Can someone help me with this or tell me how I can use (pre-made) dashboards?

Hello, I’m relatively new to the topic of Graylog for our company. We are currently using the free version.

I have set up the basics and would now like to focus on creating dashboards.

For that, I have set up a test instance with Graylog 6 and Datanode using a compose file.

services:
  mongodb:
    image: "mongo:5.0"
    volumes:
      - "mongodb_data:/data/db"
    restart: "on-failure"

  datanode:
    hostname: "opensearch"
    image: "${DATANODE_IMAGE:-graylog/graylog-datanode:6.0}"
    environment:
      GRAYLOG_DATANODE_NODE_ID_FILE: "/var/lib/graylog-datanode/node-id"
      GRAYLOG_DATANODE_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET:?Please configure GRAYLOG_PASSWORD_SECRET in the .env file}"
      GRAYLOG_DATANODE_ROOT_PASSWORD_SHA2: "${GRAYLOG_ROOT_PASSWORD_SHA2:?Please configure GRAYLOG_ROOT_PASSWORD_SHA2 in the .env file}"
      GRAYLOG_DATANODE_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    ulimits:
      memlock:
        hard: -1
        soft: -1
      nofile:
        soft: 65536
        hard: 65536
    ports:
      - "8999:8999/tcp"   # DataNode API
      - "9200:9200/tcp"
      - "9300:9300/tcp"
    volumes:
      - "graylog-datanode:/var/lib/graylog-datanode"
    restart: "on-failure"

  graylog:
    hostname: "server"
    image: "${GRAYLOG_IMAGE:-graylog/graylog:6.0}"
    depends_on:
      mongodb:
        condition: "service_started"
    entrypoint: "/usr/bin/tini --  /docker-entrypoint.sh"
    environment:
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/data/node-id"
      GRAYLOG_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET:?Please configure GRAYLOG_PASSWORD_SECRET in the .env file}"
      GRAYLOG_ROOT_PASSWORD_SHA2: "${GRAYLOG_ROOT_PASSWORD_SHA2:?Please configure GRAYLOG_ROOT_PASSWORD_SHA2 in the .env file}"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      GRAYLOG_HTTP_DISABLE_HOSTNAME_VERIFICATION: "true"
    ports:
      - "5044:5044/tcp"   # Beats
      - "5140:5140/udp"   # Syslog
      - "5140:5140/tcp"   # Syslog
      - "5555:5555/tcp"   # RAW TCP
      - "5555:5555/udp"   # RAW UDP
      - "9000:9000/tcp"   # Server API
      - "12201:12201/tcp" # GELF TCP
      - "12201:12201/udp" # GELF UDP
      - "5514:5514/udp"   # HSH UDP Input
      #- "10000:10000/tcp" # Custom TCP port
      #- "10000:10000/udp" # Custom UDP port
      - "13301:13301/tcp" # Forwarder data
      - "13302:13302/tcp" # Forwarder config
    volumes:
      - "graylog_data:/usr/share/graylog/data/data"
      - "graylog_journal:/usr/share/graylog/data/journal"
    restart: "on-failure"

volumes:
  mongodb_data:
  graylog-datanode:
  graylog_data:
  graylog_journal:

Now, I would like to create a dashboard, for example, that shows failed login attempts. So far, I’m using the following query:

application_name:sshd AND (message:"authentication failure" OR message:"Invalid user" OR message:"Failed password")

However, I would like to display this in a more organized and clear way, ideally in a chart. I also want to identify brute-force attacks.

Can someone help me with this or tell me how I can use pre-made dashboards?

Best regards
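Added example (not part of the original post or of Graylog itself): a small simulation of what the query above and a "failed logins per source, per time interval" aggregation widget would compute, with a threshold applied to flag brute-force candidates. The log lines are constructed sample data; the field names `application_name` and `message` follow the post, the source-IP extraction, the 5-minute window and the threshold of 5 are assumptions, and the case-insensitive substring match only approximates how Graylog searches an analyzed `message` field.

```python
"""Simulate the sshd failed-login search and a per-IP brute-force aggregation.

Added illustration, not Graylog code. Field names follow the post; window,
threshold and the sample log lines below are constructed assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample messages: (timestamp, application_name, message).
# One host hammers sshd, one user mistypes once, one non-sshd line contains
# "authentication failure" and must NOT count (that is what the parentheses
# in the corrected query enforce).
SAMPLE_LOGS = [
    ("2024-05-01T10:00:01", "sshd", "Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2"),
    ("2024-05-01T10:00:03", "sshd", "Invalid user admin from 203.0.113.7 port 51423"),
    ("2024-05-01T10:00:05", "sshd", "Failed password for root from 203.0.113.7 port 51424 ssh2"),
    ("2024-05-01T10:00:08", "sshd", "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root"),
    ("2024-05-01T10:00:10", "sshd", "Failed password for root from 203.0.113.7 port 51425 ssh2"),
    ("2024-05-01T10:00:12", "sshd", "Failed password for root from 203.0.113.7 port 51426 ssh2"),
    ("2024-05-01T10:01:30", "sshd", "Failed password for alice from 198.51.100.20 port 40000 ssh2"),
    ("2024-05-01T10:01:40", "sshd", "Accepted password for alice from 198.51.100.20 port 40001 ssh2"),
    ("2024-05-01T10:02:00", "login", "FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure"),
]

# The three phrases from the post's query, compared case-insensitively.
FAILURE_TERMS = ("authentication failure", "invalid user", "failed password")

# Assumed extraction of the remote host from sshd / pam_unix message text.
SOURCE_RE = re.compile(r"(?:from|rhost=)\s*(\d{1,3}(?:\.\d{1,3}){3})")


def is_failed_login(application_name, message):
    """Equivalent of: application_name:sshd AND (message:... OR message:... OR message:...)."""
    text = message.lower()
    return application_name == "sshd" and any(term in text for term in FAILURE_TERMS)


def source_ip(message):
    """Return the remote address named in the message, or 'unknown'."""
    match = SOURCE_RE.search(message)
    return match.group(1) if match else "unknown"


def window_start(timestamp, window):
    """Floor an ISO timestamp to the start of its fixed-size window (the
    'timestamp' interval an aggregation widget groups by)."""
    dt = datetime.fromisoformat(timestamp)
    midnight = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    seconds = int((dt - midnight).total_seconds())
    return midnight + timedelta(seconds=seconds - seconds % int(window.total_seconds()))


def failed_logins_by_window_and_ip(logs, window=timedelta(minutes=5)):
    """Count failed sshd logins grouped by (window start, source IP)."""
    counts = Counter()
    for timestamp, application_name, message in logs:
        if is_failed_login(application_name, message):
            counts[(window_start(timestamp, window), source_ip(message))] += 1
    return counts


def brute_force_candidates(counts, threshold=5):
    """Sources with at least `threshold` failures in one window, busiest first."""
    hits = [(ip, start, n) for (start, ip), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: -item[2])


if __name__ == "__main__":
    counts = failed_logins_by_window_and_ip(SAMPLE_LOGS)
    for (start, ip), n in sorted(counts.items()):
        print(f"{start:%Y-%m-%d %H:%M}  {ip:<15}  {n} failed logins")
    for ip, start, n in brute_force_candidates(counts):
        print(f"brute-force candidate: {ip} ({n} failures in window starting {start:%H:%M})")
```

The same grouping is what an aggregation widget with rows grouped by the source-address field and a timestamp interval gives you; the threshold step is what an event definition with an aggregation condition would evaluate.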

Hello @NTSC,

If you are yet to run through the Dashboards course at the Graylog Academy, I would suggest you do so. It's free and will give you the knowledge required to do the above and probably more.

As a quick example, see below; keep in mind that the fields in my environment are not 1-to-1 with yours.
