Created a new workbook for Syslog Overview

This commit is contained in:
Samik Roy 2022-06-23 00:28:38 +05:30 коммит произвёл GitHub
Родитель 14cbec97c1
Коммит 98d4070e8e
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1 изменённых файлов: 617 добавлений и 0 удалений


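--- /dev/null
+++ b/<file path not shown on page>
@@ -0,0 +1,617 @@
+{
+"version": "Notebook/1.0",
+"items": [
+{
+"type": 1,
+"content": {
+"json": "# Syslog Overview\r\n\r\nThis workbook is designed to show an overview about the data ingested through Syslog.\r\nThis can span across multiple wokspaces as well.\r\n\r\nPlease use the filters make the needed chioce for \r\n\r\n- Subscriptions\r\n- TimeRange\r\n- Wokspaces\r\n- HostNames\r\n- Facilities\r\n- Severity Level"
+},
+"name": "text - 1"
+},
+{
+"type": 9,
+"content": {
+"version": "KqlParameterItem/1.0",
+"parameters": [
+{
+"id": "21dea311-7dfc-41fb-99f6-d72f0f0c33c9",
+"version": "KqlParameterItem/1.0",
+"name": "Subscriptions",
+"type": 6,
+"isRequired": true,
+"multiSelect": true,
+"quote": "'",
+"delimiter": ",",
+"value": [
+"value::all"
+],
+"typeSettings": {
+"additionalResourceOptions": [
+"value::1",
+"value::all"
+],
+"includeAll": false
+}
+},
+{
+"id": "9b289ad1-7eaa-411d-b2b0-43c69cf5aa14",
+"version": "KqlParameterItem/1.0",
+"name": "TimeRange",
+"type": 4,
+"isRequired": true,
+"typeSettings": {
+"selectableValues": [
+{
+"durationMs": 300000
+},
+{
+"durationMs": 900000
+},
+{
+"durationMs": 1800000
+},
+{
+"durationMs": 3600000
+},
+{
+"durationMs": 14400000
+},
+{
+"durationMs": 43200000
+},
+{
+"durationMs": 86400000
+},
+{
+"durationMs": 172800000
+},
+{
+"durationMs": 259200000
+},
+{
+"durationMs": 604800000
+},
+{
+"durationMs": 1209600000
+},
+{
+"durationMs": 2419200000
+},
+{
+"durationMs": 2592000000
+},
+{
+"durationMs": 5184000000
+},
+{
+"durationMs": 7776000000
+}
+]
+},
+"value": {
+"durationMs": 43200000
+}
+},
+{
+"id": "0698db8c-7a3a-4aec-bfb2-eb59942b0375",
+"version": "KqlParameterItem/1.0",
+"name": "Workspace",
+"type": 5,
+"isRequired": true,
+"multiSelect": true,
+"quote": "'",
+"delimiter": ",",
+"query": "where type =~ 'microsoft.operationalinsights/workspaces'",
+"crossComponentResources": [
+"{Subscriptions}"
+],
+"typeSettings": {
+"additionalResourceOptions": []
+},
+"queryType": 1,
+"resourceType": "microsoft.resourcegraph/resources",
+"value": []
+}
+],
+"style": "pills",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"customWidth": "50",
+"name": "Global"
+},
+{
+"type": 9,
+"content": {
+"version": "KqlParameterItem/1.0",
+"crossComponentResources": [
+"{Workspace}"
+],
+"parameters": [
+{
+"id": "1c90369f-1844-4d13-a46d-43a3359be543",
+"version": "KqlParameterItem/1.0",
+"name": "HostName",
+"type": 5,
+"isRequired": true,
+"multiSelect": true,
+"quote": "'",
+"delimiter": ",",
+"query": "Syslog\r\n| distinct HostName",
+"crossComponentResources": [
+"{Workspace}"
+],
+"value": [
+"value::all"
+],
+"typeSettings": {
+"additionalResourceOptions": [
+"value::all"
+],
+"showDefault": false
+},
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+{
+"id": "5daf3466-52d9-4674-b14d-d9cf72444235",
+"version": "KqlParameterItem/1.0",
+"name": "Facility",
+"type": 5,
+"isRequired": true,
+"multiSelect": true,
+"quote": "'",
+"delimiter": ",",
+"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| distinct Facility",
+"crossComponentResources": [
+"{Workspace}"
+],
+"value": [
+"value::all"
+],
+"typeSettings": {
+"additionalResourceOptions": [
+"value::all"
+],
+"showDefault": false
+},
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+{
+"id": "3e5d94d9-5faf-49df-af2f-f93f7f858fc9",
+"version": "KqlParameterItem/1.0",
+"name": "SeverityLevel",
+"type": 5,
+"isRequired": true,
+"multiSelect": true,
+"quote": "'",
+"delimiter": ",",
+"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| distinct SeverityLevel",
+"crossComponentResources": [
+"{Workspace}"
+],
+"value": [
+"value::all"
+],
+"typeSettings": {
+"additionalResourceOptions": [
+"value::all"
+],
+"showDefault": false
+},
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+{
+"id": "1b53f2a7-c0e9-48a1-9e9c-213c6581182d",
+"version": "KqlParameterItem/1.0",
+"name": "Message",
+"type": 1,
+"isRequired": true,
+"query": "Syslog\r\n| distinct Facility\r\n| summarize Selected = countif(Facility in ({Facility:value})), Total = count()\r\n| project Message = strcat(' ', Selected, ' out of ', Total, ' facilities selected')",
+"crossComponentResources": [
+"{Workspace}"
+],
+"isHiddenWhenLocked": true,
+"timeContext": {
+"durationMs": 0
+},
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+}
+],
+"style": "pills",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces"
+},
+"customWidth": "50",
+"name": "Local"
+},
+{
+"type": 1,
+"content": {
+"json": "|Hosts|Facility|Severity|\r\n|--|--|--|--|\r\n|{HostName}|{Facility}|{SeverityLevel}|\r\n\r\n#### {Message}"
+},
+"name": "text - 3"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by HostName, bin(TimeGenerated,{TimeRange:grain})",
+"size": 0,
+"title": "Data Ingestion Trend",
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "timechart"
+},
+"name": "query - 10"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize arg_max(TimeGenerated,*) by HostName\r\n| extend ['Last Log Seen Ago'] = datetime_diff('second',now(), TimeGenerated)\r\n| order by ['Last Log Seen Ago'] desc \r\n| project HostName, ['Last Log Seen Ago']\r\n| join (Syslog\r\n | where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n | where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n | where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n | make-series SyslogIngestionTrend = count(SeverityLevel) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by HostName) on HostName",
+"size": 0,
+"title": "Host Heartbeat & Trend",
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "Last Log Seen Ago",
+"formatter": 8,
+"formatOptions": {
+"palette": "red"
+},
+"numberFormat": {
+"unit": 24,
+"options": {
+"style": "decimal"
+}
+}
+},
+{
+"columnMatch": "HostName1",
+"formatter": 5
+},
+{
+"columnMatch": "SyslogIngestionTrend",
+"formatter": 10,
+"formatOptions": {
+"palette": "green"
+}
+},
+{
+"columnMatch": "TimeGenerated",
+"formatter": 5
+}
+],
+"filter": true
+}
+},
+"customWidth": "50",
+"name": "query - 11"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by HostName",
+"size": 0,
+"title": "Host names",
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "barchart"
+},
+"customWidth": "50",
+"name": "query - 7"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by Facility",
+"size": 0,
+"title": "Facility",
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "categoricalbar"
+},
+"customWidth": "50",
+"name": "query - 7 - Copy"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by SeverityLevel",
+"size": 0,
+"title": "Severity Level",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"visualization": "categoricalbar"
+},
+"customWidth": "50",
+"name": "query - 7 - Copy - Copy"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Syslog\r\n| where HostName in ({HostName}) or '*' in ({HostName})\r\n| where Facility in ({Facility}) or '*' in ({Facility})\r\n| where SeverityLevel in ({SeverityLevel}) or '*' in ({SeverityLevel})\r\n| summarize count(SeverityLevel) by SeverityLevel \r\n| extend jkey = 1\r\n| join (Syslog\r\n| where HostName in ({HostName}) or '*' in ({HostName})\r\n| where Facility in ({Facility}) or '*' in ({Facility})\r\n| where SeverityLevel in ({SeverityLevel}) or '*' in ({SeverityLevel})\r\n| make-series Trend = count(SeverityLevel) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SeverityLevel) on SeverityLevel",
+"size": 1,
+"title": "Severity Trend Summary",
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"crossComponentResources": [
+"{Workspace}"
+],
+"visualization": "tiles",
+"tileSettings": {
+"titleContent": {
+"columnMatch": "SeverityLevel",
+"formatter": 18,
+"formatOptions": {
+"thresholdsOptions": "icons",
+"thresholdsGrid": [
+{
+"operator": "==",
+"thresholdValue": "debug",
+"representation": "question",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "notice",
+"representation": "Normal",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "info",
+"representation": "1",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "warn",
+"representation": "2",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "err",
+"representation": "3",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "alert",
+"representation": "2",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "emerg",
+"representation": "4",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "crit",
+"representation": "critical",
+"text": "{0}{1}"
+},
+{
+"operator": "Default",
+"thresholdValue": null,
+"representation": "success",
+"text": "{0}{1}"
+}
+]
+}
+},
+"leftContent": {
+"columnMatch": "count_SeverityLevel",
+"formatter": 12,
+"formatOptions": {
+"palette": "auto"
+},
+"numberFormat": {
+"unit": 17,
+"options": {
+"maximumSignificantDigits": 3,
+"maximumFractionDigits": 2
+}
+}
+},
+"secondaryContent": {
+"columnMatch": "Trend",
+"formatter": 21,
+"formatOptions": {
+"min": 0,
+"max": 5000,
+"palette": "green"
+}
+},
+"showBorder": true,
+"sortCriteriaField": "count_SeverityLevel",
+"sortOrderField": 2
+}
+},
+"name": "query - 4"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize SyslogEventCount=count(SeverityLevel) by Facility, HostName\r\n| join (Syslog\r\n | where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n | where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n | where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n | make-series SyslogTimeLine = count(SeverityLevel) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Facility,HostName) on Facility,HostName\r\n| project-away Facility1, TimeGenerated",
+"size": 0,
+"title": "Syslog Trend",
+"timeContextFromParameter": "TimeRange",
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"crossComponentResources": [
+"{Workspace}"
+],
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "Facility",
+"formatter": 5
+},
+{
+"columnMatch": "HostName",
+"formatter": 5
+},
+{
+"columnMatch": "SyslogEventCount",
+"formatter": 8,
+"formatOptions": {
+"palette": "blue"
+}
+},
+{
+"columnMatch": "SyslogTimeLine",
+"formatter": 21,
+"formatOptions": {
+"min": 0,
+"max": 1000,
+"palette": "green"
+}
+}
+],
+"filter": true,
+"hierarchySettings": {
+"treeType": 1,
+"groupBy": [
+"HostName"
+],
+"expandTopLevel": true,
+"finalBy": "Facility"
+}
+}
+},
+"name": "query - 5"
+},
+{
+"type": 3,
+"content": {
+"version": "KqlItem/1.0",
+"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| extend Pack=pack_all()\r\n| extend TimeFromNow = now() - TimeGenerated\r\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1s), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago') \r\n| project [\"Time\"]=strcat('🕒', TimeAgo), HostName, SeverityLevel, Facility, SyslogMessage, ProcessName, [\"Details\"]=Pack\r\n",
+"size": 2,
+"showAnalytics": true,
+"title": "Timeline",
+"timeContextFromParameter": "TimeRange",
+"showExportToExcel": true,
+"queryType": 0,
+"resourceType": "microsoft.operationalinsights/workspaces",
+"crossComponentResources": [
+"{Workspace}"
+],
+"gridSettings": {
+"formatters": [
+{
+"columnMatch": "SeverityLevel",
+"formatter": 18,
+"formatOptions": {
+"thresholdsOptions": "icons",
+"thresholdsGrid": [
+{
+"operator": "==",
+"thresholdValue": "debug",
+"representation": "question",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "emerg",
+"representation": "4",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "crit",
+"representation": "4",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "err",
+"representation": "3",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "warning",
+"representation": "2",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "notice",
+"representation": "Normal",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "info",
+"representation": "info",
+"text": "{0}{1}"
+},
+{
+"operator": "==",
+"thresholdValue": "alert",
+"representation": "2",
+"text": "{0}{1}"
+},
+{
+"operator": "Default",
+"thresholdValue": null,
+"representation": "success",
+"text": "{0}{1}"
+}
+]
+}
+},
+{
+"columnMatch": "Details",
+"formatter": 7,
+"formatOptions": {
+"linkTarget": "CellDetails",
+"linkLabel": "🔍 View Details",
+"linkIsContextBlade": true
+}
+}
+],
+"rowLimit": 10000,
+"filter": true
+}
+},
+"name": "query - 6"
+}
+],
+"fallbackResourceIds": [],
+"fromTemplateId": "sentinel-syslogoverview",
+"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}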
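Review bot: The first five query items ("Data Ingestion Trend", "Host Heartbeat & Trend", "Host names", "Facility", "Severity Level") carry no `"crossComponentResources": ["{Workspace}"]`, unlike "Severity Trend Summary", "Syslog Trend" and "Timeline" later in the file, so they appear to run only against the resource the workbook is opened on rather than the selected workspaces and would not span multiple workspaces as the intro text promises; the "Severity Level" item (`"name": "query - 7 - Copy - Copy"`) is additionally missing `"timeContextFromParameter": "TimeRange"`, so its time window likely ignores the TimeRange picker. The "Severity Trend Summary" query uses case-sensitive `in` where every other query uses `in~`, and its icon grid matches `"thresholdValue": "warn"` while the "Timeline" grid matches `"warning"`; since the two grids cannot both be right for the same SeverityLevel column, one of them falls through to the `Default` rule and renders that severity with the `success` icon, which is the wrong signal for a triage view. The markdown table in "text - 3" has a four-column separator row (`|--|--|--|--|`) under a three-column header, and the intro text in "text - 1" has typos (`wokspaces`, `chioce`, `Wokspaces`, "use the filters make the needed").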