Part 6. Best Open Source SIEM Dashboards

Visualize your SIEM logs with Grafana

PART ONE: Backend Storage

PART TWO: Log Ingestion

PART THREE: Log Analysis

PART FOUR: Wazuh Agent Install

PART FIVE: Intelligent SIEM Logging

Walkthrough Video


In PART FIVE we configured Graylog to beautify our ingested Wazuh logs by extracting the JSON keys and their values. Without this step, we are not able to build precise dashboards or widgets that enable us to visualize our data in a manner that allows us to understand it and make quick decisions. Throughout this post, we will learn how to turn our data from:

What Am I Supposed to Do With That?!
Beautified Data

Welcome Grafana

Grafana is the perfect visualization tool when it comes to visualizing our security events. Kibana (Wazuh-Dashboards) can also be used to visualize our data, but over the years I have not been impressed with Kibana’s visualizations, difficulty to customize, lack of unique data sources, and overall speed. In my opinion, Grafana is the best visualization tool for all SIEM stacks.

Visualization Panels

Visualization panels are the building blocks that make up our dashboards. Dashboards are simply a combination of visualization panels pieced together to form a concise and accurate representation of the intent of the dashboard. Grafana’s wide range of visualization panels provides more flexibility and ease of “understanding the big picture” than is offered in Kibana.

The Grafana community is strong and the ability to import prebuilt dashboards built by others in a matter of seconds allows us to start visualizing our data in no time!

Find your perfect dashboard here:

Limitless Customization

Customization is limitless with Grafana’s provided ability for us to write our own HTML and CSS panels. Grafana makes it simple for us to add our own branding and unique feel to our dashboards!

Unique Data Sources

Often times, the data that we want to display within our dashboards does not reside in just one datasource. I could have my SIEM logs being written to Elasticsearch, a MySQL database storing my threat intel, and a CSV file storing CNs and their associated DCs. Rather than trying to funnel that data into Elasticsearch, we can configure multiple data sources within Grafana with ease!

I Want to go Fast

In the Security World, we do not have time to wait. Our visualizations and searches must load in a matter of seconds, no matter their complexity. Grafana’s speed to present the data back to us is unmatched. Although Grafana and Kibana are both simply making API queries to Elasticsearch to load the data, I have found that Grafana’s response time blows Kibana out of the water!


Let’s now install Grafana. This guide details installing the OSS version of Grafana on a Debian 11 machine.

sudo apt-get install -y apt-transport-https
sudo apt-get install -y software-properties-common wget
sudo wget -q -O /usr/share/keyrings/grafana.key

Add the repository:

echo "deb [signed-by=/usr/share/keyrings/grafana.key] stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
sudo apt-get update
sudo apt-get install grafana

Open the /etc/grafana/grafana.ini file to apply configuration settings to your Grafana instance. Here we can configure our authentication mechanism, HTTPS certificates, and much more!

Adding Certificates

#################################### Server ####################################
# Protocol (http, https, h2, socket)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port to use
;http_port = 3000

# The public facing domain name used to access grafana from a browser
domain =

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
;root_url = %(protocol)s://%(domain)s:%(http_port)s/
root_url = %(protocol)s://%(domain)s/

# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
;serve_from_sub_path = false

# Log web requests
;router_logging = false

# the path relative working path
;static_root_path = public

# enable gzip
;enable_gzip = false

# https certs & key file
cert_file = /etc/ssl/certs/*grafanacert*.pem
cert_key = /etc/ssl/private/*grafanakey*.key

# Unix socket path
;socket =

# CDN Url
;cdn_url =

# Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections.
# `0` means there is no timeout for reading the request.
;read_timeout = 0

#################################### Database ####################################


Let’s now start up Grafana

systemctl start grafana-server

Configuring Our Wazuh Indexer Data Source

With Grafana installed and running, let’s now configure Grafana so that it can read our ingested SIEM logs stored within our Wazuh Indexer.

  1. Select Configuration -> Data Sources

2. Select Elasticsearch — Remember that at the end of the day the Wazuh-Indexer is Elasticsearch 7.10.2

3. Set your Elasticsearch connection settings (see walkthrough video to configure grafana user within our Wazuh Indexer)

Above URL blocks:${__value.raw}


4. Save and Test

5. Select Explore to ensure Grafana is able to load the data

Create Your First Dashboard

Now that we are able to use Grafana to load our data, let’s begin to visualize our data by creating our first dashboard.

For instance, I want to build a dashboard that details all network connections being made from my endpoints. I want to build a dashboard that details the source, destination, and connected to port of every network connection. There are many different panels we could choose from, but I have found that the Sankey Panel is easiest on the eyes.

Sankey Panel

Source / Destination / Port
  1. Add a new dashabord and a new panel

2. Select the Sankey Panel

If not installed, install via the commandline: grafana-cli plugins install netsage-sankey-panel

3. Select the WAZUH data source

4. Build your search query — Our Wazuh Rule group sysmon_event3 pertain to all network connections made via our Windows endpoints. View the walkthrough video to see how we can parse our rule_groups to set the rule_group3 value.


5. Add the data fields we want to use to populate the panel

6. Use the Organize Fields Transform to clean up the field names

7. Set your panel title and Apply

That’s easy enough, but I want more on my dashboard.

Worldmap Panel (Follow Walkthrough video to enable the Geo IP Lookup Table)

Let’s add some geolocation of our destination IPs so we can spot network connections made to any countries of concern (Russia is always a popular choice)

Add GeoLite DB to your Graylog server:

cd /etc/graylog/server
systemctl restart graylog-server

Follow Walkthrough video to enable the Geo IP Lookup Table

  1. Add a Worldmap Panel and select the Wazuh Data Source

2. Build our Search Query and Groupings

3. Set your Panel Title and Apply

Our dashboard is starting to come together!

Network Connections Histogram

Let’s build a panel that details a history of the number of network connections made per endpoint.

  1. Select Graph and the Wazuh Data Source

2. Set the Panel Query and Grouping

3. Set Panel Options

4. Set your Title and Apply

Processes Invoking Network Connections

From a security perspective, it is benefical to know what process is invoking the network connection. For example, I expect Chrome to be making network connections, but other processes such as Powershell may be of concern.

  1. Add a Bar Gauge panel

2. Build the search query

3. Set the panel options

4. Set Panel Title and Apply

Integrate with Talos Intelligence to View IP Reputation

We can build our panels with dynamic data links that allow us to plug the value of the field into a URL that will be populated with our data value. We will use a data link to build a URL that will open a tab to view the IP reputation within Talos Intelligence. This allows us to quickly spot known malicious IPs that our endpoints have connected to.

  1. Add a Table panel

2. Build the search query

3. Add a Data Override${__value.text}

4. Add your Panel Title and Apply

Select a linked IP to view the Threat Intel presented by Talos

Notice that our URL is dynamically built for us!

Rearranging The Visualizations

With our panels now built, we can freely drag and drop our panels to arrange them in a manner that is logical and easy to follow.

Just the Beginning

With Grafana the possibilities are truly endless. We can build dashboards that detail DNS queries, running process, alert summaries, and so much more!

DNS Queries
Running Processes
Alert Summary

Check out the SOCFortress dashboards that come out of the box to see what all is possible!



Throughout this blog post we installed Grafana, connected Grafana to our Wazuh data source, and walked through how we can build panels to populate our Network Connections dashboard. This post only touches the surface of what Grafana has to offer. So what are you waiting for? Enable your SOC team to visualize your ingested SIEM logs with the speed, flexibility, and customization of Grafana! Happy Defending 😄.

Need Help?

The functionality discussed in this post, and so much more, are available via SOCFortress’s Professional Services. Let SOCFortress help you and your team keep your infrastructure secure.


Professional Services:



SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).