[syslog-ng] Blog post on ELSA

Martin Holste mcholste at gmail.com
Mon Mar 28 22:26:30 CEST 2011


I just put up an entry on my blog (http://ossectools.blogspot.com)
describing the Enterprise Log Search and Archive Project
(http://code.google.com/p/enterprise-log-search-and-archive) I've been
working on which uses Syslog-NG >= 3.1 and pattern-db at its core.
There are a lot of other open-source log collection frameworks out
there that are easier to install, such as Logzilla (php-syslog-ng),
but if you're trying to log > 1k messages/sec (common in large orgs)
and need something GPL licensed, installing ELSA will probably be
worth your while.  We're using it to index 15k messages/sec with basic
hardware.  It's currently storing tens of billions of logs, and
full-text, ad-hoc queries complete in about 1/2 to 2 seconds,
including group-by queries on arbitrary fields for reporting.  I put a
few screenshots and a feature list in the post.

The documentation is pretty basic right now, but I'm happy to assist
if you run into issues.

ELSA is also open to plugin creation, so if you find ELSA useful and
create plugins, please let me know and I can add them to the project.

Also, patterns for the pattern-db are more than welcome!  I've
included patterns for Cisco FWSM connections and denies, Snort logs,
Windows logs from Eventlog-to-Syslog as well as Snare, and URLs from
my httpry wrapper, which is available on the project site as well as
in the tarball/source code.

Comments and feedback are welcome!

Thanks,

Martin
