Audit log Record changes dashboard

GHorne, Community Manager

This is a quick and simple dashboard that displays some statistics on Adds/Mods/Deletes to records in the database.

 

You get a view on the number of changes per day, who is making them, and who is trying to access the system.

[Screenshots of the dashboard panels, 2016-03-08]

Selecting an event should also take you to a stats table that summarises the event (I can't seem to make this appear directly on a dashboard in the right format).

[Screenshot of the drilldown stats table, 2016-03-08]

<form>
<label>Audit CRUD events</label>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>Adds, Mods, or Deletes</title>
<search>
<!-- Filter on the indexed field names in the base search; timechart needs no prior sort or rename -->
<query>index=ib_audit sourcetype=ib:audit (ACTION=Created OR ACTION=Modified OR ACTION=Deleted) | timechart count by ACTION limit=10</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>Top Admins</title>
<search>
<query>index=ib_audit sourcetype=ib:audit (ACTION=Created OR ACTION=Modified OR ACTION=Deleted) | top limit=20 ADMIN | rename ADMIN as Admin</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="charting.axisTitleY.text">Changes</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<chart>
<title>Denied Logins : Source Address</title>
<search>
<query>index=ib_audit sourcetype=ib:audit ACTION=Login_Denied | top limit=20 ip</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
</chart>
</panel>
<panel>
<table>
<title>Denied Logins by username</title>
<search>
<query>index=ib_audit sourcetype=ib:audit ACTION=Login_Denied | top limit=20 ADMIN | rename ADMIN as Admin</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<chart>
<title>Top Changes by Object Type</title>
<search>
<query>index=ib_audit sourcetype=ib:audit (ACTION=Created OR ACTION=Modified OR ACTION=Deleted) | timechart count by OBJECT_TYPE limit=10</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
</form>
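
As an added example (not part of the original post, and not code from Infoblox or its Splunk add-on), the Python below re-implements the aggregations behind the five panels over a handful of constructed audit log lines, so the expected numbers can be checked before the data ever reaches Splunk. The line shape it parses is an assumption modelled on the fields the dashboard renames (TIMESTAMP, ADMIN, ACTION, OBJECT_TYPE, OBJECT_NAME, MESSAGE) and on the `ip=` key the denied-logins panel relies on; the sample lines, admin names and addresses are invented. Check the regexes against a real audit.log before trusting them.

```python
"""Offline re-implementation of the dashboard's statistics over Infoblox audit log lines.
Added example: parse lines into the fields the dashboard renames, then aggregate them
the way the panels' searches do."""
import re
from collections import Counter, defaultdict
from typing import Iterable, Optional

# ASSUMED line shape (not taken from Infoblox documentation); verify against a real
# audit.log before trusting these regexes:
#   <date> <time>Z [<admin>]: <ACTION> <OBJECT_TYPE> <OBJECT_NAME>: <MESSAGE>
#   <date> <time>Z [<admin>]: <ACTION> - - <key>=<value> ...     (login/logout events)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\S+)\s+"
    r"\[(?P<admin>[^\]]+)\]:\s+(?P<action>\S+)\s+(?P<rest>.*)$"
)
# Object name runs up to the first ':' (an IPv6 object name would be cut short there).
OBJECT_RE = re.compile(r"^(?P<otype>\S+)\s+(?P<oname>[^:]*?)(?::\s*(?P<msg>.*))?$")
IP_RE = re.compile(r"\bip=(?P<ip>[0-9A-Fa-f.:]+)")

CHANGE_ACTIONS = {"Created", "Modified", "Deleted"}  # the dashboard's Adds/Mods/Deletes

# Constructed sample data, not real log output.
SAMPLE_AUDIT_LOG = """\
2016-03-07 08:12:41.978Z [admin]: Created Network 10.20.0.0/16: Set comment="lab"
2016-03-07 09:30:02.110Z [admin]: Modified Network 10.20.0.0/16: Changed comment:"lab"->"lab-east"
2016-03-07 11:45:19.004Z [ops1]: Created HostRecord web01.example.com: Set ipv4addr=10.20.1.10
2016-03-08 08:35:10.501Z [ops1]: Deleted HostRecord web01.example.com:
2016-03-08 08:36:56.223Z [admin]: Login_Allowed - - to=AdminConnector ip=10.20.5.5 auth=Local group=admin-group apparently_via=GUI
2016-03-08 08:37:03.870Z [admin]: Login_Denied - - to=AdminConnector ip=198.51.100.23 auth=Local group=
2016-03-08 08:37:09.112Z [root]: Login_Denied - - to=AdminConnector ip=198.51.100.23 auth=Local group=
2016-03-08 08:37:15.640Z [admin]: Login_Denied - - to=AdminConnector ip=203.0.113.7 auth=Local group=
2016-03-08 12:00:00.000Z [ops1]: Logout - - to=AdminConnector ip=10.20.5.6 auth=Local group=admin-group
a line that does not match the format is skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the dashboard's fields for one audit line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "TIMESTAMP": f"{m['date']} {m['time']}", "date": m["date"],
        "ADMIN": m["admin"], "ACTION": m["action"],
        "OBJECT_TYPE": None, "OBJECT_NAME": None, "MESSAGE": "", "ip": None,
    }
    rest = m["rest"]
    if rest.startswith("- - "):
        # Login_Allowed / Login_Denied / Logout carry no object, only key=value text.
        event["MESSAGE"] = rest[4:]
    else:
        om = OBJECT_RE.match(rest)
        if om:
            event["OBJECT_TYPE"], event["OBJECT_NAME"] = om["otype"], om["oname"]
            event["MESSAGE"] = om["msg"] or ""
        else:
            event["MESSAGE"] = rest
    ipm = IP_RE.search(event["MESSAGE"])
    if ipm:
        event["ip"] = ipm["ip"]
    return event


def summarize(lines: Iterable[str]) -> dict:
    """Mirror the five panels: changes per day by action, top admins, changes by
    object type, denied logins by source address and by username."""
    changes_per_day = defaultdict(Counter)
    top_admins, changes_by_type = Counter(), Counter()
    denied_by_ip, denied_by_admin = Counter(), Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skipped, as Splunk would leave it unextracted
        if ev["ACTION"] in CHANGE_ACTIONS:
            changes_per_day[ev["date"]][ev["ACTION"]] += 1
            top_admins[ev["ADMIN"]] += 1
            changes_by_type[ev["OBJECT_TYPE"]] += 1
        elif ev["ACTION"] == "Login_Denied":
            denied_by_ip[ev["ip"]] += 1
            denied_by_admin[ev["ADMIN"]] += 1
    return {
        "changes_per_day": {d: dict(c) for d, c in sorted(changes_per_day.items())},
        "top_admins": top_admins.most_common(20),
        "changes_by_type": changes_by_type.most_common(10),
        "denied_by_ip": denied_by_ip.most_common(20),
        "denied_by_admin": denied_by_admin.most_common(20),
    }


def sample_summary() -> dict:
    """Run the aggregation over the constructed sample log."""
    return summarize(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    for panel, rows in sample_summary().items():
        print(panel, rows)
```

Running it against an exported audit.log is a quick way to tell a blank dashboard apart from a blank index: if the script finds the events but the panels stay empty, the problem is on the forwarding or field-extraction side rather than in the searches.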

Re: Audit log Record changes dashboard


Roger,

 

I was wondering if you might be able to shed some light on an issue I'm having with this dashboard. I just imported it into a Grid running 8.0.7 and none of the panels actually return any data. When I inspect one of the panels, it returns the following error:

[Screenshot of the panel inspection error, 2017-06-30]

I'm not that well versed in Splunk yet, I was hoping that you might be able to point me in the right direction to troubleshoot this. 

 

Thanks,

 

Mark

Re: Audit log Record changes dashboard


Hello Mark,

 

I recommend that you check that the audit logs are being sent to Reporting. You can configure this in Grid > Grid Manager > Reporting > Edit (pencil icon) > General > Report category > Audit Log.

 

[Screenshot of the Reporting properties, Audit Log report category, 2017-07-05]

 

Regards

 

Nicolas
