Creating a dashboard with quick info for all the agents


Todor Dimitrov

Nov 19, 2024, 10:34:54 AM
to Wazuh | Mailing List
Hello professionals, 

Hypothetically, let's say I have configured 2 agents to collect the same info like hardware resource usage, free space, etc. Is it possible to create a common dashboard with info from all the agents aggregated into a single Pie graph - let's say one Pie graph for available space with info from all agents, a separate Pie with RAM usage and so on? Is it possible to accomplish this through Wazuh 4.9 alone without any extra integrations? Thank you for your time.

Regards, 

Todor

Javier Medeot

Nov 19, 2024, 11:40:56 AM
to Wazuh | Mailing List
Hello Todor.

Yes, it's possible. You would create a custom dashboard for this and configure pie charts in it that are common for all the agents. The Wazuh indexer aggregates information already from different agents into indices such as the wazuh-alerts-* indices. Your charts in the Wazuh dashboard would then display the resource usage and free space information aggregated from all the agents in a specific way such as the sum of the values.

For implementing this, you'll be using the following features of Wazuh 4.9 alone without requiring any integrations. You would only need to add specific configurations to achieve the customization.
Let me know if this is what you needed to know and what else you need about this. Thank you.

Javier

Todor Dimitrov

Nov 20, 2024, 5:15:25 AM
to Wazuh | Mailing List
Hello Javier, 

Would you be able to help me get a Pie chart to work for 2 agents that I have the Windows Resource counters configured for? I just can't figure out how to set it up so I can see the CPU utilization of both machines on one Pie chart. I have another question as well: Is it possible to have a line chart of both machines at the same time and have the Date Histogram option so I can see the progressive CPU utilization of both machines on one line chart? And last question: Can you help me create a Pie chart that has all the Windows Counters at once for a single agent? I apologize for all the questions but these are just multiple options to accomplish what I need to visualize. Would you be able to help me with any of these? I will attach some screenshots for reference of how I tried to do the custom visualization. Thank you for your time.

Regards, 

Todor

Screenshot 2024-11-20 121333.png

Javier Medeot

Nov 20, 2024, 8:48:51 AM
to Wazuh | Mailing List

Hi Todor.

For a single Pie chart displaying values of different agents together you need to use the Terms aggregation in a Split slice Buckets. Choose agent.name as the Field for grouping your data by agent name. In Metrics, choose data.winCounter.CookedValue for the Field and use Top Hit for the aggregation. Sort by timestamp descending so the metric uses the most recent value. Add a filter for rule.id corresponding to the metric you want to aggregate, for example 302000 for available memory or 302003 for free disk space. This should allow you to visualize the most recent usage value of both agents in a single pie chart. However, a pie chart for aggregating CPU utilization of both agents doesn't seem useful since the metric is a percentage. Tell me if I'm missing something here about what you need.

For a line chart you can use a second Buckets with Split series using a Terms aggregation and choosing agent.name again.

And I'm not sure I understand about a pie chart with all Windows counters at once for a single agent. Again, it doesn't seem useful to aggregate percentages with megabytes and so on.

Let me know if this is helpful and what additional information you can share. Maybe you can explain further your monitoring needs and we can see a way to assist. Thank you.

Todor Dimitrov

Nov 20, 2024, 10:46:30 AM
to Wazuh | Mailing List
Hi Javier, 

Thank you very much for the information. The reason I needed it is because my boss wanted to be able to see all the parameters in an aggregated form and not a line chart for quick reference, but I understand what you mean and I will be sure to tell him that it's not a good practice to mix different values so we can just leave the CPU out for now. What I've already done is create a separate dashboard with line charts for all the counters and I just filter the agent.name and it just shows me all the info for that one agent. Basically that is what I want to be able to do with the Pie graph - I would like to have all the counters present in the pie chart and when I filter the agent.name to see info only for that one agent. I'm sorry if I confused you by the way I explained it. I will attach some screenshots so you know what I mean. I understood the instructions about the Pie chart but is it possible to do it the other way around so when I filter the agent.name I get the counters for that single agent and nothing else? I will use the first variant as well in the future because it is a useful way to find out critical info about all the agents we have in one chart.

Regards, 

Todor

Screenshot 2024-11-20 174505.png
Screenshot 2024-11-20 172016.png

Javier Medeot

Nov 20, 2024, 1:20:29 PM
to Wazuh | Mailing List
Ok, I see, Todor.

Maybe swapping agent.name and rule.id in the instructions I shared earlier then. Rather than filtering by rule.id you would be filtering by agent.name. And rather than using the agent.name as the Terms field, you would be using the rule.id or the rule.description. With this configuration, once you filtered for a specific agent you would be visualizing a pie chart with a slice for each rule. You'll need to add some further filtering like rule.group to display only the MEMUsage group of alerts and the others.

In any case, a pie chart might not be the best choice here perhaps. What about a vertical bar chart with the different counters on the x-axis and their values on the y-axis, filtered by agent.name? You would still need to separate charts according to the counter units but vertical bars could prove easier to interpret than a round pie. Check the steps for creating a vertical bar graph in the documentation for guidelines on building this kind of chart.

Todor Dimitrov

Nov 21, 2024, 4:06:47 AM
to Wazuh | Mailing List
Hi Javier, 

Thank you again for the useful information. I tried to create the Vertical Bar for the purpose that I need and I think it worked because it shows roughly the same values that the line graphs show for the same counters. I also made a horizontal graph and I think it looks a bit better because of the way that the descriptive text is positioned. I will attach some screenshots of both the charts. Please let me know if you see any mistakes or something I could improve on. Thank you again for your time and have a good day.

Regards, 

Todor

Screenshot 2024-11-21 104350.png
Screenshot 2024-11-21 103305.png

Javier Medeot

Nov 21, 2024, 7:22:18 AM
to Wazuh | Mailing List
Hi Todor. Those graphs look fine!

Depending on your needs, you could use the Average aggregation instead of the Top hit so your graph rather than showing the last measurement would display the average over a period of time, such as the last minute, which you would be setting in your filters.

And I think you should separate metrics using MB units from metrics using Bytes/sec into two different charts. I'm not aware of a way for using dual-axis graphs here. Using two charts in the same custom dashboard would be a better way to display the data and allow comparisons.

Let me know if you need anything else about this. Thank you.
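
The chart settings discussed in this thread, written as the equivalent indexer query and replayed over a few constructed alerts. This is an added example, not part of the original messages or of Wazuh's own code; it covers the per-agent split, the swapped per-rule split and the Top Hit versus Average choice. The agent names and values are constructed, and data.winCounter.CookedValue is assumed to be mapped as a numeric field.

```python
import json
from collections import defaultdict

VALUE = "data.winCounter.CookedValue"  # metric field named in the thread

def build_query(split_field, filter_field, filter_value, metric="latest"):
    """Query DSL equivalent of the chart: filter, Terms split, then the metric."""
    if metric == "latest":  # Top Hit sorted by timestamp descending
        agg = {"top_hits": {"size": 1, "_source": [VALUE],
                            "sort": [{"timestamp": {"order": "desc"}}]}}
    else:  # Average over whatever time range the filters select
        agg = {"avg": {"field": VALUE}}
    return {"size": 0,
            "query": {"bool": {"filter": [{"term": {filter_field: filter_value}}]}},
            "aggs": {"slices": {"terms": {"field": split_field},
                                "aggs": {"value": agg}}}}

def get(doc, path):
    """Read a dotted field such as agent.name from a nested alert."""
    for key in path.split("."):
        doc = doc[key]
    return doc

def aggregate(docs, split_field, filter_field, filter_value, metric="latest"):
    """Apply the same filter/split/metric locally to show what each slice holds."""
    buckets = defaultdict(list)
    for doc in docs:
        if get(doc, filter_field) == filter_value:
            buckets[get(doc, split_field)].append(doc)
    if metric == "latest":
        return {k: get(max(v, key=lambda d: d["timestamp"]), VALUE)
                for k, v in buckets.items()}
    return {k: sum(get(d, VALUE) for d in v) / len(v) for k, v in buckets.items()}

def alert(ts, agent, rule_id, value):
    return {"timestamp": ts, "agent": {"name": agent}, "rule": {"id": rule_id},
            "data": {"winCounter": {"CookedValue": value}}}

# Constructed sample alerts (hypothetical agents win-a / win-b, made-up values).
SAMPLE = [
    alert("2024-11-20T10:00:00Z", "win-a", "302000", 4000.0),
    alert("2024-11-20T10:01:00Z", "win-a", "302000", 3000.0),
    alert("2024-11-20T10:01:00Z", "win-b", "302000", 6000.0),
    alert("2024-11-20T10:01:00Z", "win-a", "302003", 50000.0),
]

if __name__ == "__main__":
    print(json.dumps(build_query("agent.name", "rule.id", "302000"), indent=2))
    print(aggregate(SAMPLE, "agent.name", "rule.id", "302000"))         # per agent
    print(aggregate(SAMPLE, "agent.name", "rule.id", "302000", "avg"))  # Average
    print(aggregate(SAMPLE, "rule.id", "agent.name", "win-a"))          # per rule
```

The query body can be pasted into the indexer's Dev Tools against wazuh-alerts-* to check that a visualization returns the same numbers as the raw aggregation.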

Todor Dimitrov

Nov 21, 2024, 8:23:51 AM
to Wazuh | Mailing List
Hi Javier, 

I will take into consideration your suggestion about the Average aggregation but for now my boss wanted to be able to see the latest info. Thank you very much for all the useful information and help! Hope you have a great rest of the week!

Regards, 

Todor