ELSA: Web interface for syslog-ng and patterndb
Enterprise log search and archive (ELSA) is a brand new centralized syslog framework with syslog-ng 3.1+ and patterndb at its heart. It is the first larger project outside of BalaBit utilizing the power of patterndb. Data storage and searching are based on MySQL and Sphinx, and there is a simple but powerful web interface, which gives quick access even to many millions of log messages.
As ELSA is a new project, it has some rough edges. Still, it’s something I can recommend trying for anybody who needs central logging, a web GUI and the power of patterndb. ELSA is not yet documented, but its configuration file has many useful comments and the user interface is mostly self-explanatory. In the past few weeks, while I was testing ELSA, any problems I reported were quickly fixed and questions answered.
There are a couple of ways to get started:
- The easy way is to download the VMware image, as one only needs to send the logs to the appliance and to point a browser to its web server. This is enough for evaluation, but has a huge performance penalty. It is available at: http://spike2.fa.gau.hu/~mcholste/elsa_vm.tar.gz
- A slightly more difficult path is to install ELSA by hand. There is a self-documenting installation script, but I’d rather recommend running the commands by hand, so you can check the output of each command and modify it to your liking. Sources are available at http://code.google.com/p/enterprise-log-search-and-archive/.
- The adventurous can also install from SVN. Access instructions are available from the previous URL.
Currently the only tested target operating system is Ubuntu Lucid (10.04 LTS). If you need another one, you are on your own. Once I have more time, I plan to contribute instructions for installation on openSUSE / SLES, my favorite distribution, but I don’t yet have a time frame.
ELSA would be quite useful already without patterndb. It has an easy-to-use interface, a bit similar to Google’s “advanced search”. It could insert many messages into the database even under VMware, and it searched the data very quickly.
Patterndb gives ELSA some extra advantages over any other syslog GUI solutions I tested recently. Information parsed from messages is easy to search; for example, one can collect in an instant when a given user logged in in a given time period, or see from HTTP logs which pages a given user or IP address visited. Here is a sample screenshot of SSH logins:
ELSA comes with a rich set of firewall and httpry-related patterns. Right now it takes some time to adapt patterns to ELSA, but it’s nothing impossible and the developer is ready to help. The sshd pattern used above was not originally part of ELSA but came from our patterndb git ( http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=summary ).
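To show what the sshd pattern buys you (a raw login line becomes named fields you can search by user, address and time window), here is an added example: a simplified Python emulation of patterndb parsing, not syslog-ng's engine or ELSA's code. The pattern, the field names (authmethod, username, src_ip, src_port) and the log lines are constructed for illustration.

```python
"""Simplified emulation of syslog-ng patterndb parsing (added example, not
syslog-ng's or ELSA's code). Handles a subset of patterndb parsers:
@ESTRING:name:delim@, @NUMBER:name@ and @IPv4:name@. Field names and log lines are constructed."""
import re
from datetime import datetime

# Assumed sshd login pattern written in patterndb syntax (field names are ours).
SSHD_ACCEPTED = "Accepted @ESTRING:authmethod: @for @ESTRING:username: @from @IPv4:src_ip@ port @NUMBER:src_port@ ssh2"
PARSER_RE = re.compile(r"@(ESTRING|NUMBER|IPv4):(\w+)(?::([^@]*))?@")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)\[\d+\]: (.*)$")  # "<ts> <host> <prog>[pid]: <msg>"

# Constructed sample messages; the last one must not match the login pattern.
SAMPLE_LOGS = [
    "2011-05-10T08:15:02 bastion sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "2011-05-10T09:40:11 bastion sshd[2310]: Accepted password for bob from 192.168.1.20 port 40001 ssh2",
    "2011-05-10T23:05:45 bastion sshd[2455]: Accepted publickey for alice from 10.0.0.9 port 51877 ssh2",
    "2011-05-10T23:06:01 bastion sshd[2456]: Failed password for invalid user admin from 203.0.113.7 port 3333 ssh2",
]

def compile_pattern(pattern):
    """Translate a patterndb pattern into an anchored regex with named groups."""
    out, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))  # literal text between parsers
        kind, name, arg = m.groups()
        if kind == "ESTRING":   # text up to (and consuming) the delimiter
            out.append(r"(?P<%s>.*?)%s" % (name, re.escape(arg or "")))
        elif kind == "NUMBER":
            out.append(r"(?P<%s>\d+)" % name)
        else:                   # IPv4
            out.append(r"(?P<%s>\d{1,3}(?:\.\d{1,3}){3})" % name)
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(out) + "$")

def parse_logs(lines, pattern=SSHD_ACCEPTED, program="sshd"):
    """Return a dict of parsed fields for each line of `program` that matches."""
    rx, events = compile_pattern(pattern), []
    for line in lines:
        hdr = LINE_RE.match(line)
        m = rx.match(hdr.group(4)) if hdr and hdr.group(3) == program else None
        if m:
            events.append(dict(m.groupdict(), timestamp=hdr.group(1), host=hdr.group(2)))
    return events

def logins_for(user, start, end, lines=SAMPLE_LOGS):
    """The ELSA-style question: when did `user` log in between two ISO timestamps?"""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e["timestamp"] for e in parse_logs(lines)
            if e["username"] == user and lo <= datetime.fromisoformat(e["timestamp"]) <= hi]
```

The failed-login line is deliberately left unmatched by this pattern; in a real patterndb ruleset it would get its own rule so that failures are just as searchable as successes.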
And we are now back to patterns. Last autumn we asked the syslog-ng community to help us create patterns and/or to provide log samples which could be used to create patterns. We would like to kindly remind you about these initiatives. URLs are available at the bottom of our patterndb page: http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/features/pattern_db
For more ELSA-related information you should check the author’s blog at http://ossectools.blogspot.com/ where he explains the basics and also some interesting use cases.