
[Auditbeat] Host Overview dashboard #10160

Closed
wants to merge 7 commits into from

Conversation

cwurm
Contributor

@cwurm cwurm commented Jan 18, 2019

Adds a Host Overview dashboard for data from the host dataset:

[screenshot: auditbeat-system-host-overview-dashboard]

@cwurm cwurm added review needs_backport PR is waiting to be backported to other branches. Auditbeat SecOps labels Jan 18, 2019
@cwurm cwurm requested review from a team as code owners January 18, 2019 10:34
@elasticmachine
Collaborator

Pinging @elastic/secops

Contributor

@webmat webmat left a comment


Love the looks of the dashboard.

Perhaps more useful than avg uptime would be Bottom N uptimes (most recent reboots)?

I've discovered a big worry about canonical fields for strings not being keyword indexed, but this is out of the scope of this new dashboard. Let's look into that next week.

```json
{
  "enabled": true,
  "id": "1",
  "params": {
    "field": "system.audit.host.id.keyword"
  }
}
```
Contributor


Hmmm, the canonical fields are not keyword datatype? Is this a fact across Auditbeat?

In ECS, we're flipping the ES convention around. Virtually all textual fields are keyword, and if full text search is needed, a multi-field named .text should be added. To take this field for example, I would have expected system.audit.host.id == keyword and system.audit.host.id.text == text.

I thought the ECS convention (at least the canonical fields being keyword) was already in place across all beats, but it seems like it's not the case here.

@cwurm Do you know how widely multi-field is used for the keyword indexing, in Auditbeat?

cc @ruflin

Contributor Author

@cwurm cwurm Jan 21, 2019


My mistake. For some reason, I did not have the proper template loaded. I've loaded it now and updated the field references. Thanks for catching it.
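The mismatch discussed in this review thread (the visualization referencing `system.audit.host.id.keyword` because the proper index template was not loaded, and the fix of reloading the template and updating the field references) can be checked mechanically before a dashboard ships. The script below is an added example, not Auditbeat, ECS or Kibana project code. The index template and the Kibana visState it reads are constructed for the example, the `legacy_note` field is hypothetical (it is not an Auditbeat field and is only there to show the dynamic-mapping default next to the ECS convention), and the helper names (`walk_fields`, `classify_string_field`, `check_references`, and so on) are this example's own.

```python
"""Added example (not Auditbeat, ECS or Kibana project code).

Cross-checks the field names a Kibana visualization references against the
index template that will actually be loaded. Under the ECS convention a
canonical string field is mapped as `keyword` (with an optional `.text`
multi-field); the Elasticsearch dynamic-mapping default is `text` with a
`.keyword` sub-field. A dashboard built without the proper template ends up
referencing `foo.keyword`, which does not exist once that template is loaded.
Both JSON documents below are constructed for this example.
"""
import json

# Constructed template. `id` and `uptime` follow the ECS-style mapping;
# `legacy_note` is a hypothetical field deliberately mapped the
# dynamic-default way (text + .keyword) to show the contrast.
SAMPLE_TEMPLATE = json.dumps({
    "mappings": {
        "properties": {
            "system": {"properties": {
                "audit": {"properties": {
                    "host": {"properties": {
                        "id": {"type": "keyword", "ignore_above": 1024},
                        "uptime": {"type": "long"},
                        "legacy_note": {
                            "type": "text",
                            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
                        },
                    }},
                }},
            }},
        }
    }
})

# Constructed Kibana visState (the JSON stored inside a saved visualization);
# the terms aggregation references the `.keyword` sub-field by mistake, and a
# disabled aggregation is included to show that it is ignored.
SAMPLE_VIS_STATE = json.dumps({
    "title": "Host List",
    "type": "table",
    "aggs": [
        {"id": "1", "enabled": True, "type": "count", "schema": "metric", "params": {}},
        {"id": "2", "enabled": True, "type": "terms", "schema": "bucket",
         "params": {"field": "system.audit.host.id.keyword", "size": 10}},
        {"id": "3", "enabled": False, "type": "terms", "schema": "bucket",
         "params": {"field": "system.audit.host.does_not_exist"}},
    ],
})


def walk_fields(properties, prefix=""):
    """Yield (dotted_name, mapping) for every leaf field, descending into object fields."""
    for name, mapping in properties.items():
        full = prefix + name
        if "properties" in mapping:
            yield from walk_fields(mapping["properties"], full + ".")
        else:
            yield full, mapping


def classify_string_field(mapping):
    """Return 'ecs', 'legacy', 'text_only' or None for one field mapping.

    ecs       : type keyword (aggregatable as-is; ECS convention)
    legacy    : type text with a .keyword multi-field (dynamic-mapping default)
    text_only : type text with no keyword sub-field (not aggregatable at all)
    None      : not a string field
    """
    t = mapping.get("type")
    if t == "keyword":
        return "ecs"
    if t == "text":
        sub = mapping.get("fields", {}).get("keyword", {})
        return "legacy" if sub.get("type") == "keyword" else "text_only"
    return None


def audit_template(template_json):
    """Map each string field in the template to its classification."""
    props = json.loads(template_json)["mappings"]["properties"]
    result = {}
    for name, mapping in walk_fields(props):
        kind = classify_string_field(mapping)
        if kind is not None:
            result[name] = kind
    return result


def resolvable_fields(template_json):
    """Every name a visualization may legitimately reference: leaves plus their multi-fields."""
    props = json.loads(template_json)["mappings"]["properties"]
    names = set()
    for name, mapping in walk_fields(props):
        names.add(name)
        for sub in mapping.get("fields", {}):
            names.add(f"{name}.{sub}")
    return names


def visualization_field_refs(vis_state_json):
    """Collect params.field from every enabled aggregation in a Kibana visState."""
    state = json.loads(vis_state_json)
    return [agg["params"]["field"]
            for agg in state.get("aggs", [])
            if agg.get("enabled", True) and agg.get("params", {}).get("field")]


def check_references(template_json, refs):
    """Map each referenced field name to True if the template defines it, else False."""
    known = resolvable_fields(template_json)
    return {ref: ref in known for ref in refs}


if __name__ == "__main__":
    for name, kind in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{kind:9} {name}")
    refs = visualization_field_refs(SAMPLE_VIS_STATE)
    for ref, ok in check_references(SAMPLE_TEMPLATE, refs).items():
        print(f"{'ok' if ok else 'MISSING':9} {ref}")
```

Run against a real dashboard by feeding it the `visState` string of each saved visualization and the `mappings` section of the Beat's loaded template; a `MISSING` reference is a panel that will silently render empty, which for a security dashboard means an event class you stop seeing without any error telling you so.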

@cwurm
Contributor Author

cwurm commented Jan 21, 2019

> Perhaps more useful than avg uptime would be Bottom N uptimes (most recent reboots)?

The Host List table can already be sorted by uptime, I think I like that better than introducing another table that duplicates the information already present. I've added a commit that sets uptime (asc) as the default sort.

Contributor

@webmat webmat left a comment


Happy we caught that template problem :-)

LGTM

@andrewkroh
Member

Based on the screenshot I think the dashboard name needs to be swapped around. I think the convention dictates that it should be [Auditbeat System] Host Overview. But otherwise LGTM.

@cwurm
Contributor Author

cwurm commented Feb 3, 2019

I've opened #10511 for a System Overview dashboard containing data from all datasets. So closing this for now, unless we decide to go with individual dashboards after all.

@cwurm cwurm closed this Feb 3, 2019
@andrewkroh andrewkroh removed the needs_backport PR is waiting to be backported to other branches. label Aug 29, 2019
4 participants