diff --git a/filebeat/fileset/modules_test.go b/filebeat/fileset/modules_test.go
index db9169e5bc7..0b671a597c3 100644
--- a/filebeat/fileset/modules_test.go
+++ b/filebeat/fileset/modules_test.go
@@ -37,7 +37,7 @@ func TestNewModuleRegistry(t *testing.T) {
 expectedModules := map[string][]string{
 "nginx": {"access", "error"},
 "mysql": {"slowlog", "error"},
- "system": {"syslog"},
+ "system": {"syslog", "auth"},
 }
 
 assert.Equal(t, len(expectedModules), len(reg.registry))
diff --git a/filebeat/module/system/_meta/kibana/dashboard/0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/filebeat/module/system/_meta/kibana/dashboard/0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json
new file mode 100644
index 00000000000..1c8a61fb1ee
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/dashboard/0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json
@@ -0,0 +1,13 @@
+{
+ "hits": 0,
+ "timeRestore": false,
+ "description": "",
+ "title": "Filebeat New users and groups",
+ "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}",
+ "panelsJSON": "[{\"col\":1,\"id\":\"f398d2f0-fa77-11e6-ae9b-81e5311e8cab\",\"panelIndex\":1,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"5dd15c00-fa78-11e6-ae9b-81e5311e8cab\",\"panelIndex\":2,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"e121b140-fa78-11e6-a1df-a78bd7504d38\",\"panelIndex\":3,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"d56ee420-fa79-11e6-a1df-a78bd7504d38\",\"panelIndex\":4,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"12667040-fa80-11e6-a1df-a78bd7504d38\",\"panelIndex\":5,\"row\":7,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"size_x\":6,\"size_y\":3,\"panelIndex\":6,\"type\":\"visualization\",\"id\":\"346bb290-fa80-11e6-a1df-a78bd7504d38\",\"col\":7,\"row\":7}]",
+ "optionsJSON": "{\"darkTheme\":false}",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/dashboard/277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/filebeat/module/system/_meta/kibana/dashboard/277876d0-fa2c-11e6-bbd3-29c986c96e5a.json
new file mode 100644
index 00000000000..eba0e698b5e
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/dashboard/277876d0-fa2c-11e6-bbd3-29c986c96e5a.json
@@ -0,0 +1,13 @@
+{
+ "hits": 0,
+ "timeRestore": false,
+ "description": "",
+ "title": "Filebeat Auth - Sudo commands",
+ "uiStateJSON": "{\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}",
+ "panelsJSON": "[{\"col\":1,\"id\":\"5c7af030-fa2a-11e6-bbd3-29c986c96e5a\",\"panelIndex\":1,\"row\":5,\"size_x\":12,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"51164310-fa2b-11e6-bbd3-29c986c96e5a\",\"panelIndex\":2,\"row\":9,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"dc589770-fa2b-11e6-bbd3-29c986c96e5a\",\"panelIndex\":3,\"row\":1,\"size_x\":12,\"size_y\":4,\"type\":\"visualization\"}]",
+ "optionsJSON": "{\"darkTheme\":false}",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/dashboard/5517a150-f9ce-11e6-8115-a7c18106d86a.json b/filebeat/module/system/_meta/kibana/dashboard/5517a150-f9ce-11e6-8115-a7c18106d86a.json
new file mode 100644
index 00000000000..0b0fcb674e2
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/dashboard/5517a150-f9ce-11e6-8115-a7c18106d86a.json
@@ -0,0 +1,13 @@
+{
+ "hits": 0,
+ "timeRestore": false,
+ "description": "",
+ "title": "Filebeat SSH login attempts",
+ "uiStateJSON": "{\"P-4\":{\"mapCenter\":[39.774769485295465,23.203125],\"mapZoom\":3}}",
+ "panelsJSON": "[{\"col\":1,\"id\":\"d16bb400-f9cc-11e6-8115-a7c18106d86a\",\"panelIndex\":1,\"row\":4,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"78b74f30-f9cd-11e6-8115-a7c18106d86a\",\"panelIndex\":2,\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"341ffe70-f9ce-11e6-8115-a7c18106d86a\",\"panelIndex\":3,\"row\":7,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d\",\"panelIndex\":4,\"row\":7,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"size_x\":12,\"size_y\":3,\"panelIndex\":5,\"type\":\"search\",\"id\":\"62439dc0-f9c9-11e6-a747-6121780e0414\",\"col\":1,\"row\":11,\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.user\",\"system.auth.ssh.ip\",\"system.auth.ssh.geoip.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]}]",
+ "optionsJSON": "{\"darkTheme\":false}",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/search/62439dc0-f9c9-11e6-a747-6121780e0414.json b/filebeat/module/system/_meta/kibana/search/62439dc0-f9c9-11e6-a747-6121780e0414.json
new file mode 100644
index 00000000000..8f1b5915a25
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/search/62439dc0-f9c9-11e6-a747-6121780e0414.json
@@ -0,0 +1,20 @@
+{
+ "sort": [
+ "@timestamp",
+ "desc"
+ ],
+ "hits": 0,
+ "description": "",
+ "title": "SSH login attempts",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"filebeat-*\",\"highlightAll\":true,\"query\":{\"query_string\":{\"query\":\"_exists_:system.auth.ssh.event\",\"analyze_wildcard\":true}},\"filter\":[]}"
+ },
+ "columns": [
+ "system.auth.ssh.event",
+ "system.auth.ssh.method",
+ "system.auth.user",
+ "system.auth.ssh.ip",
+ "system.auth.ssh.geoip.country_iso_code"
+ ]
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/search/8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/filebeat/module/system/_meta/kibana/search/8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json
new file mode 100644
index 00000000000..1f9a94927ff
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/search/8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json
@@ -0,0 +1,20 @@
+{
+ "sort": [
+ "@timestamp",
+ "desc"
+ ],
+ "hits": 0,
+ "description": "",
+ "title": "useradd logs",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"filebeat-*\",\"highlightAll\":true,\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"_exists_:system.auth.useradd\"}},\"filter\":[]}"
+ },
+ "columns": [
+ "system.auth.useradd.name",
+ "system.auth.useradd.uid",
+ "system.auth.useradd.gid",
+ "system.auth.useradd.home",
+ "system.auth.useradd.shell"
+ ]
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/search/b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/filebeat/module/system/_meta/kibana/search/b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json
new file mode 100644
index 00000000000..2f788c438be
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/search/b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json
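Review bot: The saved search hard-codes the index pattern as `\"index\":\"filebeat-*\"` inside `searchSourceJSON`, so anyone shipping to a custom index name (or reading through an alias) gets empty SSH/useradd/sudo/groupadd panels with no error. The same literal appears in the other saved searches of this commit and in the visualizations that do not set `savedSearchId`, so a single mismatch silently blanks the whole auth dashboard set. If the module loader rewrites the pattern on import this is already covered, but I could not confirm that from this diff; otherwise the module README should state that these dashboards assume the default `filebeat-*` pattern.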
@@ -0,0 +1,19 @@
+{
+ "sort": [
+ "@timestamp",
+ "desc"
+ ],
+ "hits": 0,
+ "description": "",
+ "title": "Sudo commands",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"filebeat-*\",\"highlightAll\":true,\"query\":{\"query_string\":{\"query\":\"_exists_:system.auth.sudo\",\"analyze_wildcard\":true}},\"filter\":[]}"
+ },
+ "columns": [
+ "system.auth.user",
+ "system.auth.sudo.user",
+ "system.auth.sudo.pwd",
+ "system.auth.sudo.command"
+ ]
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/search/eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/filebeat/module/system/_meta/kibana/search/eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json
new file mode 100644
index 00000000000..84c212cebc9
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/search/eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json
@@ -0,0 +1,17 @@
+{
+ "sort": [
+ "@timestamp",
+ "desc"
+ ],
+ "hits": 0,
+ "description": "",
+ "title": "groupadd logs",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"filebeat-*\",\"highlightAll\":true,\"query\":{\"query_string\":{\"query\":\"_exists_:system.auth.groupadd\",\"analyze_wildcard\":true}},\"filter\":[]}"
+ },
+ "columns": [
+ "system.auth.groupadd.name",
+ "system.auth.groupadd.gid"
+ ]
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/12667040-fa80-11e6-a1df-a78bd7504d38.json b/filebeat/module/system/_meta/kibana/visualization/12667040-fa80-11e6-a1df-a78bd7504d38.json
new file mode 100644
index 00000000000..f4d5de26534
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/12667040-fa80-11e6-a1df-a78bd7504d38.json
@@ -0,0 +1,11 @@
+{
+ "visState": "{\"title\":\"New groups\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"system.auth.groupadd.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"system.auth.groupadd.gid\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "New groups",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "savedSearchId": "eb0039f0-fa7f-11e6-a1df-a78bd7504d38",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[]}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/filebeat/module/system/_meta/kibana/visualization/341ffe70-f9ce-11e6-8115-a7c18106d86a.json
new file mode 100644
index 00000000000..63cb8aabd3b
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/341ffe70-f9ce-11e6-8115-a7c18106d86a.json
@@ -0,0 +1,10 @@
+{
+ "visState": "{\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"system.auth.user\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "SSH users of failed login attempts",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlightAll\":true,\"query\":{\"query_string\":{\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\",\"analyze_wildcard\":true}}}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/346bb290-fa80-11e6-a1df-a78bd7504d38.json b/filebeat/module/system/_meta/kibana/visualization/346bb290-fa80-11e6-a1df-a78bd7504d38.json
new file mode 100644
index 00000000000..f91a6a09580
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/346bb290-fa80-11e6-a1df-a78bd7504d38.json
@@ -0,0 +1,11 @@
+{
+ "visState": "{\"title\":\"New groups over time\",\"type\":\"histogram\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"system.auth.groupadd.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "New groups over time",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "savedSearchId": "eb0039f0-fa7f-11e6-a1df-a78bd7504d38",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[]}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/filebeat/module/system/_meta/kibana/visualization/3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json
new file mode 100644
index 00000000000..abfe842e249
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json
@@ -0,0 +1,10 @@
+{
+ "visState": "{\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[15,5],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"system.auth.ssh.geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}",
+ "description": "",
+ "title": "SSH failed login attempts source locations",
+ "uiStateJSON": "{\"mapZoom\":2,\"mapCenter\":[17.602139123350838,69.697265625]}",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlightAll\":true,\"query\":{\"query_string\":{\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\",\"analyze_wildcard\":true}}}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/filebeat/module/system/_meta/kibana/visualization/51164310-fa2b-11e6-bbd3-29c986c96e5a.json
new file mode 100644
index 00000000000..20668b48703
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/51164310-fa2b-11e6-bbd3-29c986c96e5a.json
@@ -0,0 +1,10 @@
+{
+ "visState": "{\"title\":\"Sudo errors\",\"type\":\"histogram\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"system.auth.sudo.error\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "Sudo errors",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlightAll\":true,\"query\":{\"query_string\":{\"query\":\"_exists_:system.auth.sudo.error\",\"analyze_wildcard\":true}}}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/filebeat/module/system/_meta/kibana/visualization/5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json
new file mode 100644
index 00000000000..eddbc197989
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json
@@ -0,0 +1,11 @@
+{
+ "visState": "{\"title\":\"Sudo commands by user\",\"type\":\"histogram\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"system.auth.user\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "Sudo commands by user",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "savedSearchId": "b6f321e0-fa25-11e6-bbd3-29c986c96e5a",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[]}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/filebeat/module/system/_meta/kibana/visualization/5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json
new file mode 100644
index 00000000000..d11a2798f17
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json
@@ -0,0 +1,11 @@
+{
+ "visState": "{\"title\":\"New users over time\",\"type\":\"histogram\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"system.auth.useradd.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "New users over time",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "savedSearchId": "8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[]}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/filebeat/module/system/_meta/kibana/visualization/78b74f30-f9cd-11e6-8115-a7c18106d86a.json
new file mode 100644
index 00000000000..5de09335d2e
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/78b74f30-f9cd-11e6-8115-a7c18106d86a.json
@@ -0,0 +1,10 @@
+{
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}",
+ "description": "",
+ "title": "SSH login attempts",
+ "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlightAll\":true}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/filebeat/module/system/_meta/kibana/visualization/d16bb400-f9cc-11e6-8115-a7c18106d86a.json
new file mode 100644
index 00000000000..78aaeb26859
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/d16bb400-f9cc-11e6-8115-a7c18106d86a.json
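Review bot: The "SSH login attempts" histogram's `searchSourceJSON` carries no `query` at all, unlike the sibling SSH visualizations in this commit, which scope themselves with `system.auth.ssh.event:Accepted` or `system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid`. The terms sub-aggregation on `system.auth.ssh.event` means documents without that field produce no series, so the chart still renders, but the unscoped date histogram runs over every document in the index pattern and the intent is not visible to whoever maintains the dashboard. Adding the same `_exists_:system.auth.ssh.event` query the saved search in this commit uses would make the panel consistent with its siblings and cheaper to evaluate.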
@@ -0,0 +1,10 @@
+{
+ "visState": "{\"title\":\"Successful SSH logins\",\"type\":\"histogram\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"system.auth.ssh.method\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "Successful SSH logins",
+ "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"publickey\":\"#629E51\",\"password\":\"#BF1B00\"}}}",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlightAll\":true,\"query\":{\"query_string\":{\"query\":\"system.auth.ssh.event:Accepted\",\"analyze_wildcard\":true}}}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/filebeat/module/system/_meta/kibana/visualization/d56ee420-fa79-11e6-a1df-a78bd7504d38.json
new file mode 100644
index 00000000000..ad1478a124a
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/d56ee420-fa79-11e6-a1df-a78bd7504d38.json
@@ -0,0 +1,11 @@
+{
+ "visState": "{\"title\":\"New users by home directory\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"system.auth.useradd.home\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"system.auth.useradd.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "New users by home directory",
+ "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\",\"/nonexistent\":\"#629E51\"},\"legendOpen\":true}}",
+ "version": 1,
+ "savedSearchId": "8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[]}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/filebeat/module/system/_meta/kibana/visualization/dc589770-fa2b-11e6-bbd3-29c986c96e5a.json
new file mode 100644
index 00000000000..79e4e50a295
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/dc589770-fa2b-11e6-bbd3-29c986c96e5a.json
@@ -0,0 +1,11 @@
+{
+ "visState": "{\"title\":\"Top sudo commands\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"system.auth.sudo.command\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"system.auth.user\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "Top sudo commands",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "savedSearchId": "b6f321e0-fa25-11e6-bbd3-29c986c96e5a",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[]}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/e121b140-fa78-11e6-a1df-a78bd7504d38.json b/filebeat/module/system/_meta/kibana/visualization/e121b140-fa78-11e6-a1df-a78bd7504d38.json
new file mode 100644
index 00000000000..18dfd0ce04d
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/e121b140-fa78-11e6-a1df-a78bd7504d38.json
@@ -0,0 +1,11 @@
+{
+ "visState": "{\"title\":\"New users by shell\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"system.auth.useradd.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "New users by shell",
+ "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}",
+ "version": 1,
+ "savedSearchId": "8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[]}"
+ }
+}
\ No newline at end of file
diff --git a/filebeat/module/system/_meta/kibana/visualization/f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/filebeat/module/system/_meta/kibana/visualization/f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json
new file mode 100644
index 00000000000..fbd2c6832ba
--- /dev/null
+++ b/filebeat/module/system/_meta/kibana/visualization/f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json
@@ -0,0 +1,11 @@
+{
+ "visState": "{\"title\":\"New users\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"system.auth.hostname\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Host\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"system.auth.useradd.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"system.auth.useradd.uid\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"UID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"system.auth.useradd.gid\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"GID\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"system.auth.useradd.home\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Home\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Shell\"}}],\"listeners\":{}}",
+ "description": "",
+ "title": "New users",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "savedSearchId": "8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[]}"
+ }
+}
\ No newline at end of file