Friday, August 17, 2012

ELSA Gets Dashboards

Tactical searching, reporting, and alerting are the most important parts of security monitoring, but sometimes a big-picture look at what's going on is necessary (especially for management).  In keeping with most security tools out there, ELSA now has easy-to-use dashboards which display live data from any ELSA query in a format that's easy to view securely as well as easy to edit.  Here's a Snort dashboard that ships with ELSA in the contrib/dashboards folder:


Creating dashboards is as easy as clicking on the "Results..." button after running a query and choosing "Add to dashboard" (assuming you've created one already).

Any query can be added, and by default the charted value will be that query over time.  Once you've added queries, you can edit the charts on the dashboard as much as needed using the built-in Google Visualizations editor:

You can also add and remove queries that are used as the basis for the axis data:

Here's the completed Bro IDS dashboard:

Dashboards are easy to manage, too.  They can be assigned different levels of authorization for viewing, from none ("Public"), to authenticated users, to specific groups which match the rest of the ELSA authorization system.

The dashboard layout itself can be easily edited and changes appear live as you work, so it's easy to throw together any dashboard in less than a minute.

Sharing Dashboards

Best of all, dashboards are a breeze to export and import.  Exported dashboards are just JSON text, and importing is a simple matter of pasting the JSON text into the "Create" import form field.  This means that it's easy for members of the security community to contribute back metrics that they find helpful.  If you've got a dashboard that's working for you, post it to the ELSA mailing list!  I'll include them in the contrib/dashboards folder for others to use.
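Since a contributed dashboard is JSON that you paste into your own ELSA instance and then render for other users (possibly at the "Public" authorization level), it is worth reading what it contains before importing it.  The script below is an added example, not part of ELSA or this post: it parses an export strictly, walks the whole document without assuming any particular dashboard schema, lists every string value with its path so you can eyeball the queries and labels a contributor included, and flags strings that carry HTML markup or control characters, which have no business in a plain query or chart label.  The sample export is constructed for the example, and its key names ("title", "charts", "label", "query") are assumptions, not ELSA's actual export format.

```python
import json
import re

# Constructed sample export for this example. The key names are assumed and
# do not reflect ELSA's real dashboard JSON schema; the walker below does not
# depend on them.
SAMPLE_EXPORT = r'''{
  "title": "Contributed Snort dashboard",
  "charts": [
    {"label": "Alerts over time", "query": "class=SNORT groupby:priority"},
    {"label": "<b>Top signatures</b>", "query": "class=SNORT groupby:sig_msg"}
  ]
}'''

# Anything that looks like the start of an HTML tag, or a C0 control
# character other than tab/newline/CR. json.loads already rejects raw
# control bytes in the source text, but escaped forms such as "\u0000"
# decode into the string unchanged, so they are checked here.
SUSPICIOUS = re.compile(r"<[a-zA-Z/!]|[\x00-\x08\x0b\x0c\x0e-\x1f]")


def walk_strings(node, path="$"):
    """Yield (json_path, value) for every string leaf in a parsed document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    # numbers, booleans and null carry nothing a renderer would display


def review_export(text):
    """Parse an exported dashboard and return (strings, findings).

    strings  -- list of (path, value) for every string in the document,
                or None if the text is not a JSON object at all
    findings -- human-readable problems; empty means nothing was flagged
    """
    try:
        doc = json.loads(text)          # strict=True by default
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return None, ["top level is not a JSON object"]
    strings = list(walk_strings(doc))
    findings = [f"{path}: {value!r}"
                for path, value in strings if SUSPICIOUS.search(value)]
    return strings, findings


if __name__ == "__main__":
    strings, findings = review_export(SAMPLE_EXPORT)
    print("String values in the export (review the queries before importing):")
    for path, value in strings or []:
        print(f"  {path} = {value!r}")
    if findings:
        print("Flagged for review:")
        for item in findings:
            print(f"  {item}")
    else:
        print("Nothing flagged.")
```

Run it against a pasted export before you import it; the point of listing every string, rather than only the flagged ones, is that the queries themselves are what a contributed dashboard will execute against your logs, and those deserve a human read regardless of whether anything matched the regex.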