parsedmarc icon indicating copy to clipboard operation
parsedmarc copied to clipboard

Published 20 hours ago verified publisher icon domainaware

Keep Opensearch, Kibana, and Graphana dashboards in parity with the Splunk dashboards

Open seanthegeek opened this issue 1 year ago • 2 comments

When I initially built parsedmarc I pushed the parsed DMARC data to Elasticsearch and visualized it with Kibana and visualized it with Kibana both as a proof of concept and as a way to keep the entire solution open source. Later on, Graphana dashboards were added, but those haven't been updated in 2 years.

These days, I'm pushing the results to Splunk and using Splunk dashboards to visualize the results. I've made some improvements to the Splunk dashboards recently, but I don't have an ELK or OpenSearch instance to maintain the other dashboard solutions.

The changes I've made include:

  • Removing the dkim_aligned filed from the DKIM alignment details dashboard widget, because dkim_aligned refers to the email as a whole, not that particular row, which can lead to some confusion
  • Renamed the SPF alignment details widget to SPF details
  • Renamed the DKIM alignment details widget to DKIM details
  • Added Message sources by name and type widget, which counts messages by the newly added source_name and source_type fields
  • Added the authentication_results field to the Forensic Samples dashboard widget

I'd like to keep all of the dashboards up to parity, but I'm not sure what's the best way to do that. My understanding is that OpenSearch is a fork of ELK before undesirable licensing changes were made. Newer versions of ELK won't allow forked clients to connect. I'm wondering:

  • Because the current parsedmarc dashboards for Kibana were made long before the fork, can they still be used by both OpenSearch Dashboards and modern releases of Kibana?
  • Can updated dashboards built for OpenSearch Dashboards be used by modern releases of Kibana, or will separate dashboards need to be maintained for OpenSearch and Kibana going forward?

Also, after all this time, I just noticed that the source_Base_domain field in the elastic and opensearch modules for parsedmarc should have been named source_base_domain to match every other field, which is all lowercase. I'm guessing changing that now would break backwards compatibility, right?

https://github.com/domainaware/parsedmarc/blob/master/parsedmarc/elastic.py#L63C32-L64C5

https://github.com/domainaware/parsedmarc/blob/master/parsedmarc/opensearch.py#L62

@Szasza I'm hoping you can answer some of these questions since you contributed the opensearch module.

seanthegeek avatar Mar 31 '24 15:03 seanthegeek

Hi @seanthegeek ,

I use Grafana together with OpenSearch.

  • With regards to the fork between ES and OS, right now the differences are not major. The query language, the API for search/ingestion/management, and the connection protocols are the same. The differences, if any, are usually around ES' paid features, which are not of concern for parsedmarc at the moment.

  • The bigger issue however is that Kibana and OpenSearch Dashboard are heading in the direction of being two entirely different tools. Although both support the Lucene Query Language, both Kibana and OpenSearch Dashboard have their own additional query languages by now. Also although the migration from one to another seems to be easy on the surface, the devil is in the details of the individual panels. Not to mention the differences between the individual Kibana versions.

  • As for updating Grafana, it shouldn't take too long based on the above. An interesting question however is the supported Grafana version(s). In v9 the pie chart and the world map panels (visualisations) have been replaced with a new piechart and geomap panels which require a different config compared to v8. The graph panel has also been upgraded. As some providers, such as AWS allow both v8 and v9 to be used in Amazon Managed Grafana, both versions' maintenance may be needed.

Now to the maintenance of the various dashboards. As there are a variety of visualisation and data store solutions and versions, it may worth putting together some automated tests using the different containers (OS, Grafana, ES, Kibana, Kafka, whatnot). The charts can be verified using headless Firefox and Playwright - taking screenshots and comparing them to golden images.

Last but not least, changing source_Base_domain to source_base_domain won't break OS/ES backward compatibility as they convert everything to lowercase. You can check that by getting an OpenSearch environment up and running, for example from https://github.com/Szasza/dmarc-visualizer-opensearch.

Szasza avatar Apr 01 '24 01:04 Szasza

Thanks for the detailed explanation.

seanthegeek avatar Apr 01 '24 17:04 seanthegeek