Configure a Dashboard

A dashboard is a collection of saved searches: queries that make it easier to check servers for events or occurrences of interest. These will be configured to display a graph so you can more easily scan or monitor servers. This is the last page of a four-part tutorial: go to the first page if you haven’t yet read the previous pages.

On the previous page, you created two widgets from the search queries you entered, which are in the dashboard you created. You should be viewing that dashboard in Humio Cloud now. Let’s see what you can do in a dashboard.

Let’s reposition and resize the widgets. Click on the Edit button at the top right. Then drag the two widgets into different positions. Resize them with your mouse. It’s a little delicate to get your mouse in the right position to widen a widget, but don’t get discouraged.

In the right margin, you’ll see that you can change the name of the dashboard and the description. On each widget it also says Edit. If you click on one, the right margin will show the properties for the widget. This will allow you to change the titles and descriptions for them. For a time-chart widget, you can change how the graph is displayed.

If you want to change a query behind a widget, after clicking the main Edit button, you’ll see a few more buttons appear to the left of it. Click on Show Queries to reveal the queries for each widget. You can modify them here, if you want. Or you can copy one of the queries and return to the Search page to test any changes before changing a widget.

The two widgets we have so far are generated by queries that involve data from the vector data shipper. Let’s add a widget that will use data that rsyslog is sending to Humio. Before doing this, let’s generate some security events we might want to monitor. Open a terminal window on your computer and try to log into your server with a user name that doesn’t exist on your server. Enter something like the first line below, but with your domain name or IP address:

ssh bob@example.com
bob@example.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Example 7, Failed Log In Attempt.
Figure 7: Data Sources for a Repository

The second line here is what’s returned since this server requires an encryption key. Try to log in with at least two other fake user names, just so we’ll have a few entries in the Humio repository.

When you’ve done that, go back to Humio Cloud in your web browser and click on Search. Then enter bob, or whatever fake user name you entered, in the search field to find the entry for that failed attempt to log in. Click on the entry it shows to see more information at the bottom, similar to the screenshot in Figure 7.

Near the top of the list of field names and their values, notice the field just after the repository name. It shows the type with a value of syslog. That’s coming from rsyslog on your server.

Much further down the list of fields there’s a message field with a value that says, Invalid user bob… — or something similar. Let’s use that text to search for all attempts to log in with an invalid user, just the Invalid user part without the user name.

The text below is a fairly complicated query. It uses a regex to parse the details of the full message. If you compare this regex expression to the results when we searched only on the user name, you’ll see how it’s parsing the message text to return just the source IP address and port, and the user name. Don’t get too caught up trying to decipher the regex expression, though. For now, copy and paste the query into your search field and run it:

/Invalid user (?<user>\w+) from (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?<src_port>\d+)/
| table([src_ip, src_port, user])

Example 8, Query to Search & Parse Entries for Failed Log In Attempts.

The results should show a table listing all of the times you tried to log in with a fake name. Normally, though, if you see many attempts from the same IP address, you might want to block that port: it might be a hacker. If you recognize the name as being similar to an actual user (e.g., Bob’s user name is actually rob), you might want to talk to that user to solve the problem.

Let’s save this query to a widget to put in the dashboard. Click on the Save As button and choose Dashboard Widget. Give it a title like Invalid User Login Attempts and maybe a description. Then save it and go to the dashboard to see how it looks. From the dashboard, click the Edit button again and move all of the widgets around and resize them to accommodate the new widget.

Figure 8: Data Sources for a Repository

While still in Edit mode, click on the Add Note button. This will create a simple widget in which you may add text describing the dashboard or some other information related to the other widgets. It could be a note for yourself, or it could instruct other admins as to what to do when they see something abnormal in the widgets. The note widget accepts basic markdown formatting and you can include links to other web pages. With all of this in mind, write something in that note widget and save it. After that, you may want to rearrange and resize the widgets again.

While you’re playing with the dashboard, notice there’s a button at the top that probably reads, Last 24H (Live). This means that the data for all of the widgets is for entries in the repository for the past twenty-four hours. The Live part means that the results in the widgets will change as events happen. Test that by either attempting again to open a web page that doesn’t exist on your server, or logging in with another invalid user name. You should see the results change in at least one of the widgets.

Try also changing the time frame from twenty-four hours to the past thirty days, live. This will give you more interesting results in your widgets. Your dashboard will look something like the screenshot in Figure 8 here.

Conclusion

In this tutorial you learned how to create a repository and prepare it for data, and how to set up data shippers on your server to send log entries and metrics to Humio. You also learned a little more about searching a repository and how to save those search queries to widgets. You learned how to make a time chart widget and a table widget, as well as a note widget. And you learned the basics of how to arrange and modify a dashboard of widgets.

You now know how to get started with Humio, and have a good sense of what you can do with it. Of course, there are many more logging activities and server metrics you can monitor, and many more things you can do with Humio. For example, we didn’t talk about creating alerts, for when parameters are exceeded or events occur, to send you notifications by email or some other method. We also didn’t go into the various parsers available. There’s so much more.

Before investigating all of the possibilities, to solidify what you learned, we recommend you read through the Foundational Concepts of this Training section. And we recommend you experiment plenty more with your trial repository. Related to that, when you’re ready, contact us to make it a permanent Humio Cloud account. We can also help you to make it part of your production system.