First Impressions with ELSA: Bye-bye Grep

When I first read about ELSA, I knew it was going to be a game changer. From the very beginning, this log collection and analysis application had addressed many of the problems plaguing adoption of open source log front-ends in the enterprise. It had scalability (as in pretty much unlimited scalability), it integrated with Active Directory, it had reporting and it was designed to handle thousands of logs per second without breaking a sweat. In other words, it was what many expensive SIEMs promised to be but failed to be in execution.

With an upcoming log infrastructure expansion project, I decided to give it a trial run on an old laptop. If things went well there, I could consider piloting the application for production usage. So with a fair bit of trepidation, I followed the instructions in the README and with two simple commands later it was furiously downloading and installing all sorts of stuff. The installation took over an hour on this poor little laptop, since many elements of ELSA were being compiled. Honestly, I didn’t expect things to go well. With all of these Perl modules and Ubuntu packages being installed, something had to fail and stop the entire chain of events. I was a bit surprised to see that it all just worked. At the end of the installation I opened a browser and was greeted with this nice and clean screen.

Since I already had the firewall logging to this box, it was simply a matter of disabling that application so ELSA could grab the port and start receiving syslogs. A few minutes later, I was able to run a basic query by simply putting in the IP of the firewall.

I expected some sort of hourglass. After all, this was a five year old laptop, not a server. But the query results came back pretty much immediately (199 milliseconds to be exact).

Performing additional queries proved to be somewhat more difficult, simply because I had not yet wrapped my mind around the search syntax. I tried 192.168 thinking I would see everything on that segment, since the doc mentioned that wildcards were not an option, but I got no results. After a bit more reading and experimenting, I got the hang of it. Still, it has taken me out of my comfort zone of grep-style regular expression searching and that will take some getting used to.

By clicking on the ‘Report On’ button and then selecting ‘Hour’ I had an instant visual of the level of log activity from this one host. From there I could save or export the results in PDF, Excel, CSV or HTML. Doing a line count in a day's worth of logs for one IP using grep would have taken several minutes at least, never mind plotting it. The chart is somewhat Splunk-like, but without five thousand dollars to get started and the threat of locking you out of your log history should you go over your limit.
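For comparison, here is the grep-style hourly count that the ‘Report On’ → ‘Hour’ button replaces. This is an added example, not code from the post or from the ELSA project; the firewall log lines are constructed, and the function names are my own. It also shows the substring pitfall the exact-token search avoids: a plain grep for 192.168.1.1 silently also counts 192.168.1.10.

```shell
#!/bin/sh
# Added example: per-hour line count for one IP in a syslog file,
# the manual equivalent of ELSA's "Report On -> Hour" chart.

# Constructed sample firewall syslog (BSD timestamp, then host, then message).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 08:01:12 fw01 kernel: DROP IN=eth0 SRC=192.168.1.1 DST=10.0.0.5
Mar 10 08:15:44 fw01 kernel: ACCEPT IN=eth0 SRC=192.168.1.10 DST=10.0.0.5
Mar 10 08:59:02 fw01 kernel: DROP IN=eth0 SRC=192.168.1.1 DST=10.0.0.9
Mar 10 09:03:21 fw01 kernel: DROP IN=eth0 SRC=192.168.1.1 DST=10.0.0.9
Mar 10 11:30:00 fw01 kernel: ACCEPT IN=eth0 SRC=172.16.5.5 DST=192.168.1.1
EOF

# Naive count: grep -F treats the IP as a fixed string (so '.' is not a
# regex wildcard) but still matches substrings, so 192.168.1.1 also hits
# the 192.168.1.10 line. This is the over-count a grep habit produces.
substring_count() {
    grep -Fc -- "$1" "$2"
}

# Whole-word count: -w requires non-word characters on both sides, so
# 192.168.1.1 no longer matches inside 192.168.1.10.
total_count() {
    grep -Fwc -- "$1" "$2"
}

# Hourly histogram: fields $1 $2 $3 are "Mar 10 08:01:12"; bucket by the
# hour portion of the time and print "Mon DD HH count", sorted by hour.
hourly_count() {
    grep -Fw -- "$1" "$2" \
      | awk '{ split($3, t, ":"); h[$1 " " $2 " " t[1]]++ }
             END { for (k in h) print k, h[k] }' \
      | sort
}

# Usage: prints 5, 4, then the three hour buckets for 192.168.1.1.
substring_count 192.168.1.1 "$SAMPLE_LOG"
total_count 192.168.1.1 "$SAMPLE_LOG"
hourly_count 192.168.1.1 "$SAMPLE_LOG"
```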

Poking around a bit more, I began to see where ELSA really shines. The use of plugins allows you to leverage community intelligence and to do things like see if the IP in the logs is known to be malicious. Can I get an AMEN!!!??

So, what would I change? I am starting to get some ideas, but really, they are just cosmetic things that don’t seem all that important right now. One thing is clear: ELSA was designed by someone who understands the needs of log analysts. We need a no-nonsense, clean and stable interface, fast results and enough enterprise-level features to be able to justify it in the workplace, and ELSA fits the bill perfectly. Listen up log pros, this is the one to watch.

5 comments on “First Impressions with ELSA: Bye-bye Grep”
  1. josh says:

    Hi Michael,
    I am a huge fan of OSSEC, been using it for a couple of years. It would be interesting to mesh the beautiful interface of Graylog2 with something like this. What are your thoughts on Graylog2? Their website is:

    I have been looking for something that can keep up with all the logs as well and still provide meaningful information.

    As a side-note, I have been following your blog for quite some time and your info on ossec is really what pushed me forward to using it full-time.

  2. Hello Josh,

    Thanks for stopping by and for the kind words. I have seen Graylog2 and it does look nice. I guess it depends on what your needs are. Most of the log stuff I do is for an enterprise setting, so I have needs that others might not. I say “use whatever works!”

    Now that I know there are people out there who like my posts, I suppose I should keep the blog a bit more up-to-date. :)


  3. Walker Rowe says:

    But does ELSA Sphinx search have the same ability to string together commands with the | and then run stats on the search results, like count, max, stdev, … In other words can it do the transform operations? (I don’t want to call that analytics as that term means graph processing, etc., and not simple stats.)

    Also isn’t ELSA limited to syslog-ng input?

  4. Yes, ELSA has powerful transform capabilities. And no, it is not limited to just syslog-ng. You can query a database, for example, and index and archive the output of that query.

    Check out some of Martin’s older blog posts. They go into these in detail:

  5. Rob Burton says:

    Since Graylog2 was mentioned I thought I’d add a note on another centralized log management system too, which is NXLog – it’s highly scalable and provides high performance even when running on thousands of servers. If anyone’s interested it’s free and open source, check it out here:
