Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
150 lines (149 sloc) 6.86 KB
<?xml version="1.0" encoding="utf-8"?><form>
<label>Access Control Lists</label>
<search id="check_multi_tenancy">
<query>| `check_multi_tenancy`</query>
<done>
<condition match="$job.resultCount$ != 0">
<set token="multi_tenancy">true</set>
</condition>
<condition>
<unset token="multi_tenancy"></unset>
</condition>
</done>
</search>
<search id="baseSearch_acl">
<query>eventtype=cisco_ios-acl_log index IN ($tenant_indexes$) | strcat protocol "://" dest_port protoDestPort</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<fieldset autoRun="true">
<input type="multiselect" token="tenant_indexes" depends="$multi_tenancy$">
<label>Tenant</label>
<fieldForLabel>tenant_name</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| `get_tenants_for_user_role($env:user$)`</query>
</search>
<default>*</default>
<delimiter>,</delimiter>
<choice value="*">All</choice>
</input>
<input type="time">
<default>Last 60 minutes</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>Protocols by action</title>
<search base="baseSearch_acl">
<query>
| chart sum(packets) over action BY protoDestPort
</query>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>Top blocked ports</title>
<search base="baseSearch_acl">
<query>search action=blocked | top protoDestPort</query>
</search>
<option name="charting.chart">pie</option>
</chart>
</panel>
<panel>
<chart>
<title>Top ACE Correlation Tags</title>
<search>
<!--
| pivot Cisco_IOS_Event Access_List_Event count(correlation_tag) AS "Count of correlation_tag" SPLITROW correlation_tag AS "correlation_tag" SORT 100 correlation_tag
-->
<query>
| tstats count(Cisco_IOS_Event.correlation_tag) AS "Count of correlation_tag" from datamodel=Cisco_IOS_Event where (nodename = Cisco_IOS_Event.Access_List_Event) Cisco_IOS_Event.index IN ($tenant_indexes$) groupby Cisco_IOS_Event.correlation_tag prestats=true | stats dedup_splitvals=t count(Cisco_IOS_Event.correlation_tag) AS "Count of correlation_tag" by Cisco_IOS_Event.correlation_tag | sort limit=100 Cisco_IOS_Event.correlation_tag | fields - _span | rename Cisco_IOS_Event.correlation_tag AS correlation_tag | fillnull "Count of correlation_tag" | fields correlation_tag, "Count of correlation_tag"
</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
<row>
<panel>
<map>
<title>Events by location</title>
<search base="baseSearch_acl">
<query>
search src_ip=* OR dest_ip=* | iplocation src_ip dest_ip | geostats sum(packets) by action
</query>
</search>
<option name="mapping.data.maxClusters">100</option>
<option name="mapping.drilldown">all</option>
<option name="mapping.map.center">(0,0)</option>
<option name="mapping.map.zoom">2</option>
<option name="mapping.markerLayer.markerMaxSize">50</option>
<option name="mapping.markerLayer.markerMinSize">10</option>
<option name="mapping.markerLayer.markerOpacity">0.8</option>
<option name="mapping.tileLayer.maxZoom">7</option>
<option name="mapping.tileLayer.minZoom">0</option>
<option name="drilldown">all</option>
</map>
</panel>
<panel>
<chart>
<title>Dropped or rate-limited packets</title>
<search>
<!--
| pivot Cisco_IOS_Event Cisco_IOS_Event sum(packets) AS "Dropped or rate-limited packets" SPLITROW _time AS _time PERIOD auto SPLITCOL host FILTER mnemonic is IPACCESSLOGRL SORT 100 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 10 SHOWOTHER 1
-->
<query>
| tstats sum(Cisco_IOS_Event.packets) AS "Dropped or rate-limited packets" from datamodel=Cisco_IOS_Event where (nodename = Cisco_IOS_Event) (Cisco_IOS_Event.mnemonic=IPACCESSLOGRL) Cisco_IOS_Event.index IN ($tenant_indexes$) groupby _time host prestats=true | eval host='host', _time='_time' | timechart dedup_splitvals=t limit=10 useother=t sum(Cisco_IOS_Event.packets) AS "Dropped or rate-limited packets" by host format=$$VAL$$:::$$AGG$$ | sort limit=100 _time | fields _time *
</query>
</search>
<option name="charting.chart">area</option>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>
eventtype="cisco_ios-acl_log" index IN ($tenant_indexes$) NOT [inputlookup cisco_ios_acl_excluded_ips | fields src_ip] | table _time,host,rule,action,transport,src_ip,src_port,dest_ip,dest_port,correlation_tag
</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<title>Access Control List logs (excluding hits from local management IPs)</title>
<option name="count">20</option>
<option name="rowNumbers">true</option>
</table>
</panel>
</row>
</form>
You can’t perform that action at this time.