From c4a273304d8f5ce840126635143eadb0ad1bd028 Mon Sep 17 00:00:00 2001
From: Bronson Peto
Date: Fri, 17 Apr 2026 13:15:35 -0600
Subject: [PATCH] Fixing dashboard query to use config macro.
---
auditd/searchlibrary/4876ee88-eaa0-4c33-977f-c7479c8a7803.query | 2 +-
auditd/searchlibrary/4d9605f1-6905-4cf7-94a1-0b24263a3bf1.query | 2 +-
auditd/searchlibrary/54141e12-34a6-4251-9436-ea3562af0ace.query | 2 +-
auditd/searchlibrary/680f6de5-ed97-4d02-a798-b9bfacb8091f.query | 2 +-
auditd/searchlibrary/793cb4f9-733f-4390-aed3-bc18a4806c1a.query | 2 +-
auditd/searchlibrary/dec0dbd0-65dd-4aa5-a643-6390a58a0719.query | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/auditd/searchlibrary/4876ee88-eaa0-4c33-977f-c7479c8a7803.query b/auditd/searchlibrary/4876ee88-eaa0-4c33-977f-c7479c8a7803.query
index af160bc..b7c5bce 100644
--- a/auditd/searchlibrary/4876ee88-eaa0-4c33-977f-c7479c8a7803.query
+++ b/auditd/searchlibrary/4876ee88-eaa0-4c33-977f-c7479c8a7803.query
@@ -1 +1 @@
-tag=auditd kv -q type as auditType AUID | count auditType by AUID | chart count by AUID
\ No newline at end of file
+tag=$AUDITD kv -q type as auditType AUID | count auditType by AUID | chart count by AUID
\ No newline at end of file
diff --git a/auditd/searchlibrary/4d9605f1-6905-4cf7-94a1-0b24263a3bf1.query b/auditd/searchlibrary/4d9605f1-6905-4cf7-94a1-0b24263a3bf1.query
index eebb54d..c7edeea 100644
--- a/auditd/searchlibrary/4d9605f1-6905-4cf7-94a1-0b24263a3bf1.query
+++ b/auditd/searchlibrary/4d9605f1-6905-4cf7-94a1-0b24263a3bf1.query
@@ -1 +1 @@
-tag=auditd kv -q type as auditType AUID | count auditType by AUID | table AUID count
\ No newline at end of file
+tag=$AUDITD kv -q type as auditType AUID | count auditType by AUID | table AUID count
\ No newline at end of file
diff --git a/auditd/searchlibrary/54141e12-34a6-4251-9436-ea3562af0ace.query b/auditd/searchlibrary/54141e12-34a6-4251-9436-ea3562af0ace.query
index 5f29032..5c5b3b1 100644
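Review bot: The `$AUDITD` macro that all six queries now depend on is not defined or documented anywhere in this patch, which touches only the `.query` files. If the macro is missing, or is set to a tag that carries no auditd entries, these dashboards would presumably come back empty rather than fail loudly, and for the failed-syscall and user-transition panels an empty result reads the same as a quiet system. Confirm that the kit's config macro defaults to `auditd`, so that `tag=$AUDITD` expands to the previous `tag=auditd` on existing installs, and check whether any other search-library query still hard-codes the tag. This applies equally to the hunks for 4d9605f1, 54141e12, 680f6de5, 793cb4f9 and dec0dbd0.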
--- a/auditd/searchlibrary/54141e12-34a6-4251-9436-ea3562af0ace.query
+++ b/auditd/searchlibrary/54141e12-34a6-4251-9436-ea3562af0ace.query
@@ -1 +1 @@
-tag=auditd kv -q -s type as auditType AUID EUID ses | eval (AUID != EUID) && (AUID != "unset") | stats unique_count(ses) as sessions by AUID EUID | eval transition = printf("(User: %s) → (User: %s)", AUID, EUID) | count by transition | numbercard (count "")
\ No newline at end of file
+tag=$AUDITD kv -q -s type as auditType AUID EUID ses | eval (AUID != EUID) && (AUID != "unset") | stats unique_count(ses) as sessions by AUID EUID | eval transition = printf("(User: %s) → (User: %s)", AUID, EUID) | count by transition | numbercard (count "")
\ No newline at end of file
diff --git a/auditd/searchlibrary/680f6de5-ed97-4d02-a798-b9bfacb8091f.query b/auditd/searchlibrary/680f6de5-ed97-4d02-a798-b9bfacb8091f.query
index dc59c3d..434f38d 100644
--- a/auditd/searchlibrary/680f6de5-ed97-4d02-a798-b9bfacb8091f.query
+++ b/auditd/searchlibrary/680f6de5-ed97-4d02-a798-b9bfacb8091f.query
@@ -1 +1 @@
-tag=auditd kv -q -s type == "SYSCALL" as auditType success == "no" exe | stats count by exe | sort by count desc | table exe count
\ No newline at end of file
+tag=$AUDITD kv -q -s type == "SYSCALL" as auditType success == "no" exe | stats count by exe | sort by count desc | table exe count
\ No newline at end of file
diff --git a/auditd/searchlibrary/793cb4f9-733f-4390-aed3-bc18a4806c1a.query b/auditd/searchlibrary/793cb4f9-733f-4390-aed3-bc18a4806c1a.query
index 9e650f3..b09f9b2 100644
--- a/auditd/searchlibrary/793cb4f9-733f-4390-aed3-bc18a4806c1a.query
+++ b/auditd/searchlibrary/793cb4f9-733f-4390-aed3-bc18a4806c1a.query
@@ -1 +1 @@
-tag=auditd kv -q -s type == "SYSCALL" as auditType success == "no" SYSCALL | stats count by SYSCALL | sort by count desc | table SYSCALL count
\ No newline at end of file
+tag=$AUDITD kv -q -s type == "SYSCALL" as auditType success == "no" SYSCALL | stats count by SYSCALL | sort by count desc | table SYSCALL count
\ No newline at end of file
diff --git a/auditd/searchlibrary/dec0dbd0-65dd-4aa5-a643-6390a58a0719.query b/auditd/searchlibrary/dec0dbd0-65dd-4aa5-a643-6390a58a0719.query
index d071821..4d69f18 100644
--- a/auditd/searchlibrary/dec0dbd0-65dd-4aa5-a643-6390a58a0719.query
+++ b/auditd/searchlibrary/dec0dbd0-65dd-4aa5-a643-6390a58a0719.query
@@ -1 +1 @@
-tag=auditd kv -q -s type == "SYSCALL" as auditType success == "no" AUID | stats count by AUID | chart count by AUID
\ No newline at end of file
+tag=$AUDITD kv -q -s type == "SYSCALL" as auditType success == "no" AUID | stats count by AUID | chart count by AUID
\ No newline at end of file