The new auto-installer script is working well enough that I think most
people should be able to get the beta of ELSA installed now. I put up
a short post with the details and screenshots on my blog here:
http://ossectools.blogspot.com/2011/11/elsa-beta-available.html . From
the project page
(http://code.google.com/p/enterprise-log-search-and-archive/):
Features:
* High-volume receiving/indexing (a single node can receive > 30k logs/sec, sustained)
* Full Active Directory/LDAP integration for authentication, authorization, email settings
* Instant ad-hoc reports/graphs on arbitrary queries even on enormous data sets
* Email alerting, scheduled reports
* Plugin architecture for web interface
* Distributed architecture for clusters
* Ships with normalization for some Cisco logs, Snort/Suricata, Bro, and Windows via Eventlog-to-Syslog or Snare
As shown at the workshop, if you install StreamDB
(streamdb.googlecode.com) and note its URL in the web config, you can
get instant access to any traffic referred to in a Bro log in two
clicks via the "Info" link next to each log entry displayed in a
search.
There is also a command-line version which outputs tab-delimited lines
that you can pipe to other programs, similar to bro-cut.
Please let me know if you run into issues installing. Ubuntu,
openSUSE, and CentOS have been tested, but variations of those distros
should work fine. *BSD is also theoretically possible as all of the
underlying components can be compiled on *BSD, but it has not been
tested. If you try, let me know how it goes!