Saturday, February 25, 2012

New ELSA Log Parsers

ELSA is growing!

By popular demand, I've added a number of new parsers to the ELSA repertoire to support parsing fields from the following devices:
 - Fortinet (URL, traffic)
 - Checkpoint
 - Palo Alto (URL, traffic)
 - Barracuda (scan, receive, send)
 - OSSEC Windows logs (these automatically appear under the Windows class)

Parsed logs will have their fields available for ad-hoc reporting and for transforms.  For instance, now that srcip and dstip are extracted from these logs, the whois or cif transform can be run against them.
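To show what "fields available for transforms" means in practice, here is an added example (written for this post, not ELSA's own parser code). It parses the space-separated key=value style that Fortinet traffic logs and Check Point syslog exports use, normalizes vendor field names to the generic srcip/dstip names a transform expects, and then runs an offline stand-in for a whois/cif transform that classifies each address. The sample lines, the exact vendor field names and the src/dst mapping are assumptions, not copied from ELSA's parser definitions.

```python
import ipaddress
import re

# Constructed sample lines written for this example. They imitate the
# space-separated key=value style of FortiGate traffic logs and Check Point
# syslog exports; field names vary by version and are an assumption here.
KV_SAMPLES = {
    "fortinet": ('date=2012-02-25 time=10:15:32 devname=FG100 type=traffic subtype=forward '
                 'level=notice srcip=10.1.1.5 srcport=51234 dstip=93.184.216.34 dstport=443 '
                 'proto=6 action=accept policyid=3 msg="Traffic allowed by policy \\"web-out\\""'),
    "checkpoint": ('src=172.16.4.9 dst=8.8.8.8 proto=tcp service=53 action=drop rule=12 '
                   'product="VPN-1 & FireWall-1"'),
}

# key=value pairs; the value is either a double-quoted string (which may contain
# spaces and backslash-escaped quotes) or a run of non-space characters
KV_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')

# Vendor field name -> generic name exposed to reports and transforms.
# Fortinet already uses srcip/dstip; the Check Point src/dst mapping is assumed.
FIELD_MAP = {"src": "srcip", "dst": "dstip", "sport": "srcport", "dport": "dstport"}


def parse_kv(line):
    """Extract key=value pairs, unquoting values and normalizing field names."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, val = m.group("key"), m.group("val")
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[FIELD_MAP.get(key, key)] = val
    return fields


def scope_transform(fields):
    """Offline stand-in for a whois/cif transform: classify each IP field.

    Fields that do not hold a valid address are skipped rather than raising,
    so one malformed log line cannot abort a batch of transforms.
    """
    out = {}
    for key in ("srcip", "dstip"):
        raw = fields.get(key)
        if raw is None:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if addr.is_private:
            out[key + "_scope"] = "private"
        elif addr.is_reserved or addr.is_multicast:
            out[key + "_scope"] = "reserved"
        else:
            out[key + "_scope"] = "public"
    return out


def parse_and_transform(line):
    """Parse one line and append the transform's derived fields to it."""
    fields = parse_kv(line)
    fields.update(scope_transform(fields))
    return fields


if __name__ == "__main__":
    for name, line in KV_SAMPLES.items():
        print(name, parse_and_transform(line))
```

The point of the FIELD_MAP step is that a transform only has to know one field name: once Check Point's src and Fortinet's srcip both land in srcip, the same whois or cif lookup serves both device classes.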

In order to use these classes, you will need to uncomment the class definitions in the node/conf/schema.sql file and run the INSERT statements for those classes yourself.  They are commented out by default so that those of us who do not have these devices do not end up with a cluttered menu.  In the future, I'm hoping to have a much nicer way of administering which classes are visible.

I've also added an updated syslog-ng.conf file which should handle Cisco device logs much better, given the varied timestamp formats those devices send.
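The varied timestamps are the part that usually trips up a parser, so here is an added example (my own illustration, not the updated syslog-ng.conf or any ELSA code) of a parser that accepts the common IOS and ASA header variants: an optional sequence number, the "*" and "." clock markers, timestamps with or without the year, milliseconds and zone name, uptime stamps instead of wall-clock time, and no timestamp at all. The sample lines are constructed for this example, and the meaning assigned to the "*" (clock not authoritative) and "." (NTP not yet synchronised) markers follows Cisco's documented behaviour for service timestamps.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines written for this example (not from a real device or
# from the ELSA project). Together they cover the common IOS/ASA header variants.
CISCO_SAMPLES = [
    # sequence number, '*' marker (clock not authoritative), milliseconds, no year
    "<189>123: *Feb 25 12:00:00.123: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.1)",
    # year and timezone name present
    "<189>Feb 25 2012 12:00:00 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    # uptime instead of wall-clock time
    "<189>00:01:23: %SYS-5-RESTART: System restarted",
    # '.' marker: NTP configured but not synchronised
    "<189>000124: .Feb 25 12:00:01: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(51234) -> 93.184.216.34(23), 1 packet",
    # ASA style: year, no marker, no sequence number, numeric message id
    "<166>Feb 25 2012 12:00:02: %ASA-6-302013: Built outbound TCP connection 4242 for outside:93.184.216.34/443 to inside:10.1.1.5/51234",
    # no timestamp at all
    "<189>%SYS-5-CONFIG_I: Configured from memory by console",
]

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# '*' = clock never set / not authoritative, '.' = NTP configured but unsynced
CLOCK_FLAGS = {"*": "not_authoritative", ".": "ntp_unsynced"}

HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                        # optional syslog PRI
    r"(?:(?P<seq>\d+):\s*)?"                            # optional sequence number
    r"(?P<mark>[*.])?"                                  # optional clock marker
    r"(?:"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})"        # wall-clock: month day
    r"(?:\s+(?P<year>\d{4}))?"                          #   optional year
    r"\s+(?P<hh>\d{2}):(?P<mi>\d{2}):(?P<ss>\d{2})"      #   time
    r"(?:\.(?P<ms>\d{1,3}))?"                           #   optional milliseconds
    r"(?:\s+(?P<tz>[A-Z]{3,5}))?"                       #   optional zone name
    r"|(?P<uptime>(?:\d+[wdhms])+|\d{2}:\d{2}:\d{2})"   # or an uptime stamp
    r")?"
    r"(?::\s*)?"                                        # ':' that ends the stamp
    r"(?P<rest>%.*)$"                                   # %FACILITY-SEV-MNEMONIC: text
)

MNEMONIC_RE = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def build_timestamp(g, default_year):
    """Turn the matched date groups into a datetime; None for uptime/no stamp."""
    if not g["mon"]:
        return None
    year = int(g["year"]) if g["year"] else default_year      # IOS omits the year by default
    micros = int(g["ms"].ljust(3, "0")) * 1000 if g["ms"] else 0
    tz = timezone.utc if g["tz"] in ("UTC", "GMT") else None  # other zone names stay naive
    return datetime(year, MONTHS[g["mon"]], int(g["day"]),
                    int(g["hh"]), int(g["mi"]), int(g["ss"]), micros, tzinfo=tz)


def parse_cisco_line(line, default_year=2012):
    """Parse one Cisco syslog line into a flat dict of fields.

    Returns None when the line carries no %FACILITY-SEV-MNEMONIC body, so a
    caller can route it to a generic class instead of silently dropping it.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    body = MNEMONIC_RE.match(g["rest"])
    return {
        "pri": int(g["pri"]) if g["pri"] else None,
        "seq": int(g["seq"]) if g["seq"] else None,
        "clock": CLOCK_FLAGS.get(g["mark"], "authoritative") if g["mon"] else None,
        "timestamp": build_timestamp(g, default_year),
        "uptime": g["uptime"],
        "tz": g["tz"],
        "facility": body["facility"] if body else None,
        "severity": int(body["severity"]) if body else None,
        "mnemonic": body["mnemonic"] if body else None,
        "text": body["text"] if body else g["rest"],
    }


if __name__ == "__main__":
    for line in CISCO_SAMPLES:
        r = parse_cisco_line(line)
        print(r["timestamp"], r["uptime"], r["clock"], r["facility"], r["severity"], r["mnemonic"])
```

Two things worth keeping from this even if you parse with syslog-ng's pattern database instead: the year is usually missing and has to be supplied by the receiver, and a "*" or "." marker (or an uptime stamp) tells you the device's own clock cannot be trusted, which matters when you later correlate these events against other sources by time.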

Lastly, I've updated the ELSA online documentation to show how to create your own parsers.

As always, if you have any questions or problems with ELSA, please let us know on the ELSA mailing list.