Splunk Dashboards
I created these dashboards for Splunk to detect some attacks:
Apache Error Log Monitoring Dashboard
Path Traversal Attempts
SSH Brute Force Attack Dashboard

Apache Error Log Monitoring Dashboard
Monitors Apache error logs for potential security events and path traversal attempts

Amount Of Errors Over Time
source="/var/log/apache2/error.log" sourcetype="apache_error"
| eval mytime=strftime(_time,"%Y-%m-%d %H:%M")
| stats count as error_count by mytime
| sort -error_count
Time range: -24h to now
Visualization: pie chart

Error Activity Over Time
source="/var/log/apache2/error.log" sourcetype="apache_error"
| timechart span=5m count by host
Time range: -24h to now
Visualization: line chart

Path Traversal Attempts
source="/var/log/apache2/error.log" sourcetype="apache_error" "AH00126: Invalid URI" OR "/../" OR ".." OR "%2E%2E"
| rex field=_raw "GET (?<request_path>[^ ]+) HTTP"
| table _time client request_path
| sort -_time
Time range: -24h to now
Visualization: table

Admin Page Probing
source="/var/log/apache2/error.log" sourcetype="apache_error" "admin" OR "administrator" OR "login" OR "cp" OR "controlpanel"
| rex field=_raw "script '(?<requested_script>[^']+)'"
| stats count by requested_script
| sort -count
Time range: -24h to now
Visualization: bar chart

Top Client IPs
source="/var/log/apache2/error.log" sourcetype="apache_error"
| rex field=_raw "\[client (?<client_ip>[^\:]+)\:\d+\]"
| stats count by client_ip
| sort -count
Time range: -24h to now
Visualization: column chart

Process IDs with Errors
source="/var/log/apache2/error.log" sourcetype="apache_error"
| rex field=_raw "\[pid (?<process_id>\d+)\]"
| stats count by process_id
| sort -count
Time range: -24h to now
Visualization: pie chart

Recent Critical Events
source="/var/log/apache2/error.log" sourcetype="apache_error" "Invalid URI" OR "/etc/shadow" OR "/etc/passwd" OR "../" OR "%2E%2E" OR "/.."
| rex field=_raw "GET (?<request_path>[^ ]+)"
| rex field=_raw "\[client (?<client_ip>[^\:]+)\:\d+\]"
| table _time client_ip request_path
| sort -_time
Time range: -24h to now
Visualization: table, 10 rows

Search for Suspicious Activity
Input: text field "Search Term", token $search_term$, default value shadow
source="/var/log/apache2/error.log" sourcetype="apache_error" "$search_term$"
| table _time _raw
| sort -_time
Time range: -24h to now
Visualization: table, 5 rows

Path Traversal Attempts

Top Missing Scripts
index=main sourcetype=apache_error "not found or unable to stat"
| rex field=_raw "script '(?<script_path>[^']+)' not found"
| stats count by script_path
| sort -count
Visualization: bar chart

Path Traversal Attempts
index=main sourcetype=apache_error "Invalid URI"
| regex _raw="(\.\./){2,}"
| stats count by host, source, _time
| sort -_time
Visualization: column chart

Recent PHP Errors
index=main sourcetype=apache_error "php7:error"
| rex field=_raw "script '(?<script>[^']+)' not found"
| table _time, script, client, host
Visualization: table, 10 rows

Uncommon Events
index=main sourcetype=apache_error
| rare _raw
| table _time, _raw
Visualization: table, 10 rows

SSH Brute Force Attack Dashboard
Monitor and detect SSH brute force activities in real time
SSH Login Attempts Over Time
index=* sourcetype="auth"
| search "ssh*" AND ("Failed password" OR "authentication failure" OR "Invalid user")
| bucket span=1m _time
| stats count as login_attempts by _time
Time range: -24h@h to now
Visualization: line chart

Top Attacking IPs
index=* sourcetype="auth"
| search "ssh*" AND ("Failed password" OR "authentication failure" OR "Invalid user")
| eval src_ip=coalesce(src_ip, source_ip, src, clientip, rhost)
| stats count by src_ip
| sort -count
| head 10
Time range: -24h@h to now
Visualization: bar chart

Top Targeted Usernames
index=* sourcetype="auth"
| search "ssh*" AND ("Failed password" OR "authentication failure" OR "Invalid user")
| rex field=_raw "(?:for|user)\s+(?:invalid user\s+)?(?<user>\w+)"
| stats count by user
| sort -count
| head 10
Time range: -24h@h to now

Success vs Failure Attempts
index="*" sourcetype="auth" "ssh*"
| eval status=case(
like(_raw, "%Accepted password%"), "Success",
like(_raw, "%Failed password%") OR like(_raw, "%authentication failure%") OR like(_raw, "%Invalid user%"), "Failure"
)
| stats count by status
Time range: -24h@h to now

Detailed SSH Brute Force Attempts
index=* sourcetype="auth"
| search "ssh*" AND ("Failed password" OR "authentication failure" OR "Invalid user")
| rex field=_raw "(?:for|user)\s+(?:invalid user\s+)?(?<user>\w+)"
| eval src_ip=coalesce(src_ip, source_ip, src, clientip, rhost)
| table _time, src_ip, user, host, _raw
Time range: -24h@h to now
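As an added check that is not part of the dashboards themselves, the Python example below applies the SSH panels' failure filter and user-extraction rex pattern to constructed sshd log lines, counts failures per source address and per minute the way the Top Attacking IPs and SSH Login Attempts Over Time panels do, and shows that the pam_unix `user=` form yields no user from that pattern. The `from`/`rhost=` source-address regex is an assumption standing in for the coalesce() over Splunk-extracted fields.

```python
import re
from collections import Counter

# Same pattern as the dashboards' rex command, in Python named-group syntax.
USER_RE = re.compile(r"(?:for|user)\s+(?:invalid user\s+)?(?P<user>\w+)")
# Stand-in for the dashboards' coalesce() over Splunk-extracted fields (assumption):
# sshd logs "from <ip>", pam_unix logs "rhost=<ip>".
SRC_RE = re.compile(r"(?:from|rhost=)\s*(?P<src>[0-9a-fA-F:.]+)")
# Syslog timestamp truncated to the minute, standing in for bucket span=1m _time.
MINUTE_RE = re.compile(r"^(?P<minute>\w{3}\s+\d+\s+\d\d:\d\d)")
FAILURE_MARKERS = ("Failed password", "authentication failure", "Invalid user")

# Constructed sample lines in the usual syslog/sshd format (not real traffic).
SAMPLE_LOG = """\
Mar  1 10:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  1 10:00:02 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar  1 10:00:03 host1 sshd[2003]: Invalid user oracle from 203.0.113.7 port 40003
Mar  1 10:00:04 host1 sshd[2004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
Mar  1 10:01:05 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 40006 ssh2
Mar  1 10:01:06 host1 sshd[2006]: Accepted password for alice from 192.0.2.10 port 40007 ssh2
"""

def is_failure(line):
    """Mirrors the dashboards' filter: ssh* AND (Failed password OR authentication failure OR Invalid user)."""
    return "ssh" in line and any(marker in line for marker in FAILURE_MARKERS)

def extract_user(line):
    m = USER_RE.search(line)
    return m.group("user") if m else None

def extract_src(line):
    m = SRC_RE.search(line)
    return m.group("src") if m else None

def failures(log_text):
    return [line for line in log_text.splitlines() if is_failure(line)]

def top_attacking_ips(log_text):
    """Failure count per source address, as in the Top Attacking IPs panel."""
    return Counter(extract_src(line) for line in failures(log_text))

def targeted_users(log_text):
    """User per failure line; None where the rex pattern finds nothing (pam_unix user= form)."""
    return [extract_user(line) for line in failures(log_text)]

def attempts_per_minute(log_text):
    """Failures per minute bucket, as in the SSH Login Attempts Over Time panel."""
    return Counter(MINUTE_RE.match(line).group("minute") for line in failures(log_text))
```

The None in the targeted-users result is the pam_unix line: its `user=root` has no whitespace after `user`, so the dashboard's Top Targeted Usernames panel silently drops such events.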