Providing good "sample" audit log dashboards

:bulb: Audit log default dashboards

As a follow-up to a discussion with @askids

Some time ago we created a proof of concept in which we took inspiration from the “load sample data” cards you see in vanilla Kibana:

And created a ROR audit dashboard card with a button to automatically:

  1. Create an index pattern `readonlyrest-audit-*`
  2. Create some basic visualizations in a sample dashboard

The resulting dashboard contained some very basic examples of the insights that can be obtained from the default ROR audit log data points, e.g.:

  • Processing time (time of response - time of request)
  • Stats on what indices are hit most
  • Breakdown on what users hog most resources (cumulative req. processing time per user)
  • Authentication failures graph
  • Actions breakdown

From what I can see, the data we are able to extract from ROR can be valuable under at least two main aspects: security audit and performance audit.

So I was thinking of maybe creating two canned dashboards. But because I know our customers tend to be much more knowledgeable than us, thanks to their day-to-day experience with the product, I would like to open this task to ideas and dashboard contributions on the forum.

:ear: Open questions for ROR users!

Given the list of fields we collect in ROR audit logs:

```json
{
    "headers": [
      "Host",
      "Connection",
      "Content-Length",
      "Authorization"
    ],
    "acl_history": "[KIBANA_SERVER-> RULES:[auth_key->false]], [PERSONAL_GRP-> RULES:[groups->false]], [ADMIN_GRP-> RULES:[groups->true, kibana_access->true], RESOLVED:[user=admin;group=Administrators;av_groups=Administrators]], [Infosec-> RULES:[groups->true, kibana_access->false], RESOLVED:[user=admin;group=Infosec;av_groups=Infosec]]",
    "origin": "127.0.0.1/32",
    "match": true,
    "final_state": "ALLOWED",
    "destination": "127.0.0.1/32",
    "task_id": 5383,
    "type": "RRAdminRequest",
    "req_method": "GET",
    "path": "/_readonlyrest/admin/config",
    "indices": [],
    "@timestamp": "2020-05-18T14:10:12Z",
    "content_len_kb": 0,
    "processingMillis": 0,
    "action": "cluster:admin/rradmin/refreshsettings",
    "block": "{ name: 'ADMIN_GRP', policy: ALLOW, rules: [groups,kibana_access]",
    "id": "648726225-1470723316#5383",
    "content_len": 0,
    "user": "admin"
}
```
  1. Are there any other fields you would like ROR to ingest by default?

  2. Name a visualization you would see fit in the “Security Audit” dashboard (e.g. bar chart: x = time, y = # of failed authentications)

  3. Name a visualization you would see fit in the "Performance Audit" dashboard (e.g. pie chart: users that consumed the most processing time today)

  4. Any other use case we should cover apart from Security & Performance?

Thank you! :heart:
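To make the dashboard ideas above concrete (processing time per user, indices hit most, failed authentications over time, action breakdown), here is an added Python example that computes those aggregates directly from ROR-style audit log lines. This is not ROR's own code and was not posted in this thread; the audit lines are constructed to mirror the field names in the sample document above, and the `final_state` value `FORBIDDEN` for a denied request, as well as every user, index and origin name, are assumptions made for the example.

```python
"""Aggregate ReadonlyREST-style audit log lines into the dashboard metrics
discussed in the post (added example; not ROR's own code).

Field names (user, indices, action, processingMillis, final_state, origin,
@timestamp) follow the sample document in the post. The lines below are
constructed; "FORBIDDEN" as the denied final_state and all user, index and
origin names are assumptions made for this example.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed newline-delimited JSON, one ROR audit document per line.
SAMPLE_AUDIT_LINES = [
    '{"@timestamp":"2020-05-18T14:10:12Z","user":"admin","origin":"127.0.0.1/32","indices":[],'
    '"action":"cluster:admin/rradmin/refreshsettings","processingMillis":0,"final_state":"ALLOWED"}',
    '{"@timestamp":"2020-05-18T14:11:00Z","user":"alice","origin":"10.0.0.7/32","indices":["logs-2020.05.18"],'
    '"action":"indices:data/read/search","processingMillis":120,"final_state":"ALLOWED"}',
    '{"@timestamp":"2020-05-18T14:12:30Z","user":"alice","origin":"10.0.0.7/32",'
    '"indices":["logs-2020.05.18","logs-2020.05.17"],"action":"indices:data/read/search",'
    '"processingMillis":340,"final_state":"ALLOWED"}',
    '{"@timestamp":"2020-05-18T14:20:05Z","user":"bob","origin":"10.0.0.9/32","indices":["kibana_sample_data"],'
    '"action":"indices:data/read/search","processingMillis":15,"final_state":"ALLOWED"}',
    '{"@timestamp":"2020-05-18T14:21:00Z","user":"mallory","origin":"10.0.0.5/32","indices":["logs-2020.05.18"],'
    '"action":"indices:data/read/search","processingMillis":2,"final_state":"FORBIDDEN"}',
    '{"@timestamp":"2020-05-18T15:03:44Z","user":"mallory","origin":"10.0.0.5/32","indices":[],'
    '"action":"cluster:monitor/main","processingMillis":1,"final_state":"FORBIDDEN"}',
    '{"@timestamp":"2020-05-18T15:05:00Z","user":"bob","origin":"10.0.0.9/32","indices":["logs-2020.05.18"],'
    '"action":"indices:data/write/bulk","processingMillis":90,"final_state":"ALLOWED"}',
]


def parse_audit_lines(lines):
    """Parse JSON lines into dicts, converting @timestamp to a datetime.
    Blank or malformed lines are skipped instead of aborting the whole run."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["@timestamp"] = datetime.strptime(rec["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def processing_time_per_user(records):
    """Cumulative processingMillis per user: who hogs the cluster."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec.get("user", "<anonymous>")] += rec.get("processingMillis", 0)
    return dict(totals)


def index_hit_counts(records):
    """Requests per index (one hit per index named in a request)."""
    hits = Counter()
    for rec in records:
        hits.update(rec.get("indices", []))
    return hits


def failed_requests_per_hour(records, denied_state="FORBIDDEN"):
    """Denied requests bucketed by hour: the series behind an auth-failure chart."""
    buckets = defaultdict(int)
    for rec in records:
        if rec.get("final_state") == denied_state:
            buckets[rec["@timestamp"].strftime("%Y-%m-%dT%H")] += 1
    return dict(buckets)


def failed_requests_per_origin(records, denied_state="FORBIDDEN"):
    """Denied requests per source address, to spot one origin hammering the cluster."""
    return dict(Counter(rec.get("origin", "<unknown>")
                        for rec in records if rec.get("final_state") == denied_state))


def action_breakdown(records):
    """Request count per Elasticsearch action name."""
    return Counter(rec.get("action", "<unknown>") for rec in records)


def top_n(totals, n):
    """Highest-n entries of a {key: number} mapping, ties broken by key."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_AUDIT_LINES)
    print("processing ms per user:", top_n(processing_time_per_user(recs), 3))
    print("index hits:", index_hit_counts(recs).most_common(3))
    print("denied per hour:", failed_requests_per_hour(recs))
    print("denied per origin:", failed_requests_per_origin(recs))
    print("actions:", action_breakdown(recs).most_common())
```

Each function corresponds to one of the proposed visualizations, so the same logic maps directly onto Kibana aggregations (sum of `processingMillis` by `user`, terms on `indices`, a date histogram filtered on `final_state`, terms on `action`) once the `readonlyrest-audit-*` index pattern exists.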

@sscarduzio I was out for 3 months. Got back to work only recently. I will start looking at this in coming weeks and will pass on feedback as and when I try it out. Upgrading to 1.20 is next on my list.
