Doug Burks edited this page Apr 9, 2018 · 41 revisions
Clone this wiki locally


From https://github.com/mcholste/elsa:

Enterprise Log Search and Archive (ELSA) is a three-tier log receiver, archiver, indexer, and web frontend for incoming syslog. It leverages syslog-ng's pattern-db parser for efficient log normalization and Sphinx full-text indexing for log searching.

  • Developed by Martin Holste:

  • Web interface for hunting through logs (Bro, NIDS alerts, OSSEC, syslog)

  • Works best with Chromium/Chrome browser

  • More data types than all other interfaces

  • In Security Onion 14.04, ELSA has dynamic bar charts and dashboards.

  • The ELSA web interface authenticates against the Sguil user database, so you should be able to login to ELSA using the same username/password you use to login to Sguil/Squert

  • By default, ELSA searches the last 2 days worth of logs. You can control this using the From and To fields.

  • Very fast, very scalable (each sensor has its own mysql database and sphinx index)

  • When you query the ELSA web interface, it queries all ELSA databases in parallel and then gives you the aggregate results


ELSA will reach End Of Life on October 9, 2018. After that date, we will not provide any updates or any support for ELSA. Please plan to migrate from ELSA to Elastic at your earliest convenience.


ELSA can pivot to CapME to access full packet capture. For any log relating to TCP traffic that has timestamp; src ip; source port; destination ip; and destination port, you can click Info, Plugin, getPcap to pivot to CapMe. Enter your username and password and CapMe will retrieve the pcap and render it as an ASCII transcript. If ELSA doesn't show the getPcap plugin, then the log you were trying to pivot from didn't contain all of the fields listed above that are necessary to active the getPcap plugin.


You can query ELSA from the command line by querying the ELSA API. One option would be to pass your query to our cli.sh script (replacing example.com with your desired search criteria):

sh /opt/elsa/contrib/securityonion/contrib/cli.sh "example.com" 

The output is in JSON, so you might want to pipe the results into jq:

sh /opt/elsa/contrib/securityonion/contrib/cli.sh "example.com" | jq '.'

Another option would be Mike McDargh's Powershell script:

Large number of Perl processes

See: Why does sostat show high load/CPU usage and large number of Perl processes?


See: Why does sostat show a high number of ELSA buffers in queue?


ELSA Query Tips


Custom ELSA Parsers






Why does ELSA periodically show "undefined" instead of the number of logs in the upper right?

This can happen with the default Apache MaxConnectionsPerChild setting of 0. Our Setup script should automatically set this to 2, but if you upgraded from an older version you may be missing this setting. Try setting the following in /etc/apache2/mods-available/mpm_prefork.conf:

MaxConnectionsPerChild 2

Then restart Apache:

sudo service apache2 restart