Home Internet Security: Let’s Meet ELSA

Today we are continuing this Home Internet Security series by examining one tool built into the SecurityOnion product: ELSA (Enterprise Log Search and Archive).

What is ELSA?

The ELSA web site has a good description of what this tool is/does:

ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing.

I urge you to check out the site to learn all the cool features of it. Essentially, it is a log collector. You have various computers/systems on your network send ELSA their event logs, system logs, IDS logs, whatever. ELSA then normalizes the various log inputs and allows the user an easy, web-based method of viewing the data.

This post is in no way going to show you all the neat features of ELSA but instead, will give you a taste of some of it. Hopefully, it’ll help you understand some of its capabilities.

So, why do I need ELSA?

Two questions come to mind:

  1. Why would I want to do this at home?
  2. What information can I send to ELSA?
The answer to #1 is easy…because you can! I’ve said this before, I’m a geek. At home I have over 10 computers (linux and Windows; laptops and desktops). I’ve also got mobile devices and phones and streaming TV thingies. Wouldn’t it be cool if I could go to one place and see all the errors that these devices might be throwing? What if you could look at the ELSA logs to see what kinds of things happened on the systems in your network? That’d be REALLY helpful when troubleshooting or investigating intrusions.
As for the second question, that answer is even easier. Just visit the ELSA documentation wiki at https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation and see the wealth of information. In less than 3 minutes (while writing this blog post actually), I downloaded a Windows Event Log -> Syslog tool called “eventlog-to-syslog” and installed it on my Windows computer. Now my Windows computer’s event logs are being sent to ELSA for analysis. I’ve also sent other devices like my Network Attached Storage (NAS – home server), my Untangle box, and others. The power of a syslog collector is in its ability to normalize data coming from multiple sources. ELSA does this with ease.
I also should mention that ELSA reads BRO alerts as well as OSSEC alerts coming from the SecurityOnion system. Let’s take a look at some of the data from my home network.

Hey ELSA, can I see BRO?

ELSA can be installed along with the other programs when you perform your SecurityOnion install. Then you access it from the main HTTPS page of your SecurityOnion system. The URL is https://[ipaddress]/elsa/. 
Below is a screenshot of ELSA in action. Along the left side of the web page are quick queries that you can run. They will search the ELSA database for certain information and then display the results. For instance, in the pic below, I’ve asked to see the list of URLs visited along with the count of the number of times that URL shows up in the BRO IDS alerts found in the ELSA database. This query is pulling from the BRO Network Security Monitor alerts that the BRO instance on the SecurityOnion system are generating.

BRO Alerts in ELSA
Let’s say that you want to “drill down” further into that http://www.pandora.com site activity. Just click the hyperlink and it’ll take you to a page similar to the one below. We can see that the query is now more specific showing BRO HTTP alerts and with a site=”www.pandora.com”. 
Detailed http://www.pandora.com BRO Alert Data in ELSA
At this level we see detailed info about this traffic including user-agent strings, URL resources requested and other information that was sent to the Pandora server. Easy.

Syslog and ELSA

Now let’s see some of the syslog data that my systems send to ELSA. Using the canned link on the left frame of the page, we can see that now we are performing a search of the database entries not in the OSSEC archive (see the minus sign or “-” in front of the parameters. That means ignore the term following it). This query groups the output by program and these queries and dashboards are customizable (but that is beyond the scope of this blog post). There are drop down menu items next to and below the query field which contain modifiers of the query. The ELSA site has docs about how to get all you can out of the queries.
Syslog Data in ELSA
Let’s go ahead and dig deeper into one of these programs. The “qlogd” entry is from my NAS. Clicking the hyperlink shows the info below. We have data on what systems people accessed the server share from, who accessed it and at what date and time they did so. There is also data about processes the NAS runs such as the Antivirus. Your devices may send more or less information depending upon their configurations.
NAS Syslog Data in ELSA

Setting Up the Hosts to Send to ELSA

I don’t have enough time or space to describe how to send each of your system’s logs to ELSA. The ELSA wiki has that info. Below are a couple of systems just to illustrate where you might be able to look to configure this on your systems.
Let’s look at my NAS device and my Untangle server. The screenshots below are pretty self-explanatory. In your system, look for a place in the configuration area where it says “syslog server” and enter the IP address of the SecurityOnion server. That is it.
Configuring NAS Device’s Syslog Server

Configuring  the Untangle Server’s Syslog Server
I mentioned above that I quickly configured a Windows computer to send its event logs to ELSA. I downloaded a Windows Event Log -> Syslog tool called “eventlog-to-syslog”, unzipped it and installed it on my Windows computer from an administrative command prompt. In the pic below, I typed “evtsys.exe /?” to show the switches and flags. Then I typed “evtsys.exe -i -h [ipaddress]” to (i)nstall the service and send the data to the (h)ost IP address specified. 
Installing the Windows Event Log to Syslog Service on a Windows Computer
I could go on showing you the queries and drilling down more but this is a good stopping place. When I installed SecurityOnion at home, I was only looking to use the Intrusion Detection System. Finding and leveraging ELSA has been very helpful and a wonderful discovery. 

Comments are closed.

Up ↑

%d bloggers like this: