Frontend

Hey all!

So...I'm looking for SOMETHING that will allow me to parse and aggregate bro, snort, and firewall logs. I've looked at logstash, but the latest version seems poorly documented...everything that I wanted to try took ages to figure out. Anyone have anything that will accomplish something like this? Thanks all.

James

Hi James,

Have you considered ELSA?
https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation

Also see:
https://www.youtube.com/watch?v=33HZyIxbg6c&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe

splunk -)

And Security Onion uses Elsa to do the same thing. Elsa is just a moving target (changes a lot) but Martin is doing an awesome job fixing things, adding features and helping people out.

Elsa has the benefit of being free with no limits, vs splunk 500mb/day

Thanks for the ELSA recommendations all...giving it a look now.

James

Splunk on the commercial side, ELSA on the free side would be my suggestions without hearing more details about your environment or needs

On the free side you’re going to spend time setting them up and getting stuff configured… That’s the price of the open source log aggregation stuff out there…

Thanks Eric...something that lifts my spirits:

Plugins

ELSA ships with several plugins:

     Windows logs from Eventlog-to-Syslog
     Snort/Suricata logs
     Bro logs
     Url logs from httpry_logger

So THAT helps...I won't have to reinvent anything. Documentation looks pretty tasty as well, so let's hope it's not too much of a hassle. I'll report my success/failures here.

James

I think there are parsers for a couple of firewall vendors too. I would be open to helping ya get a parser written if there isn’t one for whatever firewall solution you’re using. ELSA’s a really neat project, so it’d be cool to help it out

Yup looks like plugins for a few different vendors have been written:
"By popular demand, I’ve added a number of new parsers to the ELSA repertoire to support parsing fields from the following devices:

  • Fortinet (URL, traffic)
  • Checkpoint
  • Palo Alto (URL, traffic)
  • Barracuda (scan, receive, send)
  • OSSEC Windows logs (automatically appears as class Windows)"

(from http://ossectools.blogspot.com/2012/02/new-elsa-log-parsers.html)
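Since the whole thread is about getting Bro, Snort and firewall logs into one place, here is an added example of the parse-and-normalise step, written for this page and not taken from ELSA or from anyone in the thread. It reads a constructed Bro conn.log and constructed Snort fast-alert lines into one common record shape and reports source hosts that show up in both; the sample data, field names and function names are assumptions of the example.

```python
import re
from collections import Counter

# Constructed Bro conn.log sample: tab-separated, the '#fields' header names the columns.
BRO_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n"
    "1332345678.123456\tCXWv6p3arKYeMETxOg\t192.168.1.5\t52394\t10.0.0.8\t80\ttcp\thttp\tSF\n"
    "1332345690.001000\tCsTr2yJbfx4wQxrYq\t192.168.1.5\t52401\t10.0.0.8\t22\ttcp\tssh\tS0\n"
    "1332345700.500000\tCkQy7N1HdAzHfe6Nbd\t192.168.1.9\t41002\t10.0.0.8\t53\tudp\tdns\tSF\n"
)
# Constructed Snort 'fast' alert sample (one alert per line).
SNORT_FAST_LOG = (
    "03/21-15:01:18.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.8:80 -> 192.168.1.5:52394\n"
    "03/21-15:01:30.000100  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:52401 -> 10.0.0.8:22\n"
)
SNORT_FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

def parse_bro_conn(text):
    """Yield normalised records from Bro conn.log text; the #fields header supplies the schema."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):  # skip #types/#close headers and blank lines
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("row does not match #fields header: %r" % line)
            rec = dict(zip(fields, values))
            yield {"log": "bro", "src": rec["id.orig_h"], "dst": rec["id.resp_h"],
                   "dport": int(rec["id.resp_p"]), "detail": rec["service"]}

def parse_snort_fast(text):
    """Yield normalised records from Snort fast-alert lines; lines that do not match are skipped."""
    for line in text.splitlines():
        m = SNORT_FAST_RE.match(line)
        if m:  # ports are optional in the pattern so ICMP alerts (no port) still parse
            yield {"log": "snort", "src": m["src"], "dst": m["dst"], "sid": int(m["sid"]),
                   "dport": int(m["dport"] or 0), "detail": m["msg"]}

def correlate(records):
    """Source hosts seen in more than one log type, with per-log event counts."""
    per_host = {}
    for r in records:
        per_host.setdefault(r["src"], Counter())[r["log"]] += 1
    return {h: dict(c) for h, c in per_host.items() if len(c) > 1}
```

On the sample data, `correlate` reports 192.168.1.5 with two Bro connections and one Snort alert; a firewall parser that emits the same `log`/`src`/`dst` keys would slot into the same aggregation.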