{"id":27976517,"url":"https://github.com/misp/misp-grafana","last_synced_at":"2026-02-26T09:39:27.963Z","repository":{"id":63203421,"uuid":"475058501","full_name":"MISP/misp-grafana","owner":"MISP","description":"A real-time Grafana dashboard using MISP ZeroMQ message queue and InfluxDB","archived":false,"fork":false,"pushed_at":"2024-03-15T10:14:25.000Z","size":699,"stargazers_count":15,"open_issues_count":2,"forks_count":5,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-03-26T04:54:07.931Z","etag":null,"topics":["cybersecurity","dashboard","grafana","grafana-dashboard","influxdb","metrics","misp","threat-intelligence"],"latest_commit_sha":null,"homepage":"https://misp.github.io/misp-grafana/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MISP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-03-28T15:15:27.000Z","updated_at":"2024-02-23T10:30:32.000Z","dependencies_parsed_at":"2022-11-14T21:05:21.044Z","dependency_job_id":null,"html_url":"https://github.com/MISP/misp-grafana","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fmisp-grafana","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fmisp-grafana/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fmisp-grafana/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fmisp-grafana/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MISP","download_url":"https://codel
oad.github.com/MISP/misp-grafana/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252980684,"owners_count":21835288,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","dashboard","grafana","grafana-dashboard","influxdb","metrics","misp","threat-intelligence"],"created_at":"2025-05-08T01:27:34.892Z","updated_at":"2026-02-26T09:39:22.921Z","avatar_url":"https://github.com/MISP.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# misp-grafana\n\nA real-time Grafana dashboard using the MISP ZeroMQ message queue and InfluxDB.\n\n![Grafana Dashboard](./img/grafana.png)\n\n## Infrastructure\n- **InfluxDB 2.x**: Time series database for storing MISP metrics\n    - URL: http://localhost:8086\n    - default user: admin\n    - default password: passwordpasswordpassword\n- **Grafana**: For the UI and dashboards\n    - URL: http://localhost:3000\n    - default user: admin\n    - default password: passwordpasswordpassword\n- **[push_zmq_to_influxdb.py](./src/push_zmq_to_influxdb.py)**: Subscribes to the MISP ZMQ stream and pushes data to InfluxDB\n- **Telegraf**: Agent installed in the MISP instance for pushing logs to InfluxDB\n\n## Installation\n\n### Using containers\nUsing Docker is the easiest way to install it, and it comes pre-configured with the dashboard and InfluxDB datasource.\n\n```\n$ cd docker\n$ docker-compose up -d\n```\n\n\u003e **NOTE**: For production usage, change the default credentials.\n\n### Pushing MISP metrics\nAfter InfluxDB and Grafana are up and running, 
adjust the [.env](./src/.env) file to your environment, and run the ZMQ subscriber script:\n\n```\n$ cd src/\n$ pip install -r requirements.txt\n$ python3 push_zmq_to_influxdb.py\n[INFO] [2022-03-31 17:32:51,602] - Subscribed to ZMQ\n[INFO] [2022-03-31 17:32:56,945] - Received message from topic: misp_json_self\n[INFO] [2022-03-31 17:32:56,945] - ZMQ status pushed to InfluxDB\n...\n```\n\n\u003e **NOTE:** This script must be running at all times to feed InfluxDB with your MISP activity.\n\n### Pushing MISP logs\nThe [Telegraf](https://www.influxdata.com/time-series-platform/telegraf/) agent is used to parse MISP logs and push them to InfluxDB. To install it, follow this guide:\n* https://docs.influxdata.com/telegraf/v1.21/introduction/installation/\n\nRun the agent:\n```\n$ telegraf --config telegraf/telegraf.conf\n```\n\n\u003e **NOTE:** For the HTTP response time panels you need to extend the default Apache combined log format with the _`%D`_ option, so that your Apache log configuration reads as follows:\n\u003e \n\u003e `LogFormat \"%h %l %u %t \\\"%r\\\" %\u003es %O \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\" %D\" combined`\n\u003e * More info: https://httpd.apache.org/docs/current/mod/mod_log_config.html\n\n### MISP\nGo to your [ZeroMQ](https://zeromq.org/) plugin settings in MISP and set the following values:\n```\n  'ZeroMQ_enable' =\u003e true,\n  'ZeroMQ_host' =\u003e '127.0.0.1',\n  'ZeroMQ_port' =\u003e 50000,\n  'ZeroMQ_redis_host' =\u003e 'localhost',\n  'ZeroMQ_redis_port' =\u003e 6379,\n  'ZeroMQ_redis_database' =\u003e '1',\n  'ZeroMQ_redis_namespace' =\u003e 'mispq',\n  'ZeroMQ_event_notifications_enable' =\u003e true,\n  'ZeroMQ_object_notifications_enable' =\u003e true,\n  'ZeroMQ_object_reference_notifications_enable' =\u003e true,\n  'ZeroMQ_attribute_notifications_enable' =\u003e true,\n  'ZeroMQ_sighting_notifications_enable' =\u003e true,\n  'ZeroMQ_user_notifications_enable' =\u003e true,\n  'ZeroMQ_organisation_notifications_enable' =\u003e true,\n  
'ZeroMQ_tag_notifications_enable' =\u003e true,\n```\n\n### Monitoring multiple MISP instances\nThe included sample Grafana dashboard supports showing metrics from different MISP instances. For this, it is required that the data points coming from each instance have an associated `instance` tag.\n\n![](./img/grafana-misp-multi-instance.png)\n\n#### Telegraf\nEach instance should run its own Telegraf agent. For each instance, set a unique identifier under _global_tags_ in `telegraf.conf` as follows:\n\n**Internal MISP instance**\n```\n[global_tags]\n  instance = \"internal\"\n```\n\n**External MISP instance**\n```\n[global_tags]\n  instance = \"external\"\n```\n\n#### ZeroMQ\nFor each MISP instance there must be one _`push_zmq_to_influxdb.py`_ script running, each connected to the corresponding ZeroMQ publisher.\n\n\n**Internal MISP instance**\n```\n$ python3 src/push_zmq_to_influxdb.py -id=internal --url=tcp://misp.internal:50000\n[INFO] [2022-04-04 14:18:24,638] - Subscribed to ZMQ\n...\n```\n\n**External MISP instance**\n```\n$ python3 src/push_zmq_to_influxdb.py -id=external --url=tcp://misp.external:50000\n[INFO] [2022-04-04 14:18:24,638] - Subscribed to ZMQ\n...\n```\n\n### InfluxDB v1 compatibility\nIf you want to add a panel using the [InfluxQL](https://docs.influxdata.com/influxdb/v1.8/query_language/) query language instead of [Flux](https://docs.influxdata.com/influxdb/cloud/query-data/get-started/), you can do so by creating a _database and retention policy mapping_ ([DBRP](https://docs.influxdata.com/influxdb/cloud/reference/cli/influx/v1/dbrp/)) for InfluxDB v1 compatibility.\n\n```\n$ cd docker/\n$ docker-compose exec influxdb bash\n$ influx bucket list --name=misp\nID\t\t\tName\tRetention\tShard group duration\tOrganization ID\t\tSchema Type\n2123809cf4de9c68\tmisp\tinfinite\t168h0m0s\t\tb28ccb862d147bdd\timplicit\n$ influx v1 dbrp create \\\n  --db misp \\\n  --rp misp-rp \\\n  --bucket-id 2123809cf4de9c68 \\\n  -o org \\\n  -t 
tokentokentoken\nID\t\t\tDatabase\tBucket ID\t\tRetention Policy\tDefault\tOrganization ID\n0924213ebf9ba000\tmisp\t\t2123809cf4de9c68\tmisp-rp\t\t\ttrue\tb28ccb862d147bdd\n\n$ influx v1 auth create \\\n\t--read-bucket 2123809cf4de9c68 \\\n\t--write-bucket 2123809cf4de9c68 \\\n\t--username grafana \\\n  \t-o org \\\n  \t-t tokentokentoken\n? Please type your password ******** (grafana1)\n? Please type your password again ******** (grafana1)\nID\t\t\tDescription\tUsername\tv2 User Name\tv2 User ID\t\tPermissions\n092421c139dba000\t\t\tgrafana\t\tadmin\t\t0923ff89a4587000\t[read:orgs/b28ccb862d147bdd/buckets/2123809cf4de9c68 write:orgs/b28ccb862d147bdd/buckets/2123809cf4de9c68]\n```\n\nCreate a new datasource in Grafana with the following parameters:\n* Query Language: `InfluxQL`\n* Custom HTTP Authorization: `Authorization:` `Token tokentokentoken` \n* Database: `misp`\n* User: `grafana`\n* Password: `grafana1`\n\n\u003e **NOTE:** For production usage change the sample credentials.\n\n\n\u003e **Guide:** https://docs.influxdata.com/influxdb/v2.0/tools/grafana/?t=InfluxQL\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmisp%2Fmisp-grafana","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmisp%2Fmisp-grafana","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmisp%2Fmisp-grafana/lists"}