Add Activity Dashboard and various benchmarks and detections

README.md

@@ -1,10 +1,14 @@
 # Apache Access Log Detections Mod for Powerpipe
 
-View dashboards, run detections and scan for anomalies across your Apache access logs.
+[Tailpipe](https://tailpipe.io) is an open-source CLI tool that allows you to collect logs and query them with SQL.
 
-<!-- 
-TODO: Insert images
--->
+The [Apache Access Log Detections Mod](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-apache-access-log-detections) contains pre-built dashboards and detections, which can be used to monitor and analyze activity across your Apache servers.
+
+Run detection benchmarks:
+![image](docs/images/apache_access_log_owasp_dashboard.png)
+
+View insights in dashboards:
+![image](docs/images/apache_access_log_activity_dashboard.png)
 
 ## Documentation
 
@@ -102,13 +106,12 @@ List available benchmarks:
 powerpipe benchmark list
 ```
 
-<!-- TODO: add a benchmark name and uncomment
 Run a benchmark:
 
 ```sh
-powerpipe benchmark run apache_access_log_detections.benchmark.
+powerpipe benchmark run apache_access_log_detections.benchmark.owasp_top_10
 ```
--->
+
 Different output formats are also available, for more information please see
 [Output Formats](https://powerpipe.io/docs/reference/cli/benchmark#output-formats).
 
@@ -126,4 +129,4 @@ Want to help but don't know where to start? Pick up one of the `help wanted` iss
 
 - [Powerpipe](https://github.com/turbot/powerpipe/labels/help%20wanted)
 - [Tailpipe](https://github.com/turbot/tailpipe/labels/help%20wanted)
-- [Apache Access Log Detections Mod](https://github.com/turbot/tailpipe-mod-apache-access-log-detections/labels/help%20wanted)
+- [Apache Access Log Detections Mod](https://github.com/turbot/tailpipe-mod-apache-access-log-detections/labels/help%20wanted)

dashboards/activity_dashboard.pp

@@ -0,0 +1,339 @@
+dashboard "activity_dashboard" {
+  title         = "Access Log Activity Dashboard"
+  documentation = file("./dashboards/docs/activity_dashboard.md")
+
+  tags = {
+    type    = "Dashboard"
+    service = "Apache/AccessLog"
+  }
+
+  container {
+    # Analysis
+    card {
+      query = query.activity_dashboard_total_logs
+      width = 2
+    }
+
+    card {
+      query = query.activity_dashboard_success_count
+      width = 2
+      type  = "ok"
+    }
+
+    card {
+      query = query.activity_dashboard_redirect_count
+      width = 2
+      type  = "info"
+    }
+
+    card {
+      query = query.activity_dashboard_bad_request_count
+      width = 2
+      type  = "alert"
+    }
+
+    card {
+      query = query.activity_dashboard_error_count
+      width = 2
+      type  = "alert"
+    }
+  }
+
+  container {
+
+    chart {
+      title = "Requests by Day"
+      query = query.activity_dashboard_requests_by_day
+      width = 6
+      type  = "line"
+    }
+
+    chart {
+      title = "Requests by HTTP Method"
+      query = query.activity_dashboard_requests_by_http_method
+      width = 6
+      type  = "bar"
+    }
+
+    chart {
+      title = "Requests by Status Code"
+      query = query.activity_dashboard_requests_by_status_code
+      width = 6
+      type  = "pie"
+    }
+
+    chart {
+      title = "Top 10 User Agents (Requests)"
+      query = query.activity_dashboard_requests_by_user_agent
+      width = 6
+      type  = "pie"
+    }
+
+    chart {
+      title = "Top 10 Clients (Requests)"
+      query = query.activity_dashboard_top_10_clients
+      width = 6
+      type  = "table"
+    }
+
+    chart {
+      title = "Top 10 URLs (Requests)"
+      query = query.activity_dashboard_top_10_urls
+      width = 6
+      type  = "table"
+    }
+
+    chart {
+      title = "Top 10 URLs (Successful Requests)"
+      query = query.activity_dashboard_requests_by_successful_requests
+      width = 6
+      type  = "table"
+    }
+
+    chart {
+      title = "Top 10 URLs (Errors)"
+      query = query.activity_dashboard_requests_by_errors
+      width = 6
+      type  = "table"
+    }
+  }
+
+}
+
+# Queries
+query "activity_dashboard_total_logs" {
+  title       = "Log Count"
+  description = "Count the total Apache log entries."
+
+  sql = <<-EOQ
+    select
+      count(*) as "Total Requests"
+    from
+      apache_access_log;
+  EOQ
+}
+
+query "activity_dashboard_success_count" {
+  title       = "Successful Request Count"
+  description = "Count of successful HTTP requests (status 2xx)."
+
+  sql = <<-EOQ
+    select
+      count(*) as "Successful (2xx)"
+    from
+      apache_access_log
+    where
+      status between 200 and 299;
+  EOQ
+}
+
+query "activity_dashboard_redirect_count" {
+  title       = "Redirect Request Count"
+  description = "Count of redirect HTTP requests (status 3xx)."
+
+  sql = <<-EOQ
+    select
+      count(*) as "Redirections (3xx)"
+    from
+      apache_access_log
+    where
+      status between 300 and 399;
+  EOQ
+}
+
+query "activity_dashboard_bad_request_count" {
+  title       = "Bad Request Count"
+  description = "Count of client error HTTP requests (status 4xx)."
+
+  sql = <<-EOQ
+    select
+      count(*) as "Bad Requests (4xx)"
+    from
+      apache_access_log
+    where
+      status between 400 and 499;
+  EOQ
+}
+
+query "activity_dashboard_error_count" {
+  title       = "Server Error Count"
+  description = "Count of server error HTTP requests (status 5xx)."
+
+  sql = <<-EOQ
+    select
+      count(*) as "Server Errors (5xx)"
+    from
+      apache_access_log
+    where
+      status between 500 and 599;
+  EOQ
+}
+
+query "activity_dashboard_top_10_clients" {
+  title       = "Top 10 Clients (Requests)"
+  description = "List the top 10 client IPs by request count."
+
+  sql = <<-EOQ
+    select
+      remote_addr as "Client IP",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    group by
+      remote_addr
+    order by
+      count(*) desc,
+      remote_addr
+    limit 10;
+  EOQ
+}
+
+query "activity_dashboard_top_10_urls" {
+  title       = "Top 10 URLs (Requests)"
+  description = "List the top 10 requested URLs by request count."
+
+  sql = <<-EOQ
+    select
+      request_uri as "URL",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    where
+      request_uri is not null
+    group by
+      request_uri
+    order by
+      count(*) desc,
+      request_uri
+    limit 10;
+  EOQ
+}
+
+query "activity_dashboard_requests_by_day" {
+  title       = "Requests by Day"
+  description = "Count of requests grouped by day."
+
+  sql = <<-EOQ
+    select
+      strftime(tp_timestamp, '%Y-%m-%d') as "Date",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    group by
+      strftime(tp_timestamp, '%Y-%m-%d')
+    order by
+      strftime(tp_timestamp, '%Y-%m-%d');
+  EOQ
+}
+
+query "activity_dashboard_requests_by_status_code" {
+  title       = "Requests by Status Code"
+  description = "Count of rqeuests grouped by status code."
+
+  sql = <<-EOQ
+    select
+      case
+        when status between 200 and 299 then '2xx Success'
+        when status between 300 and 399 then '3xx Redirect'
+        when status between 400 and 499 then '4xx Client Error'
+        when status between 500 and 599 then '5xx Server Error'
+        else 'Other'
+      end as "Status Category",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    where
+      status is not null
+    group by
+      "Status Category"
+    order by
+      "Status Category";
+  EOQ
+}
+
+query "activity_dashboard_requests_by_http_method" {
+  title       = "Requests by HTTP Method"
+  description = "Distribution of HTTP methods used in requests."
+
+  sql = <<-EOQ
+    select
+      request_method as "HTTP Method",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    where
+      request_method is not null
+    group by
+      request_method
+    order by
+      count(*) asc,
+      request_method;
+  EOQ
+}
+
+query "activity_dashboard_requests_by_successful_requests" {
+  title       = "Top 10 URLs (Successful Requests)"
+  description = "List the top 10 requested URLs by successful request count."
+
+  sql = <<-EOQ
+    select
+      request_uri as "Path",
+      count(*) as "Request Count",
+      string_agg(distinct status::text, ', ' order by status::text) as "Status Codes"
+    from
+      apache_access_log
+    where
+      status between 200 and 299
+      and request_uri is not null
+    group by
+      request_uri
+    order by
+      count(*) desc,
+      request_uri
+    limit 10;
+  EOQ
+}
+
+query "activity_dashboard_requests_by_errors" {
+  title       = "Top 10 URLs (Errors)"
+  description = "List the top 10 requested URLs by error count."
+
+  sql = <<-EOQ
+    select
+      request_uri as "Path",
+      count(*) as "Error Count",
+      string_agg(distinct status::text, ', ' order by status::text) as "Status Codes"
+    from
+      apache_access_log
+    where
+      status between 400 and 599
+      and request_uri is not null
+    group by
+      request_uri
+    order by
+      count(*) desc,
+      request_uri
+    limit 10;
+  EOQ
+}
+
+query "activity_dashboard_requests_by_user_agent" {
+  title       = "Top 10 User Agents (Requests)"
+  description = "Distribution of user agents in requests."
+
+  sql = <<-EOQ
+    select
+      http_user_agent as "User Agent",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    where
+      http_user_agent is not null
+    group by
+      http_user_agent
+    order by
+      count(*) desc,
+      http_user_agent
+    limit 10;
+  EOQ
+}

dashboards/docs/activity_dashboard.md

@@ -0,0 +1,11 @@
+This dashboard answers the following questions:
+
+- How many HTTP requests has the Apache server handled?
+- What is the distribution of HTTP status codes (success, redirect, client errors, server errors)?
+- What HTTP methods are being used most frequently?
+- How has request volume changed over time?
+- Which browsers and tools are accessing the server?
+- Which client IPs are generating the most traffic?
+- Which URIs are most frequently requested?
+- Which paths have the most successful requests?
+- Which paths are generating the most errors?