Making the most of Elasticsearch visualization in Grafana with the Table panel

In this document we are going to make the most of visualizing the data that our Elasticsearch collects, viewing it, as you would expect, in Grafana. In future posts we will cover other types of visualization that are very useful for understanding what is happening on our network; today it is the turn of the Table format.

The idea is that in Elasticsearch we are storing interesting data from our network. We particularly use it as a collector for different kinds of records and logs: from a firewall, from an Apache, from an IIS, from Suricata, Windows events, and so on.

If you want some ideas: in this document we saw how to install Suricata, a very complete open source IDS and IPS; in this other document we saw how to install Filebeat on Suricata to forward and collect its logs in our Elasticsearch, and we also saw a couple of generic visualizations with Grafana. In this other document we saw how to collect Windows metrics, and in this other one how to collect the events from the Event Viewer. We will soon have more documents on how to collect Fortigate logs, Active Directory logs, MySQL, SQL Server…

Well, and why do we want a table? To build our own custom tables with the fields we are interested in seeing, the same as we can visualize in Kibana's Discover with Lucene-type queries, but in Grafana: simplifying certain data that a colleague needs, colouring values, and so on.

A table we can use to consult (historical or real-time, as you prefer) who connects to whom on our network, to view connections, network traffic, events…

The problem is that in Grafana 7.x the Table panel no longer has the “Table Transform” option that lets us choose the fields we want to view, which worked perfectly well in Grafana 5.x and 6.x. Now we have to resort to a small hack: we create a new panel in a Dashboard, and:

1. Select “Table” as the visualization,

2. Choose the DataSource (Elastic-Filebeat in my case)

  • Query: enter the query you want to display; in my example, all the Apache logs from my host GOD: “event.module:apache AND host.hostname: god”
  • Metric: Select “Raw Document”

And we apply the changes with “Apply”.

Select the panel we just created > “Inspect” > “Panel JSON”. And there:

  • Find: “type”: “table”,
  • We replace it with: “type”: “table-old”,

And we apply the changes again with “Apply”.

Now, under “Options”, we have the “Table Transformation” section: select “JSON Data” and then, one by one, each field we want to visualize. In addition, under “Column Styles” we can rename each column, set its formatting, and colour values.
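The same edit, done programmatically, as an added example (a hypothetical helper, not code from the blog or from Grafana): it takes the Panel JSON copied from “Inspect” > “Panel JSON”, switches the type from “table” to “table-old”, and pre-fills the “JSON Data” transform and column styles so the fields do not have to be picked by hand. It assumes the legacy table panel's `transform`, `columns` and `styles` keys (Grafana's old table panel schema), a constructed sample panel built from the post's query, and ECS field names as produced by the Filebeat Apache module; it also refuses to convert a panel whose targets do not use the “Raw Document” metric, since the JSON Data transform only works on raw documents.

```python
"""Rewrite a Grafana 7.x Table panel JSON into the legacy "table-old" panel
with the "JSON Data" transform and a chosen column list.
Hypothetical helper written for this post; not Grafana's own tooling."""
import copy
import json

# Constructed sample: the Panel JSON Grafana 7.x produces for a "Table" panel
# whose Elasticsearch target uses the query from the post and the
# "Raw Document" metric. Only the keys relevant to this procedure are included.
SAMPLE_PANEL = {
    "id": 2,
    "title": "Apache logs from GOD",
    "type": "table",
    "datasource": "Elastic-Filebeat",
    "targets": [{
        "refId": "A",
        "query": "event.module:apache AND host.hostname: god",
        "metrics": [{"id": "1", "type": "raw_document", "settings": {"size": "500"}}],
        "bucketAggs": [],
        "timeField": "@timestamp",
    }],
}
SAMPLE_PANEL_JSON = json.dumps(SAMPLE_PANEL)


def uses_raw_document(panel):
    """The JSON Data transform only works on raw documents, so every target
    must carry the Raw Document metric (Elasticsearch metric type "raw_document")."""
    targets = panel.get("targets", [])
    return bool(targets) and all(
        any(m.get("type") == "raw_document" for m in t.get("metrics", []))
        for t in targets
    )


def convert_to_table_old(panel, fields, aliases=None):
    """Return a copy of `panel` as a legacy table showing only `fields`.

    `fields` are Elasticsearch document field names (e.g. "source.ip");
    `aliases` optionally maps a field to the column header to display.
    The input panel is left untouched.
    """
    if not uses_raw_document(panel):
        raise ValueError("every target must use the Raw Document metric")
    aliases = aliases or {}
    new = copy.deepcopy(panel)
    new["type"] = "table-old"             # the manual edit from the post
    new["transform"] = "json"             # "Table Transformation" -> "JSON Data"
    new["columns"] = [{"text": f, "value": f} for f in fields]
    # "Column Styles": rename each chosen column; anything else stays a plain string
    new["styles"] = [
        {"pattern": f, "alias": aliases.get(f, f), "type": "string"} for f in fields
    ] + [{"pattern": "/.*/", "type": "string"}]
    return new


def convert_panel_json(text, fields, aliases=None):
    """Same conversion on the JSON text copied from Inspect > Panel JSON;
    the result can be pasted back into the same dialog."""
    return json.dumps(convert_to_table_old(json.loads(text), fields, aliases), indent=2)


if __name__ == "__main__":
    # ECS field names assumed from the Filebeat Apache module
    print(convert_panel_json(
        SAMPLE_PANEL_JSON,
        ["@timestamp", "source.ip", "url.original", "http.response.status_code"],
        {"source.ip": "Client IP"},
    ))
```

Paste the printed JSON back into “Panel JSON” and apply; the panel then opens directly with the chosen columns, and the original “table” panel can be restored by pasting the unmodified JSON.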

The other nice thing is that we can filter on the data shown in the same table: clicking a value filters on it, and at the top left there is a field where we can apply filters to the visualized data if we are interested. In this example I used “source.ip” and an IP whose connections I want to inspect; what we see here are Apache logs.

And that's it: we have a table with the fields and filters we are interested in, with the data auto-refreshing.

Author

nheobug@bujarra.com
Author of the Bujarra.com blog. Whatever you need, do not hesitate to contact me; I will try to help you whenever I can. Sharing is living ;) . Enjoy the documents!!!