jertel / dmarc2logstash

Injects POP3-polled DMARC feedback reports into Elasticsearch via Logstash and Filebeat.
MIT License

Lost the setup, any idea of a good kibana dashboard? #6

Closed fribse closed 2 years ago

fribse commented 2 years ago

Hi @jertel

I'm still using your excellent work, unfortunately I had a crash and a bad backup, so I'm starting over on everything with DMARC. Do you know a good Kibana dashboard for the DMARC records?

jertel commented 2 years ago

Here's a Timelion query that might help get you started:

.es(q='_index:dmarc-* AND NOT ((auth_dkim_result.keyword:pass AND policy_dkim.keyword:pass) OR (auth_spf_result.keyword:pass AND policy_spf.keyword:pass))',metric=sum:count).label('Fail').color(#4455ff).yaxis(2,min=0).lines(fill=1,width=3),
.es(q='_index:dmarc-* AND ((auth_dkim_result.keyword:pass AND policy_dkim.keyword:pass) OR (auth_spf_result.keyword:pass AND policy_spf.keyword:pass))',metric=sum:count).label('Pass').color(#44ee66).yaxis(2,min=0).lines(fill=1,width=5),
.es(q='_index:dmarc-* AND NOT ((auth_dkim_result.keyword:pass AND policy_dkim.keyword:pass) OR (auth_spf_result.keyword:pass AND policy_spf.keyword:pass))',metric=sum:count).divide(.es(q='_index:dmarc-*',metric=sum:count)).label('Failure Rate').color(orange).yaxis(units=percent,min=0,max=1).points(radius=10,fill=7)
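The pass/fail split that the Timelion expression above encodes, re-implemented in plain Python as an added example (not code from the dmarc2logstash project or from this thread), so the grouping logic can be checked against records with known outcomes before trusting the dashboard. A record is a DMARC pass when it has an aligned DKIM pass (auth_dkim_result and policy_dkim both "pass") or an aligned SPF pass (auth_spf_result and policy_spf both "pass"); everything else is a fail, and totals are weighted by each record's `count` field, which is why the query sums `count` instead of counting documents. The field names come from the query; `source_ip` is an assumed field used only for the per-source breakdown, and the sample records are constructed.

```python
# Added example: not code from dmarc2logstash or from this issue thread.
# Re-implements, in plain Python, the pass/fail split that the Timelion
# expression computes over dmarc2logstash documents.
#
# A DMARC record counts as "pass" when it has an aligned DKIM pass
# (auth_dkim_result == "pass" and policy_dkim == "pass") OR an aligned SPF pass
# (auth_spf_result == "pass" and policy_spf == "pass"); anything else is "fail".
# Every record carries a `count` of messages, so totals are weighted by that
# field rather than by the number of documents.
#
# Field names auth_dkim_result, policy_dkim, auth_spf_result, policy_spf and
# count come from the Timelion query. `source_ip` is an ASSUMED field used only
# for the per-source breakdown. All records below are constructed sample data.
from collections import defaultdict

SAMPLE_RECORDS = [
    # Fully aligned: both DKIM and SPF pass and align with the From domain.
    {"source_ip": "192.0.2.10", "auth_dkim_result": "pass", "policy_dkim": "pass",
     "auth_spf_result": "pass", "policy_spf": "pass", "count": 10},
    # DKIM fails (unsigned or broken signature) but aligned SPF passes:
    # still a DMARC pass, since one aligned mechanism is enough.
    {"source_ip": "192.0.2.10", "auth_dkim_result": "fail", "policy_dkim": "fail",
     "auth_spf_result": "pass", "policy_spf": "pass", "count": 5},
    # DKIM verifies but the signing domain is not aligned (e.g. a third-party
    # sender), and SPF fails: DMARC fail.
    {"source_ip": "198.51.100.7", "auth_dkim_result": "pass", "policy_dkim": "fail",
     "auth_spf_result": "fail", "policy_spf": "fail", "count": 3},
    # SPF passes for the envelope sender but is not aligned (typical of
    # forwarding or mailing lists), no usable DKIM: DMARC fail.
    {"source_ip": "198.51.100.7", "auth_dkim_result": "fail", "policy_dkim": "fail",
     "auth_spf_result": "pass", "policy_spf": "fail", "count": 7},
    # Record with the DKIM fields missing entirely: must not be treated as pass.
    {"source_ip": "203.0.113.5", "auth_spf_result": "fail", "policy_spf": "fail",
     "count": 2},
]


def is_dmarc_pass(rec):
    """True when at least one aligned authentication mechanism passed.

    Missing fields count as non-passing, mirroring the Timelion query, where a
    document without the field cannot match `field.keyword:pass`.
    """
    dkim_aligned = rec.get("auth_dkim_result") == "pass" and rec.get("policy_dkim") == "pass"
    spf_aligned = rec.get("auth_spf_result") == "pass" and rec.get("policy_spf") == "pass"
    return dkim_aligned or spf_aligned


def summarize(records):
    """Message-weighted pass/fail totals and failure rate (fail / all messages)."""
    passed = sum(r.get("count", 0) for r in records if is_dmarc_pass(r))
    failed = sum(r.get("count", 0) for r in records if not is_dmarc_pass(r))
    total = passed + failed
    return {
        "pass": passed,
        "fail": failed,
        "total": total,
        # Guard against an empty time window, which a divide() would render as NaN.
        "failure_rate": (failed / total) if total else 0.0,
    }


def failures_by_source(records):
    """Failed message counts keyed by source_ip (assumed field), largest first.

    This is the breakdown an operator wants next: whether failures come from a
    few legitimate-but-misconfigured senders or from many unrelated sources.
    """
    totals = defaultdict(int)
    for r in records:
        if not is_dmarc_pass(r):
            totals[r.get("source_ip", "unknown")] += r.get("count", 0)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    s = summarize(SAMPLE_RECORDS)
    print(f"pass={s['pass']} fail={s['fail']} failure_rate={s['failure_rate']:.1%}")
    for ip, n in failures_by_source(SAMPLE_RECORDS).items():
        print(f"  {ip}: {n} failed messages")
```

The two fail cases in the sample data (DKIM verified but unaligned, SPF passed but unaligned) are the ones a per-mechanism chart hides: each mechanism looks healthy on its own, yet the message fails DMARC because neither result aligns with the From domain, which is exactly why the query checks the `auth_*` and `policy_*` fields together.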