618 строки
22 KiB
JSON
618 строки
22 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "# Syslog Overview\r\n\r\nThis workbook is designed to show an overview about the data ingested through Syslog.\r\nThis can span across multiple wokspaces as well.\r\n\r\nPlease use the filters make the needed chioce for \r\n\r\n- Subscriptions\r\n- TimeRange\r\n- Wokspaces\r\n- HostNames\r\n- Facilities\r\n- Severity Level"
|
|
},
|
|
"name": "text - 1"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "21dea311-7dfc-41fb-99f6-d72f0f0c33c9",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Subscriptions",
|
|
"type": 6,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::1",
|
|
"value::all"
|
|
],
|
|
"includeAll": false
|
|
}
|
|
},
|
|
{
|
|
"id": "9b289ad1-7eaa-411d-b2b0-43c69cf5aa14",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "TimeRange",
|
|
"type": 4,
|
|
"isRequired": true,
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
},
|
|
"value": {
|
|
"durationMs": 43200000
|
|
}
|
|
},
|
|
{
|
|
"id": "0698db8c-7a3a-4aec-bfb2-eb59942b0375",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Workspace",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "where type =~ 'microsoft.operationalinsights/workspaces'",
|
|
"crossComponentResources": [
|
|
"{Subscriptions}"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": []
|
|
},
|
|
"queryType": 1,
|
|
"resourceType": "microsoft.resourcegraph/resources",
|
|
"value": []
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "Global"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"id": "1c90369f-1844-4d13-a46d-43a3359be543",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "HostName",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "Syslog\r\n| distinct HostName",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "5daf3466-52d9-4674-b14d-d9cf72444235",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Facility",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| distinct Facility",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "3e5d94d9-5faf-49df-af2f-f93f7f858fc9",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "SeverityLevel",
|
|
"type": 5,
|
|
"isRequired": true,
|
|
"multiSelect": true,
|
|
"quote": "'",
|
|
"delimiter": ",",
|
|
"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| distinct SeverityLevel",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"value": [
|
|
"value::all"
|
|
],
|
|
"typeSettings": {
|
|
"additionalResourceOptions": [
|
|
"value::all"
|
|
],
|
|
"showDefault": false
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
{
|
|
"id": "1b53f2a7-c0e9-48a1-9e9c-213c6581182d",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Message",
|
|
"type": 1,
|
|
"isRequired": true,
|
|
"query": "Syslog\r\n| distinct Facility\r\n| summarize Selected = countif(Facility in ({Facility:value})), Total = count()\r\n| project Message = strcat(' ', Selected, ' out of ', Total, ' facilities selected')",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "Local"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "|Hosts|Facility|Severity|\r\n|--|--|--|--|\r\n|{HostName}|{Facility}|{SeverityLevel}|\r\n\r\n#### {Message}"
|
|
},
|
|
"name": "text - 3"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by HostName, bin(TimeGenerated,{TimeRange:grain})",
|
|
"size": 0,
|
|
"title": "Data Ingestion Trend",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "timechart"
|
|
},
|
|
"name": "query - 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize arg_max(TimeGenerated,*) by HostName\r\n| extend ['Last Log Seen Ago'] = datetime_diff('second',now(), TimeGenerated)\r\n| order by ['Last Log Seen Ago'] desc \r\n| project HostName, ['Last Log Seen Ago']\r\n| join (Syslog\r\n | where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n | where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n | where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n | make-series SyslogIngestionTrend = count(SeverityLevel) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by HostName) on HostName",
|
|
"size": 0,
|
|
"title": "Host Heartbeat & Trend",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Last Log Seen Ago",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "red"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 24,
|
|
"options": {
|
|
"style": "decimal"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "HostName1",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "SyslogIngestionTrend",
|
|
"formatter": 10,
|
|
"formatOptions": {
|
|
"palette": "green"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"filter": true
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by HostName",
|
|
"size": 0,
|
|
"title": "Host names",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 7"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by Facility",
|
|
"size": 0,
|
|
"title": "Facility",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "categoricalbar"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 7 - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize count() by SeverityLevel",
|
|
"size": 0,
|
|
"title": "Severity Level",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "categoricalbar"
|
|
},
|
|
"customWidth": "50",
|
|
"name": "query - 7 - Copy - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Syslog\r\n| where HostName in ({HostName}) or '*' in ({HostName})\r\n| where Facility in ({Facility}) or '*' in ({Facility})\r\n| where SeverityLevel in ({SeverityLevel}) or '*' in ({SeverityLevel})\r\n| summarize count(SeverityLevel) by SeverityLevel \r\n| extend jkey = 1\r\n| join (Syslog\r\n| where HostName in ({HostName}) or '*' in ({HostName})\r\n| where Facility in ({Facility}) or '*' in ({Facility})\r\n| where SeverityLevel in ({SeverityLevel}) or '*' in ({SeverityLevel})\r\n| make-series Trend = count(SeverityLevel) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SeverityLevel) on SeverityLevel",
|
|
"size": 1,
|
|
"title": "Severity Trend Summary",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "SeverityLevel",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "debug",
|
|
"representation": "question",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "notice",
|
|
"representation": "Normal",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "info",
|
|
"representation": "1",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "warn",
|
|
"representation": "2",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "err",
|
|
"representation": "3",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "alert",
|
|
"representation": "2",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "emerg",
|
|
"representation": "4",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "crit",
|
|
"representation": "critical",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "count_SeverityLevel",
|
|
"formatter": 12,
|
|
"formatOptions": {
|
|
"palette": "auto"
|
|
},
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"maximumSignificantDigits": 3,
|
|
"maximumFractionDigits": 2
|
|
}
|
|
}
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Trend",
|
|
"formatter": 21,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"max": 5000,
|
|
"palette": "green"
|
|
}
|
|
},
|
|
"showBorder": true,
|
|
"sortCriteriaField": "count_SeverityLevel",
|
|
"sortOrderField": 2
|
|
}
|
|
},
|
|
"name": "query - 4"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| summarize SyslogEventCount=count(SeverityLevel) by Facility, HostName\r\n| join (Syslog\r\n | where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n | where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n | where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n | make-series SyslogTimeLine = count(SeverityLevel) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Facility,HostName) on Facility,HostName\r\n| project-away Facility1, TimeGenerated",
|
|
"size": 0,
|
|
"title": "Syslog Trend",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Facility",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "HostName",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "SyslogEventCount",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "SyslogTimeLine",
|
|
"formatter": 21,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"max": 1000,
|
|
"palette": "green"
|
|
}
|
|
}
|
|
],
|
|
"filter": true,
|
|
"hierarchySettings": {
|
|
"treeType": 1,
|
|
"groupBy": [
|
|
"HostName"
|
|
],
|
|
"expandTopLevel": true,
|
|
"finalBy": "Facility"
|
|
}
|
|
}
|
|
},
|
|
"name": "query - 5"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "Syslog\r\n| where HostName in~ ({HostName}) or '*' in~ ({HostName})\r\n| where Facility in~ ({Facility}) or '*' in~ ({Facility})\r\n| where SeverityLevel in~ ({SeverityLevel}) or '*' in~ ({SeverityLevel})\r\n| extend Pack=pack_all()\r\n| extend TimeFromNow = now() - TimeGenerated\r\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1s), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago') \r\n| project [\"Time\"]=strcat('🕒', TimeAgo), HostName, SeverityLevel, Facility, SyslogMessage, ProcessName, [\"Details\"]=Pack\r\n",
|
|
"size": 2,
|
|
"showAnalytics": true,
|
|
"title": "Timeline",
|
|
"timeContextFromParameter": "TimeRange",
|
|
"showExportToExcel": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"crossComponentResources": [
|
|
"{Workspace}"
|
|
],
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "SeverityLevel",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "icons",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "debug",
|
|
"representation": "question",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "emerg",
|
|
"representation": "4",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "crit",
|
|
"representation": "4",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "err",
|
|
"representation": "3",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "warning",
|
|
"representation": "2",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "notice",
|
|
"representation": "Normal",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "info",
|
|
"representation": "info",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "alert",
|
|
"representation": "2",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "success",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Details",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "CellDetails",
|
|
"linkLabel": "🔍 View Details",
|
|
"linkIsContextBlade": true
|
|
}
|
|
}
|
|
],
|
|
"rowLimit": 10000,
|
|
"filter": true
|
|
}
|
|
},
|
|
"name": "query - 6"
|
|
}
|
|
],
|
|
"fallbackResourceIds": [],
|
|
"fromTemplateId": "sentinel-syslogoverview",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|