ELSA(全稱:Enterprise Log Search and Archive)是一款基於syslog-ng(新一代日誌收集器,但目前多數Linux發行版都不自帶此工具)和MySQL的開源企業級日誌歸檔查詢工具。因爲它與Sphinx的完美搭配,支持全文索引,可以像搜索Web一樣輕鬆地在上億條日誌中搜索任意字符串(前提是你的服務器配置足夠高)。單節點ELSA日誌採集系統的工作原理圖如下所示:
從上面這張架構圖可以看出,ELSA在架構上分爲三層:
日誌接收器,由syslog-ng完成,負責接收來自本地、網絡以及導入的日誌文件;
日誌存儲與索引,存儲由MySQL數據庫完成,索引由Sphinx完成;
Web前端。
ELSA利用syslog-ng的pattern-db解析器進行高效的日誌規範化,並利用Sphinx全文索引進行日誌搜索。系統內部API將查詢結果彙總後發送給客戶端;整個系統異步執行,可以同時運行多個查詢。接收器syslog-ng在接收日誌時並沒有進行額外的歸一化處理(可類比OSSIM-Agent插件),因此日誌的正則表達式計算量不大,能在syslog-ng中保持很高的日誌接收率。系統大部分由Perl腳本組成,MySQL每秒可插入100K行數據。Sphinx爲新插入的行建立索引,每2小時重新建立一次永久索引。整個系統在最大效率下每秒可以處理100K條日誌。
如果你具有ELK實戰經驗,可以把ELSA理解爲簡版的ELK系統,結構簡單、速度快。安裝比較簡單(感興趣的朋友可以在基於Debian(包括Ubuntu)的系統上測試,安裝tar包可在ELSA的Google Code主頁上獲取),這裏就不再介紹,下面直接切入正題。
我們可以採用Eventlog-to-Syslog工具將Windows平臺的日誌發送到ELSA服務器。
方法:
將evtsys.exe和evtsys.dll複製到系統目錄下,然後輸入下面的命令:
evtsys.exe -i -h ELSA服務器的IP
日誌將通過syslog協議發送到您的ELSA服務器,在服務器端,這些日誌將由「WINDOWS」類的正則表達式進行解析。
Linux/Unix系統都有rsyslog或syslogd進程,在其配置文件中加入下面的配置即可:
*.* @ELSA服務器IP
ELSA的主要配置文件是/etc/elsa_node.conf,內容如下:
{
"database" : { "db": "syslog", "data_db": "syslog_data", "dsn" : "dbi:mysql:database=syslog", "username" : "elsa", "password" : "biglog" },
// 系統協調鎖的目錄
"lockfile_dir": "/opt/elsa/node/tmp/locks",
"num_indexes": 200,
//如果要歸檔日誌,請保留此項
"archive": {
#"days": 90, "percentage": 33, "table_size": 10000000 }, //日誌大小限制+索引大小。設置爲磁盤總空間的95-90%。 "log_size_limit" : 8000000000, "sphinx" : { "indexer": "/usr/bin/indexer", "allowed_temp_percent" : 40, "allowed_mem_percent": 25 "host" : "127.0.0.1", "port" : 9312, "mysql_port" : 9306, "config_file" : "/etc/sphinxsearch/sphinx.conf", "index_path" : "/nsm/elsa/data/sphinx", "index_interval" : 60, "perm_index_size" : 10000000, # Where the optional stopwords file is "stopwords": { "file": "/etc/sphinxsearch/sphinx_stopwords.txt", "top_n": 0, "interval": 0, "whitelist": [] }, "pid_file": "/var/run/sphinxsearch/searchd.pid" }, "logdir" : "/nsm/elsa/data/elsa/log", "mysql_dir": "/nsm/elsa/data/elsa/mysql", "num_log_readers" : 1, #調試跟蹤級別 "debug_level" : "TRACE", "buffer_dir" : "/nsm/elsa/data/elsa/tmp/buffers/", "log_parse_errors": 1, "stats" : { "retention_days": 365 }, "min_expected_hosts": 2
}
ELSA的Web配置文件是/etc/elsa_web.conf,內容如下:
{
#定義API密鑰(注意:本文示例中的apikey、數據庫密碼和link_key均爲示例值,正式部署時應替換爲隨機生成的值並妥善保管)
"apikeys": {
"elsa": "b7292980d34c99e2581d36681831667b"
},
"version": {
"Author": "mcholste",
"Date": "2014-07-17 15:12:58 -0700 (Thu, 17 Jul 2014)",
"Rev": "1205",
"Sphinx": "Sphinx 2.1.9"
},
"peers": {
"127.0.0.1": {
"url": "http://127.0.0.1:3154/",
"username": "elsa",
"apikey": "b7292980d34c99e2581d36681831667b"
}
},
"admin_email_address": "root@localhost",
"connectors": {
},
"dashboards": {
},
"datasources": {
},
"transforms": {
"whois": {
"known_subnets": {
"10.0.0.0": {
"end": "10.255.255.255",
"org": "MyOrg"
},
"192.168.0.0": {
"end": "192.168.255.255",
"org": "MyOrg"
},
"172.16.0.0": {
"end": "172.31.255.255",
"org": "MyOrg"
}
},
"known_orgs": {
"MyOrg": {
"name": "MyOrg",
"org": "MyOrg",
"descr": "MyOrg",
"cc": "US",
"country": "United States",
"city": "Anytown",
"state": "Somestate"
}
}
},
"parse": {
"tld": [
{
"field": "domain",
"pattern": "\.([a-zA-Z]+)$",
"extractions": [
"tld"
]
},
{
"field": "site",
"pattern": "\.([a-zA-Z]+)$",
"extractions": [
"tld"
]
},
{
"field": "uri",
"pattern": "\.([a-zA-Z]+)(:|/|$)",
"extractions": [
"tld"
]
}
],
"url": [
{
"field": "uri",
"pattern": "(?:(?<proto>[a-zA-Z]+)://)?(?:(?<username>[^/]+):(?<password>[^/]+)@)?(?<domain>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|[^/]+\.(?<tld>[a-zA-Z]+))(?::(?<port>\d+))?(?<resource>/[^?])?(?:\?(?<query_string>.))?$",
"extractions": [
"proto",
"username",
"password",
"domain",
"tld",
"port",
"resource",
"querystring"
]
}
],
"mimetype": [
{
"field": "msg",
"pattern": "[\"'\(\[\s\|;:](?<mime>(?<type>application|audio|chemical|image|message|model|multipart|text|video)/(?<subtype>[\w-]+))[\"'\)\]\s\|;:]",
"extractions": [
"mime",
"type",
"subtype"
]
}
]
}
},
"plugins": {
"SNORT": "Info::Snort",
"WINDOWS": "Info::Windows",
"URL": "Info::Url",
"BRO_NOTICE": "Info::Bro"
},
"info": {
"snort": {
"url_templates": [
"http://doc.emergingthreats.net/bin/view/Main/%d"
]
},
"url": {
"url_templates": [
"http://whois.domaintools.com/%s"
]
},
"windows": {
"url_templates": [
"http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=%d"
]
}
},
"max_concurrent_archive_queries": 4,
"schedule_interval": 60,
"node_info_cache_timeout": 60,
"email": {
"display_address": "noreply-elsa@example.com",
"base_url": "http://elsa/",
"subject": "ELSA Alert"
},
"link_key": "secret",
"yui": {
"local": "inc"
},
"data_db": {
"db": "syslog",
"username": "elsa",
"password": "biglog"
},
"meta_db": {
"dsn": "dbi:mysql:database=elsa_web",
"username": "elsa",
"password": "biglog"
},
"auth": {
"method": "security_onion"
},
"admin_groups": [
"system",
"admin"
],
"auth_db": {
"dsn": "dbi:mysql:database=securityonion_db",
"username": "root",
"password": "",
"auth_statement": "SELECT PASSWORD(password) FROM user_info WHERE username=?",
"email_statement": "SELECT email FROM user_info WHERE username=?"
},
"peer_id_multiplier": 1000000000000,
"query_timeout": 55,
"pcap_url": "/capme",
"logdir": "/nsm/elsa/data/elsa/log",
"buffer_dir": "/nsm/elsa/data/elsa/tmp/buffers",
"debug_level": "TRACE",
"default_start_time_offset": 2,
"livetail": {
"poll_interval": 5,
"time_limit": 3600
}
}
下面着重展示ELSA軟件的幾個重點功能。
1.鏈接數 Top N
2.動態儀表盤展現
動態展示單位時間內處理的日誌數量、查詢量、採集主機的地址以及日誌類型等參數。
3.查詢日誌詳細信息
我們在Field Summary(字段摘要)中可以看到這些日誌有15個字段(主機IP、進程名稱、源地址、源端口、目的地址、目的端口、協議類型、輸入字節數量、服務類型、持續時間、輸出字節、輸入數據包數量、輸出數據包數量、國家代碼等),每個字段後面是其出現的次數,各個字段之間通過「|」符號分隔。
4.查詢ossec日誌信息
5.偵測到針對MySQL 3306端口的掃描報警日誌信息
6.端口掃描報警日誌信息
7.Ping報警日誌信息
有關日誌分析的更多話題,大家可以閱讀暢銷書《Unix/Linux網絡日誌分析與流量監控》。