Skip to content

Settings

OpenSecDash settings are available from the Settings page. Plugin-specific settings are shown only when the corresponding plugin is enabled.

General settings

SettingWhat it does
Primary DomainShown as the identity of this OpenSecDash instance. Useful when screenshots/debug reports need to identify which homelab instance they came from or simply as branding.
LanguageUI language. Technical event identifiers such as access.denied stay unchanged.
Retention daysHow long raw events should be kept in local database, depending on cleanup/retention behavior.
Default Events modeStarts the Events- and Access page in Live or Snapshot mode. Live keeps updating; Snapshot freezes the current view for investigation.
ThemeDark, light, or automatic browser/system theme.
TimezoneDisplay timestamps in auto, UTC, or an IANA timezone such as Europe/Berlin.

Actions

SettingWhat it does
Action simulationDry-run mode records actions without executing them. This is the safer default.
Execute via pluginAllows configured action plugins to execute real actions. Disable dry-run only when plugins and permissions are trusted.

When dry-run is enabled, action buttons may still be visible so you can test workflows without changing external systems.

Logging

SettingWhat it does
Write log fileEnables an additional app log file. In Docker installs this should usually stay disabled.
Log file pathPath for the optional file log, for example logs/opensecdash.log or /var/log/opensecdash/opensecdash.log.
Log levelDEBUG, INFO, WARNING, ERROR, or CRITICAL. Use DEBUG only temporarily because logs grow faster.

Service/journal logging remains available even when file logging is disabled. Docker installs should normally use stdout/stderr and Docker log rotation.

Events and Access columns

Events and Access tables support configurable visible columns. Use the column selector (cog-symbol) on each page to choose what is shown. The setting is saved separately for Events and Access.

Available columns:

ColumnDescription
TimeEvent timestamp in the configured display timezone.
TypeEvent type, for example access.allowed or security.ban.
SeverityEvent severity.
IPSource/client IP, linked to the IP Explorer.
CountryGeoIP country code/name when available.
CityGeoIP city when available.
HTTP statusHTTP status code with expandable label.
PathRequest path. Long values are truncated and can be opened in an overlay.
URLReconstructed URL when host/path data is available.
HostRequest host or matched asset host.
MethodHTTP method.
User agentUser agent string. Long values can be opened in an overlay.
RouterRouter name from supported reverse proxy logs.
ServiceService/backend name from supported reverse proxy logs.
ASNGeoIP ASN, for example AS15169.
ISPGeoIP ISP/organization. Long values can be opened in an overlay.

Default Events columns:

text
time, type, severity, ip, country, status, url

Default Access columns:

text
time, ip, host, method, status, path

The Events and Access pages have a text search field for quick investigations. The search checks common event fields such as event type, plugin/source, severity, IP, country, city, ASN, ISP, hostname, method, status code, path, timestamps, plugin JSON payload, and raw event data.

Simple search:

text
wp-login

This finds events containing wp-login in any searchable field.

Use && for AND:

text
wp-login && 404

This finds events that contain both wp-login and 404.

Use || for OR:

text
404 || 403

This finds events containing either 404 or 403.

Use parentheses to group expressions:

text
wp-login && (404 || 403)

This finds events containing wp-login and either 404 or 403.

Use quotes when a search term contains spaces:

text
"Mozilla/5.0"

Notes:

  • && has higher precedence than ||.
  • Parentheses can be used to make the intended logic explicit.
  • A plain search without &&, ||, or parentheses is treated as one substring search.
  • The special value - can be used for country searches to find events without a country value.

Asset Explorer filters

The Asset Explorer has several user-facing controls:

ControlWhat it does
SearchSearches visible/understandable system and app fields such as hostname, VMID, system type, app name, host URL, versions, release URL, active/inactive, and update state. Internal source IDs are not searched.
SourceFilters by asset source, for example JSON Assets or Proxmox Assets.
Show inactiveIncludes inactive systems/apps that were previously imported but no longer seen by their source.
Updates onlyShows only systems that currently have apps with available updates.
Proxmox syncManually synchronizes Proxmox Assets when that plugin is enabled.
JSON syncManually synchronizes JSON Assets when that plugin is enabled.
Check updatesChecks GitHub release URLs for assets. During one run, the same repository is queried only once.
Publish MQTT nowPublishes currently publishable app update states when MQTT is enabled.

Systems can be marked stale when they have not been seen recently. Proxmox Assets use a shorter threshold than JSON/manual sources because Proxmox syncs more frequently.

Plugin-specific settings

Plugin-specific settings are documented on the individual plugin pages.

Released under the GNU Affero General Public License v3.0.