Wubi

ELSA: Enterprise Log Search and Archive!


Enterprise log searching and archiving has always been a difficult task for open source applications. ELSA plans on changing that. There are a number of free, open-source solutions out there which provide a means for log collection, searching, and alerting, but they are not designed to scale to collecting all events from a large organization while still making that data full-text searchable with millisecond response times. Commercial solutions do exist, but they cost a LOT. Introducing ELSA!


So, ELSA is inspired by Splunk and provides a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. To be precise, ELSA is a three-tier log receiver, archiver, indexer, and web frontend for incoming syslog. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs, as well as email-based alerts, scheduled queries, and graphing. ELSA was born because commercial tools were lacking, cost prohibitive, and perhaps too slow to receive the log volume on the hardware available with a tight budget. It focuses on speed rather than dashboards and presentation. ELSA is a solution to achieve the following:

  • Normalize, store, and index logs at unlimited volumes and rates
  • Provide a simple and clean search interface and API
  • Provide an infrastructure for alerting, reporting and sharing logs
  • Control user actions with local or LDAP/AD-based permissions
  • Plugin system for taking actions with logs
  • Exist as a completely free and open-source project

ELSA accomplishes these goals by harnessing the highly-specialized strengths of other open-source projects: Perl provides the glue to asynchronously tie the log receiver (Syslog-NG) together with storage (MySQL) and indexing (Sphinx Search) and serves this over a web interface provided either by Apache or any other web server, including a standalone pure-Perl server for a lighter footprint.
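To make the "normalize, then full-text index" pipeline described above concrete, here is a small added example in Python. It is not ELSA's code (ELSA does this in Perl with Syslog-NG, MySQL and Sphinx); it only illustrates the two steps a receiver like ELSA performs on each incoming syslog line: parse the BSD-style header into named fields (priority, host, program, PID, message) and feed the tokens into an inverted index so that arbitrary strings can be searched. The sample log lines, the field names and the `LogIndex` class are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in BSD syslog (RFC 3164) shape, as a receiver such
# as Syslog-NG would hand them on. Addresses and signature IDs are made up.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw1 snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE "
    "id check returned root [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:50012",
    "<13>Oct 11 22:14:16 web1 sshd[4321]: Accepted publickey for deploy "
    "from 10.0.0.7 port 51022 ssh2",
    "<13>Oct 11 22:14:17 web1 sshd[4322]: Failed password for root "
    "from 10.0.0.9 port 51023 ssh2",
    "malformed line with no header",
]

# <PRI>Mmm dd hh:mm:ss host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def normalize(line):
    """Turn one raw syslog line into a flat dict of named fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Unparseable input is kept, not dropped: a receiver that silently
        # discards odd lines loses exactly the events an investigator wants.
        return {"host": None, "program": None, "pid": None,
                "facility": None, "severity": None, "msg": line}
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"] = pri >> 3   # upper bits of PRI
    rec["severity"] = pri & 7    # lower three bits of PRI
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


TOKEN_RE = re.compile(r"[A-Za-z0-9_.\-]+")


def tokenize(text):
    """Lower-cased tokens; IPs survive as one token, ports split off."""
    return {t.lower() for t in TOKEN_RE.findall(text)
            if any(c.isalnum() for c in t)}


class LogIndex:
    """Minimal inverted index: token -> set of record ids (constructed)."""

    def __init__(self):
        self.records = []
        self.postings = defaultdict(set)

    def add(self, line):
        rec = normalize(line)
        doc_id = len(self.records)
        self.records.append(rec)
        for field in ("host", "program", "msg"):
            if rec.get(field):
                for tok in tokenize(rec[field]):
                    self.postings[tok].add(doc_id)
        return doc_id

    def search(self, query):
        """AND search: every query term must appear; returns matching records."""
        terms = tokenize(query)
        if not terms:
            return []
        ids = None
        for t in terms:
            hits = self.postings.get(t, set())
            ids = hits if ids is None else ids & hits
            if not ids:
                return []
        return [self.records[i] for i in sorted(ids)]


def build_index(lines=SAMPLE_LINES):
    idx = LogIndex()
    for line in lines:
        idx.add(line)
    return idx


if __name__ == "__main__":
    idx = build_index()
    for rec in idx.search("10.0.0.9"):
        print(rec["host"], rec["program"], rec["msg"])
```

The point of the split tokenizer is visible in the first sample: the Snort line carries `10.0.0.9:50012`, yet a search for `10.0.0.9` still finds it alongside the failed SSH login from the same address, which is the kind of cross-source pivot a full-text log index exists for. The malformed line is indexed by its raw text rather than discarded.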

Features offered by ELSA:

  • High-volume receiving/indexing (a single node can receive > 30k logs/sec, sustained)
  • Full Active Directory/LDAP integration for authentication, authorization, email settings
  • Instant ad-hoc reports/graphs on arbitrary queries even on enormous data sets
  • Email alerting, scheduled reports
  • Plugin architecture for web interface
  • Distributed architecture for clusters
  • Ships with normalization for some Cisco logs, Snort/Suricata, Bro, and Windows via Eventlog-to-Syslog or Snare

ELSA ships with several plugins, such as for Windows logs from Eventlog-to-Syslog, Snort/Suricata logs, Bro logs, and URL logs from httpry_logger. These plugins tell the web server what to do when a user clicks the "Info" link next to each log. A plugin can do anything, but it is designed for returning useful information in a dialog panel in ELSA with an actions menu. New plugins can be added easily by subclassing the "Info" Perl class and editing the elsa_web.conf file to include them. Contributions are welcomed by the author!

ELSA has been found to work on Ubuntu, openSUSE, CentOS, and FreeBSD (other *BSD variants are untested) with Syslog-NG 3.1, MySQL 5.1, Sphinx search, Apache, and Perl. It is a complex system and will require a fair amount of initial configuration, but once it is up and running, it will not need much maintenance or tuning. If you run into issues, let the author know and he will try to help you get up and running. ELSA is available under GPLv2 licensing.

Download ELSA: elsa.tar.gz

Source: PenTestIT — Your source for Information Security Related information!
