I created these dashboards for Splunk to detect some attacks:

Apache Error Log Monitoring Dashboard

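<form version="1.1" theme="dark">
  <label>Apache Error Log Monitoring Dashboard</label>
  <description>Monitors Apache error logs for potential security events and path traversal attempts</description>
  <!-- Coverage note: error.log only records requests that Apache rejected or failed to serve.
       A request that was answered normally shows up only in the access log, so pair these
       panels with an access-log view before concluding that nothing happened. -->
  <fieldset submitButton="false" autoRun="true"></fieldset>
  <row>
    <panel>
      <title>Amount Of Errors Over Time</title>
      <chart>
        <!-- Counts error events per minute and lists the busiest minutes first. -->
        <search>
          <query><![CDATA[
source="/var/log/apache2/error.log" sourcetype="apache_error"
| eval mytime=strftime(_time,"%Y-%m-%d %H:%M")
| stats count as error_count by mytime
| sort -error_count
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <title>Error Activity Over Time</title>
      <chart>
        <!-- Five-minute error volume per host; a sudden step usually means scanning or a broken deploy. -->
        <search>
          <query><![CDATA[
source="/var/log/apache2/error.log" sourcetype="apache_error"
| timechart span=5m count by host
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Path Traversal Attempts</title>
      <table>
        <!-- Changes from the original query:
             * the OR terms are grouped explicitly so the source/sourcetype filter always applies;
             * the request path is extracted for any common HTTP method, not only GET;
             * the client address is extracted here (the original tabled a "client" field that
               nothing in the query produced) and the pattern tolerates IPv6 addresses.
             Only the literal and %2E%2E spellings are matched; other encodings of the same
             sequence need additional terms. -->
        <search>
          <query><![CDATA[
source="/var/log/apache2/error.log" sourcetype="apache_error" ("AH00126: Invalid URI" OR "/../" OR ".." OR "%2E%2E")
| rex field=_raw "(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (?<request_path>[^ ]+) HTTP"
| rex field=_raw "\[client (?<client_ip>\S+):(?<client_port>\d+)\]"
| table _time client_ip request_path
| sort -_time
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Admin Page Probing</title>
      <chart>
        <!-- Counts the script paths named in matching error lines. Events without a
             "script '...'" fragment have no requested_script and drop out of the stats. -->
        <search>
          <query><![CDATA[
source="/var/log/apache2/error.log" sourcetype="apache_error" ("admin" OR "administrator" OR "login" OR "cp" OR "controlpanel")
| rex field=_raw "script '(?<requested_script>[^']+)'"
| stats count by requested_script
| sort -count
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top Client IPs</title>
      <chart>
        <!-- The address pattern is greedy up to the last colon so IPv6 clients
             (whose addresses contain colons) are counted instead of silently dropped. -->
        <search>
          <query><![CDATA[
source="/var/log/apache2/error.log" sourcetype="apache_error"
| rex field=_raw "\[client (?<client_ip>\S+):(?<client_port>\d+)\]"
| stats count by client_ip
| sort -count
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <title>Process IDs with Errors</title>
      <chart>
        <!-- The closing bracket is no longer required right after the digits, so both
             "[pid 1234]" and "[pid 1234:tid 5678]" log prefixes are matched. -->
        <search>
          <query><![CDATA[
source="/var/log/apache2/error.log" sourcetype="apache_error"
| rex field=_raw "\[pid (?<process_id>\d+)"
| stats count by process_id
| sort -count
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Recent Critical Events</title>
      <table>
        <!-- Latest events that mention sensitive files or traversal sequences.
             The request path is extracted for any common HTTP method, and the
             client pattern tolerates IPv6 addresses. -->
        <search>
          <query><![CDATA[
source="/var/log/apache2/error.log" sourcetype="apache_error" ("Invalid URI" OR "/etc/shadow" OR "/etc/passwd" OR "../" OR "%2E%2E" OR "/..")
| rex field=_raw "(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (?<request_path>[^ ]+)"
| rex field=_raw "\[client (?<client_ip>\S+):(?<client_port>\d+)\]"
| table _time client_ip request_path
| sort -_time
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Search for Suspicious Activity</title>
      <input type="text" token="search_term" searchWhenChanged="true">
        <label>Search Term</label>
        <default>shadow</default>
      </input>
      <table>
        <!-- The token is inserted with the |s filter, which quotes the value and escapes
             embedded quotes. The original wrapped the raw token in literal quotes, so a
             typed double quote could end the string and append further search commands. -->
        <search>
          <query><![CDATA[
source="/var/log/apache2/error.log" sourcetype="apache_error" $search_term|s$
| table _time _raw
| sort -_time
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">5</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>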

Path Traversal Attempts

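<dashboard version="1.1" theme="dark">
  <label>Path Traversal Attempts</label>
  <!-- The original panels set no time bounds, so their range came from whatever default
       applied. Each search is now limited to the last 24 hours, matching the Apache error
       log dashboard; widen it deliberately when hunting further back. -->
  <row>
    <panel>
      <title>Top Missing Scripts</title>
      <chart>
        <!-- Script paths Apache could not find, most requested first. A long tail of
             distinct paths from few clients is typical of content discovery. -->
        <search>
          <query><![CDATA[
index=main sourcetype=apache_error "not found or unable to stat"
| rex field=_raw "script '(?<script_path>[^']+)' not found"
| stats count by script_path
| sort -count
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">250</option>
      </chart>
    </panel>
    <panel>
      <title>Path Traversal Attempts</title>
      <chart>
        <!-- The original grouped by the raw _time of each event, which yields one row per
             event with count=1. Events are now bucketed into five-minute columns per host.
             The regex only matches two or more literal "../" in a row; encoded forms are
             not covered by this panel. -->
        <search>
          <query><![CDATA[
index=main sourcetype=apache_error "Invalid URI"
| regex _raw="(\.\./){2,}"
| timechart span=5m count by host
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="height">250</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Recent PHP Errors</title>
      <table>
        <!-- The original tabled a "client" field that nothing in the query produced.
             The client address is now extracted from the "[client ADDRESS:PORT]" prefix. -->
        <search>
          <query><![CDATA[
index=main sourcetype=apache_error "php7:error"
| rex field=_raw "script '(?<script>[^']+)' not found"
| rex field=_raw "\[client (?<client_ip>\S+):(?<client_port>\d+)\]"
| table _time, script, client_ip, host
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <title>Uncommon Events</title>
      <table>
        <!-- "rare _raw" discards _time, and raw lines that carry a timestamp and pid are
             almost all unique, so the original table had an empty time column and no real
             ranking. Events are clustered by text similarity instead and the smallest
             clusters are listed first, with one sample event and its time per cluster. -->
        <search>
          <query><![CDATA[
index=main sourcetype=apache_error
| cluster showcount=true
| sort cluster_count
| table _time, cluster_count, _raw
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>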

SSH Brute Force Attack Dashboard

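<dashboard version="1.1" theme="light">
  <label>SSH Brute Force Attack Dashboard</label>
  <description>Monitor and detect SSH brute force activities in real time</description>
  <!-- Notes that apply to every panel:
       * index=* scans every index the viewer can read; replace it with the index that
         holds the auth logs once that is known.
       * The keyword filter is part of the base search rather than a later "| search",
         which reads the same and keeps the filter next to the data selection.
       * One failed login can write several matching lines (for example "Invalid user"
         and "Failed password for invalid user"), so counts are log lines, not attempts. -->
  <row>
    <panel>
      <title>SSH Login Attempts Over Time</title>
      <chart>
        <!-- Failed-login log lines per minute. -->
        <search>
          <query><![CDATA[
index=* sourcetype="auth" "ssh*" ("Failed password" OR "authentication failure" OR "Invalid user")
| bucket span=1m _time
| stats count as login_attempts by _time
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>

    <panel>
      <title>Top Attacking IPs</title>
      <chart>
        <!-- The coalesce relies on a source-address field already extracted for the
             sourcetype. When none exists the panel would be empty, so the address is
             also parsed from sshd lines of the form "from ADDRESS port N" as a fallback. -->
        <search>
          <query><![CDATA[
index=* sourcetype="auth" "ssh*" ("Failed password" OR "authentication failure" OR "Invalid user")
| rex field=_raw "\bfrom (?<raw_src_ip>\S+) port \d+"
| eval src_ip=coalesce(src_ip, source_ip, src, clientip, rhost, raw_src_ip)
| stats count by src_ip
| sort -count
| head 10
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>Top Targeted Usernames</title>
      <chart>
        <!-- The username is captured up to the next space instead of with \w+, so names
             containing "-", "." or similar characters are not truncated. Lines that carry
             the name only as "user=NAME" are not matched and drop out of the count. -->
        <search>
          <query><![CDATA[
index=* sourcetype="auth" "ssh*" ("Failed password" OR "authentication failure" OR "Invalid user")
| rex field=_raw "\b(?:for|user)\s+(?:invalid user\s+)?(?<user>\S+)"
| stats count by user
| sort -count
| head 10
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>

    <panel>
      <title>Success vs Failure Attempts</title>
      <chart>
        <!-- The original counted only "Accepted password" as success, so key-based and
             keyboard-interactive logins were left out of the ratio. Events that match
             neither branch get no status and are excluded by the stats. A success that
             follows a burst of failures from the same source deserves a closer look. -->
        <search>
          <query><![CDATA[
index="*" sourcetype="auth" "ssh*"
| eval status=case(
    like(_raw, "%Accepted password%") OR like(_raw, "%Accepted publickey%") OR like(_raw, "%Accepted keyboard-interactive%"), "Success",
    like(_raw, "%Failed password%") OR like(_raw, "%authentication failure%") OR like(_raw, "%Invalid user%"), "Failure"
)
| stats count by status
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>Detailed SSH Brute Force Attempts</title>
      <table>
        <!-- Raw failed-login lines with the parsed user and source address. The same
             username and address extraction as the summary panels is used so the rows
             line up with the charts above. -->
        <search>
          <query><![CDATA[
index=* sourcetype="auth" "ssh*" ("Failed password" OR "authentication failure" OR "Invalid user")
| rex field=_raw "\b(?:for|user)\s+(?:invalid user\s+)?(?<user>\S+)"
| rex field=_raw "\bfrom (?<raw_src_ip>\S+) port \d+"
| eval src_ip=coalesce(src_ip, source_ip, src, clientip, rhost, raw_src_ip)
| table _time, src_ip, user, host, _raw
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>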