Hey all!

So...I'm looking for SOMETHING that will allow me to parse and aggregate bro, snort, and firewall logs. I've looked at logstash, but the latest version seems poorly documented...everything that I wanted to try took ages to figure out. Anyone have anything that will accomplish something like this? Thanks all.


Hi James,

Have you considered ELSA?

Also see:

splunk -)

And Security onion uses Elsa to do the same thing. Elsa is just a
moving target (changes a lot) but Martin is doing an awesome job
fixing things, adding features and helping people out.

Elsa has the benefit of being free with no limits, vs splunk 500mb/day

Thanks for the ELSA recommendations it a look now.


Splunk on the commercial side, ELSA on the free side would be my suggestions without hearing more details about your environment or needs

On the free side you’re going to spend time setting them up and getting stuff configured… That’s the price of the open source log aggregation stuff out there…

Thanks Eric...something that lifts my spirits:


ELSA ships with several plugins:

     Windows logs from Eventlog-to-Syslog
     Snort/Suricata logs
     Bro logs
     Url logs from httpry_logger

So THAT helps...I won't have to reinvent anything. Documentation looks pretty tasty as well, so let's hope it's not too much of a hassle. I'll report my success/failures here.


I think there are parsers for a couple of firewall vendors too. I would be open to helping ya get a parser written if there isn’t one for whatever firewall solution you’re using. ELSA’s a really neat project, so it’d be cool to help it out

Yup looks like plugins for a few different vendors have been written:
" By popular demand, I’ve added a number of new parsers to the ELSA repertoire to support parsing fields from the following devices:

  • Fortinet (URL, traffic)
  • Checkpoint
  • Palo Alto (URL, traffic)
  • Barracuda (scan, receive, send)
  • OSSEC Windows logs (automatically appears as class Windows)"