Enterprise Log Search and Archive (ELSA) is a three-tier log receiver, archiver, indexer, and web frontend for incoming syslog. It leverages syslog-ng's pattern-db parser for efficient log normalization and Sphinx full-text indexing for log searching.
- Developed by Martin Holste:
- Works best with the Chromium/Chrome browser
- More data types than all other interfaces
- In Security Onion 14.04, ELSA has dynamic bar charts and dashboards.
- The ELSA web interface authenticates against the Sguil user database, so you should be able to log in to ELSA using the same username/password you use to log in to Sguil/Squert.
- By default, ELSA searches the last 2 days' worth of logs. You can control this using the From and To fields.
- Very fast, very scalable (each sensor has its own mysql database and sphinx index).
- When you query the ELSA web interface, it queries all ELSA databases in parallel and then gives you the aggregate results.
ELSA will reach End Of Life on October 9, 2018. After that date, we will not provide any updates or any support for ELSA. Please plan to migrate from ELSA to Elastic at your earliest convenience.
ELSA can pivot to CapME to access full packet capture. For any log relating to TCP traffic that has a timestamp, source IP, source port, destination IP, and destination port, you can click Info, Plugin, getPcap to pivot to CapMe. Enter your username and password and CapMe will retrieve the pcap and render it as an ASCII transcript. If ELSA doesn't show the getPcap plugin, then the log you were trying to pivot from didn't contain all of the fields listed above that are necessary to activate the getPcap plugin.
You can query ELSA from the command line by querying the ELSA API. One option would be to pass your query to our cli.sh script (replacing example.com with your desired search criteria):

```
sh /opt/elsa/contrib/securityonion/contrib/cli.sh "example.com"
```

The output is in JSON, so you might want to pipe the results into jq:

```
sh /opt/elsa/contrib/securityonion/contrib/cli.sh "example.com" | jq '.'
```
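As an added example (not part of the ELSA project or this wiki), the script below post-processes cli.sh's JSON and keeps only the records that carry every field the getPcap plugin needs for the CapMe pivot described above. The result layout (a `results` list whose entries have a `timestamp` and a `_fields` list of field/value pairs) and the field names `srcip`, `srcport`, `dstip`, `dstport` are assumptions; adjust them to match what your cli.sh actually emits.

```python
import json

# Fields the getPcap plugin needs (besides the timestamp) before ELSA offers the
# CapMe pivot. Names are assumed; check them against your own cli.sh output.
PIVOT_FIELDS = ("srcip", "srcport", "dstip", "dstport")

# Constructed sample in the assumed cli.sh shape: one connection log with all the
# pivot fields and one DNS log that lacks the destination side.
SAMPLE_JSON = json.dumps({
    "totalRecords": 2,
    "results": [
        {"timestamp": 1538000000, "class": "BRO_CONN", "program": "bro_conn",
         "_fields": [
             {"field": "srcip", "value": "10.0.0.5"},
             {"field": "srcport", "value": "51234"},
             {"field": "dstip", "value": "192.0.2.10"},
             {"field": "dstport", "value": "443"},
         ]},
        {"timestamp": 1538000001, "class": "BRO_DNS", "program": "bro_dns",
         "_fields": [
             {"field": "srcip", "value": "10.0.0.5"},
             {"field": "hostname", "value": "example.com"},
         ]},
    ],
})

def fields_of(record):
    """Flatten a record's _fields list into a plain name -> value dict."""
    return {f["field"]: f["value"] for f in record.get("_fields", [])}

def pivot_ready(record):
    """True when the record has a timestamp and every field in PIVOT_FIELDS."""
    if "timestamp" not in record:
        return False
    present = fields_of(record)
    return all(name in present for name in PIVOT_FIELDS)

def pivotable(elsa_json):
    """Return (srcip, srcport, dstip, dstport, timestamp) for each record from
    which ELSA would show the getPcap plugin; records missing a field are skipped."""
    out = []
    for rec in json.loads(elsa_json).get("results", []):
        if pivot_ready(rec):
            f = fields_of(rec)
            out.append((f["srcip"], f["srcport"], f["dstip"], f["dstport"], rec["timestamp"]))
    return out

if __name__ == "__main__":
    import sys
    # Read cli.sh output from a pipe, or fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    for row in pivotable(data):
        print(*row)
```

Pipe cli.sh into it (`sh .../cli.sh "example.com" | python3 pivotable.py`) to list the five-tuples you could hand to CapMe, with the records that would not show getPcap filtered out.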
Another option would be Mike McDargh's PowerShell script:
Large number of Perl processes
Why does ELSA periodically show "undefined" instead of the number of logs in the upper right?
This can happen with the default Apache MaxConnectionsPerChild setting of 0. Our Setup script should automatically set this to 2, but if you upgraded from an older version you may be missing this setting. Try setting the following in /etc/apache2/mods-available/mpm_prefork.conf:

Then restart Apache:

```
sudo service apache2 restart
```