Tuesday, November 22, 2011

ELSA Beta Available


After two months of solid coding, I'm proud to announce that Enterprise Log Search and Archive (ELSA) is available in beta quality and ships with an auto-installer for many Linux systems. The backend and query code have been rewritten from the ground up with many enhancements. Most importantly, query speed is an order of magnitude faster in many cases, and you can now report on string fields like any other field. The query interface has been streamlined, along with other interface changes.


The rewrite focused on making the platform more robust by removing many moving parts and streamlining a lot of background processes. The result is agentless, fully independent log nodes which do not need to communicate with any other nodes. This allows for easy distribution of nodes in customer sites. In fact, the nodes can be accessed from as many different web frontends as you like, as they are nothing more than a MySQL query interface to external clients, so customers can have their own interface if they prefer. The web server now handles asynchronously parallelizing queries and aggregating the results, which has improved performance and reliability.

I've also added parsers and classes for the major Bro IDS logs, so ELSA is now a viable frontend for Bro. Below is a screenshot of a source IP address with a report by DNS hostname lookup. This search covered several billion logs and returned in less than a second.
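To make the node/frontend split described above concrete, here is an added example (not ELSA's own code) of the pattern: each log node is modelled as a private in-memory SQLite database standing in for the per-node MySQL query interface, and the frontend fans one query out to every node in parallel and sums the per-node group-by counts to produce a "report by DNS hostname for a source IP". The table schema, column names and sample rows are constructed for the illustration and are not ELSA's schema.

```python
"""Fan-out/aggregate query across independent log nodes.

Added illustration, not ELSA's own code. Each node is a separate SQLite
connection (stand-in for a per-node MySQL interface); the frontend runs the
same SQL against every node concurrently and merges the partial results.
"""
import sqlite3
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

# Constructed sample rows (timestamp, source IP, queried hostname) per node,
# as if parsed from DNS logs. Column names are assumptions for this example.
NODE_DATA = {
    "node-a": [
        (1321920000, "10.0.0.5", "example.com"),
        (1321920001, "10.0.0.5", "update.example.net"),
        (1321920002, "10.0.0.9", "example.com"),
    ],
    "node-b": [
        (1321920003, "10.0.0.5", "example.com"),
        (1321920004, "10.0.0.5", "cdn.example.org"),
    ],
    "node-c": [
        (1321920005, "10.0.0.7", "example.com"),
    ],
}


def build_node(rows):
    """Create one independent log node: its own database and its own table."""
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE logs (ts INTEGER, srcip TEXT, hostname TEXT)")
    conn.executemany("INSERT INTO logs VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


NODES = {name: build_node(rows) for name, rows in NODE_DATA.items()}


def query_node(conn, srcip):
    """Per-node part of the report: hostname counts for one source IP.
    The node only answers SQL; it has no knowledge of the other nodes."""
    cur = conn.execute(
        "SELECT hostname, COUNT(*) FROM logs WHERE srcip = ? GROUP BY hostname",
        (srcip,),
    )
    return dict(cur.fetchall())


def report_by_hostname(srcip, nodes=NODES, timeout=5.0):
    """Frontend side: fan the query out to all nodes in parallel, then sum
    the partial group-by counts. A node that errors or times out is listed
    in the second return value instead of being silently dropped, so the
    reader can tell a complete answer from a partial one."""
    merged = Counter()
    failed = []
    with ThreadPoolExecutor(max_workers=len(nodes)) as pool:
        futures = {pool.submit(query_node, conn, srcip): name
                   for name, conn in nodes.items()}
        for fut, name in futures.items():
            try:
                merged.update(fut.result(timeout=timeout))
            except Exception as exc:  # unreachable node, bad schema, timeout
                failed.append((name, repr(exc)))
    return dict(merged.most_common()), failed


if __name__ == "__main__":
    counts, failed = report_by_hostname("10.0.0.5")
    print("hostnames queried by 10.0.0.5:", counts)
    print("nodes that failed:", failed)
```

Because every node is queried with identical SQL and returns only a small group-by result, the frontend's work is limited to merging, which is what lets the node count grow without the nodes having to know about each other.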

There are many more features, and I will refer interested readers to the new documentation. I'm very interested in any issues encountered during install and operation, so please let me know if you run into any; you may also file a bug report on the project page.