763 | } 764 | } 765 | }, 766 | { 767 | "_id": "Average-system-load-across-all-systems", 768 | "_type": "visualization", 769 | "_source": { 770 | 
"visState": "{\"type\":\"metric\",\"params\":{\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"load.load1\"}}],\"listeners\":{}}", 771 | "description": "", 772 | "title": "Average system load across all systems", 773 | "version": 1, 774 | "savedSearchId": "System-wide", 775 | "kibanaSavedObjectMeta": { 776 | "searchSourceJSON": "{\"filter\":[]}" 777 | } 778 | } 779 | }, 780 | { 781 | "_id": "Cache-transactions", 782 | "_type": "visualization", 783 | "_source": { 784 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 785 | "description": "", 786 | "title": "Cache transactions", 787 | "version": 1, 788 | "savedSearchId": "Cache-transactions", 789 | "kibanaSavedObjectMeta": { 790 | "searchSourceJSON": "{\"filter\":[]}" 791 | } 792 | } 793 | }, 794 | { 795 | "_id": "Client-locations", 796 | "_type": "visualization", 797 | "_source": { 798 | "visState": "{\"type\":\"tile_map\",\"params\":{\"isDesaturated\":true,\"mapType\":\"Shaded Circle Markers\"},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"client_location\",\"precision\":3}}],\"listeners\":{}}", 799 | "description": "", 800 | "title": "Client locations", 801 | "version": 1, 802 | "savedSearchId": "Web-transactions", 803 | "kibanaSavedObjectMeta": { 804 | "searchSourceJSON": "{\"filter\":[]}" 805 | } 806 | } 807 | }, 808 | { 809 | "_id": "CPU-usage", 810 | "_type": "visualization", 811 | "_source": { 812 | "visState": 
"{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":false,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu.system_p\"}},{\"id\":\"2\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu.user_p\"}},{\"id\":\"3\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 813 | "description": "", 814 | "title": "CPU usage", 815 | "version": 1, 816 | "savedSearchId": "System-stats", 817 | "kibanaSavedObjectMeta": { 818 | "searchSourceJSON": "{\"filter\":[]}" 819 | } 820 | } 821 | }, 822 | { 823 | "_id": "Top-10-HTTP-requests", 824 | "_type": "visualization", 825 | "_source": { 826 | "title": "Top 10 HTTP requests", 827 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"count\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.code\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"method\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"6\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"beat.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 828 | 
"uiStateJSON": "{}", 829 | "description": "", 830 | "savedSearchId": "Web-transactions", 831 | "version": 1, 832 | "kibanaSavedObjectMeta": { 833 | "searchSourceJSON": "{\"filter\":[]}" 834 | } 835 | } 836 | }, 837 | { 838 | "_id": "Visualization:-User-and-Group-Events", 839 | "_type": "visualization", 840 | "_source": { 841 | "title": "Visualization: User and Group Events", 842 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"timestamp\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"pam_username\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tags\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"beat.hostname\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"_term\"}},{\"id\":\"6\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 843 | "uiStateJSON": "{}", 844 | "description": "", 845 | "savedSearchId": "Linux:-User-and-Group-Events", 846 | "version": 1, 847 | "kibanaSavedObjectMeta": { 848 | "searchSourceJSON": "{\"filter\":[]}" 849 | } 850 | } 851 | }, 852 | { 853 | "_id": "Visualization:-Linux-(Password-Change)", 854 | "_type": "visualization", 855 | "_source": { 856 | "title": "Visualization: Linux (Password Change)", 857 | "visState": "{\"type\":\"metric\",\"params\":{\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 858 | "uiStateJSON": "{}", 859 | "description": "", 860 | "version": 1, 861 | 
"kibanaSavedObjectMeta": { 862 | "searchSourceJSON": "{\"index\":\"[filebeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"tags:\\\"linux_password_changed\\\"\",\"analyze_wildcard\":true}},\"filter\":[]}" 863 | } 864 | } 865 | }, 866 | { 867 | "_id": "Visualization:-Linux-(Group-Deleted)", 868 | "_type": "visualization", 869 | "_source": { 870 | "title": "Visualization: Linux (Group Deleted)", 871 | "visState": "{\"type\":\"metric\",\"params\":{\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 872 | "uiStateJSON": "{}", 873 | "description": "", 874 | "version": 1, 875 | "kibanaSavedObjectMeta": { 876 | "searchSourceJSON": "{\"index\":\"[filebeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"tags:\\\"linux_password_changed\\\"\",\"analyze_wildcard\":true}},\"filter\":[]}" 877 | } 878 | } 879 | }, 880 | { 881 | "_id": "Visualization:-Linux-(User-Deleted)", 882 | "_type": "visualization", 883 | "_source": { 884 | "title": "Visualization: Linux (User Deleted)", 885 | "visState": "{\"type\":\"metric\",\"params\":{\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 886 | "uiStateJSON": "{}", 887 | "description": "", 888 | "version": 1, 889 | "kibanaSavedObjectMeta": { 890 | "searchSourceJSON": "{\"index\":\"[filebeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"tags:\\\"linux_password_changed\\\"\",\"analyze_wildcard\":true}},\"filter\":[]}" 891 | } 892 | } 893 | }, 894 | { 895 | "_id": "Visualization:-Linux-(New-Group)", 896 | "_type": "visualization", 897 | "_source": { 898 | "title": "Visualization: Linux (New Group)", 899 | "visState": "{\"type\":\"metric\",\"params\":{\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 900 | "uiStateJSON": "{}", 901 | "description": "", 902 | "version": 1, 903 | "kibanaSavedObjectMeta": { 904 | 
"searchSourceJSON": "{\"index\":\"[filebeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"tags:\\\"linux_new_user\\\"\",\"analyze_wildcard\":true}},\"filter\":[]}" 905 | } 906 | } 907 | }, 908 | { 909 | "_id": "Visualization:-Linux-(New-User)", 910 | "_type": "visualization", 911 | "_source": { 912 | "title": "Visualization: Linux (New User)", 913 | "visState": "{\"type\":\"metric\",\"params\":{\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 914 | "uiStateJSON": "{}", 915 | "description": "", 916 | "version": 1, 917 | "kibanaSavedObjectMeta": { 918 | "searchSourceJSON": "{\"index\":\"[filebeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"tags:\\\"linux_new_user\\\"\",\"analyze_wildcard\":true}},\"filter\":[]}" 919 | } 920 | } 921 | }, 922 | { 923 | "_id": "Linux-(Group-Deleted)", 924 | "_type": "visualization", 925 | "_source": { 926 | "title": "Linux (Group Deleted)", 927 | "visState": "{\"type\":\"metric\",\"params\":{\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 928 | "uiStateJSON": "{}", 929 | "description": "", 930 | "version": 1, 931 | "kibanaSavedObjectMeta": { 932 | "searchSourceJSON": "{\"index\":\"[filebeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"tags:\\\"linux_removed_group\\\"\",\"analyze_wildcard\":true}},\"filter\":[]}" 933 | } 934 | } 935 | }, 936 | { 937 | "_id": "Linux-(User-Deleted)", 938 | "_type": "visualization", 939 | "_source": { 940 | "title": "Linux (User Deleted)", 941 | "visState": "{\"type\":\"metric\",\"params\":{\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 942 | "uiStateJSON": "{}", 943 | "description": "", 944 | "version": 1, 945 | "kibanaSavedObjectMeta": { 946 | "searchSourceJSON": 
"{\"index\":\"[filebeat-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"tags:\\\"linux_delete_user\\\"\",\"analyze_wildcard\":true}},\"filter\":[]}" 947 | } 948 | } 949 | }, 950 | { 951 | "_id": "Visualization:-Bar-Chart-(Linux:-User-and-Group-Events)", 952 | "_type": "visualization", 953 | "_source": { 954 | "title": "Visualization: Bar Chart (Linux: User and Group Events)", 955 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tags\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 956 | "uiStateJSON": "{}", 957 | "description": "", 958 | "savedSearchId": "Linux:-User-and-Group-Events", 959 | "version": 1, 960 | "kibanaSavedObjectMeta": { 961 | "searchSourceJSON": "{\"filter\":[]}" 962 | } 963 | } 964 | }, 965 | { 966 | "_id": "UCLA-Netflow:-Destination-IP-Count-(Bar-Chart)", 967 | "_type": "visualization", 968 | "_source": { 969 | "title": "UCLA Netflow: Destination IP Count (Bar Chart)", 970 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"netflow.ipv4_dst_addr\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 971 | "uiStateJSON": "{}", 972 | "description": "", 973 | "savedSearchId": "UCLA-Netflow", 974 | "version": 1, 975 | "kibanaSavedObjectMeta": { 976 | "searchSourceJSON": "{\"filter\":[]}" 977 
| } 978 | } 979 | }, 980 | { 981 | "_id": "UCLA-Netflow:-Source-IP-Count-(Bar-Chart)", 982 | "_type": "visualization", 983 | "_source": { 984 | "title": "UCLA Netflow: Source IP Count (Bar Chart)", 985 | "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"netflow.ipv4_src_addr\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 986 | "uiStateJSON": "{}", 987 | "description": "", 988 | "savedSearchId": "UCLA-Netflow", 989 | "version": 1, 990 | "kibanaSavedObjectMeta": { 991 | "searchSourceJSON": "{\"filter\":[]}" 992 | } 993 | } 994 | }, 995 | { 996 | "_id": "UCLA-Netflow:-Outbound-Traffic-Size-On-Destination-IP", 997 | "_type": "visualization", 998 | "_source": { 999 | "title": "UCLA Netflow: Outbound Traffic Size On Destination IP", 1000 | "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":\"45\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"netflow.in_bytes\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"netflow.ipv4_dst_addr\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 1001 | "uiStateJSON": "{}", 1002 | "description": "", 1003 | "savedSearchId": "UCLA-Netflow", 1004 | "version": 1, 1005 | "kibanaSavedObjectMeta": { 1006 | "searchSourceJSON": "{\"filter\":[]}" 1007 | } 1008 | } 1009 | } 1010 | ] 
--------------------------------------------------------------------------------