brianhaddock / enterprise-log-search-and-archive
Automatically exported from code.google.com/p/enterprise-log-search-and-archive
I believe this:
INSERT INTO classes (class_id, class) VALUES (10000, "NEWCLASS");
Should be this:
INSERT INTO classes (id, class) VALUES (10000, "NEWCLASS");
Original issue reported on code.google.com by [email protected]
on 6 Jun 2012 at 1:32
*What steps will reproduce the problem?*
1. Install ELSA
2. Set local YUI :
"yui" : {
"local" : "inc/combo.js",
"version" : "2.8.1",
"modifier" : ""
},
*What is the expected output? What do you see instead?*
Working web interface.
404 error with these files:
http://host/inc/combo.jsyui-2.8.1.css
http://host/inc/combo.jsyui-2.8.1.js
*What version of the product are you using? On what operating system?*
trunk svn
*Please provide any additional information below.*
Web interface used in an isolated network (no internet access).
Original issue reported on code.google.com by [email protected]
on 25 May 2012 at 5:32
Attachments:
From the Web UI, I can search for "1" and see a specific record, for which the
program field is something like: "%cdp-3-updown".
My problem (maybe I am going about it the wrong way) is that I can search for
the keyword 'up' or 'down' but never 'updown' or 'up +down'. The first two
searches return results; however, the last two return nothing.
How can I troubleshoot this problem?
Thanks.
Original issue reported on code.google.com by [email protected]
on 5 Mar 2012 at 11:52
What steps will reproduce the problem?
1. Install Ubuntu 12.04 with default setup + SSHD
2. Install ELSA using install.sh script
3. Error in installation
error:
----QUOTE----
--> Working on Geo::IP
Fetching http://www.cpan.org/authors/id/B/BO/BORISZ/Geo-IP-1.40.tar.gz ... OK
Configuring Geo-IP-1.40 ... N/A
! Configure failed for Geo-IP-1.40. See /home/testuser/.cpanm/build.log for
details.
Retry 3
build_web_perl FAIL
----ENDQUOTE----
in build.log
----QUOTE----
Configuring Geo-IP-1.40
Running Makefile.PL
The GeoIP CAPI is not installed you should do that. Otherwise try
perl Makefile.PL PP=1
to install this module anyway. It uses a slower pure perl version
and you can rebuid it later.
GeoIP must be installed prior to building Geo::IP and I can't find
it in the standard library directories. You can download GeoIP C API from:
http://www.maxmind.com/app/c
If GeoIP is installed, but in a non-standard directory, then use the
following options to Makefile.PL:
perl Makefile.PL LIBS='-L/home/me/lib' INC='-I/home/me/include'
Note that if you build against a shareable library in a non-standard location
you may (on some platforms) also have to set your LD_LIBRARY_PATH environment
variable at run time for perl to find the library.
If you installed the GeoIP C libraries to the /usr/local/lib directory,
then you may need to add /usr/local/lib to /etc/ld.so.conf then run
/sbin/ldconfig /etc/ld.so.conf
----ENDQUOTE----
After installing package "libgeoip-dev", the web module installed correctly.
PATCH:
In install.sh, function ubuntu_get_web_packages, add package to the list.
I guess other Linux distros may have the same issue. Unable to test.
Original issue reported on code.google.com by [email protected]
on 31 May 2012 at 12:37
What steps will reproduce the problem?
1. Query "Application Name: - Network Information"
What is the expected output? What do you see instead?
I expect a search containing everything within the quotation marks. However,
the query box loses the '-' and the query returns nothing.
What version of the product are you using? On what operating system?
OS: Red Hat Enterprise 6
Please provide any additional information below.
Replacing the - with a + or other symbols I've tried won't produce this result.
I'm using this query to find entries that contain no Application Name, which
are listed in a general query of eventID 5152 from SNARE data.
Original issue reported on code.google.com by [email protected]
on 16 Jul 2012 at 8:34
This is more of a nice-to-have than anything else. It would be useful to have
an icon or drop-down of some sort next to the "From" and "To" fields in order
to select a date and maybe time.
Original issue reported on code.google.com by [email protected]
on 29 May 2012 at 10:26
What steps will reproduce the problem?
We standardize on OpenSuse - the quick installer script is NOT working in our
environment.
1. I build appliance using http://www.susestudio.com - where selected the base
OS with the following packages ONLY
Patterns: NIL
Packages:
bootsplash, ethtool, glibc-locale, grub, hwinfo, iputils,
kernel-default, netcfg, net-tools, openssh, SuSEfirewall2,
syslog-ng, sysvinit, tcpdump, telnet, vim, yast2-firewall,
yast2-firstboot, yast2-ncurses, zypper
- I am trying to install ALL-In-One (both node and web) in the same machine to
try out. The script errors out during syslog related configuration (or) mysql.
- whereas your script is working properly on Ubuntu w/o error.
Can you help?
1. While building the appliance, what packages are required for ELSA to work as
NODE / WEB / NODE & WEB?
I am building an OpenSuse 12.1 appliance with the above packages alone selected.
Original issue reported on code.google.com by [email protected]
on 9 Jul 2012 at 6:26
What steps will reproduce the problem?
1. Search for class=none
2. Date Range 2 days ago within one hour (i.e. 2012-04-25 15:50:20 to 2012-04-25
16:50:20)
What is the expected output?
Thousands of Rows
What do you see instead?
0 rows
What version of the product are you using?
SVN checkout of ELSA.
syslog-ng 3.3.5
On what operating system?
Debian Squeeze
Please provide any additional information below.
apache2/error log
Use of uninitialized value in addition (+) at
/srv/syslogdata/elsa/web/lib/API.pm line 2692.
web.log
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/Web.pm (102)
Web::_extract_method 32699 [undef]
uri:
/Query/query?q=%7B%22query_string%22%3A%22%20class%3Dnone%22%2C%22query_meta_params%22%3A%7B%22end%22%3A1335361820.838%2C%22start%22%3A1335358220.837%7D%7D
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/Web/Query.pm (19)
Web::Query::call 32699 [undef]
method: query
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2198)
API::query 32699 [undef]
Decoded as : $VAR1 = {
'query_meta_params' => {
'start' => '1335358220.837',
'end' => '1335361820.838'
},
'query_string' => ' class=none'
};
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2266)
API::query 32699 [undef]
Received query with qid 1015 at 1335532165.89763
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2831)
API::_parse_query_string 32699 [undef]
orig_parsed_query: $VAR1 = {
'' => [
{
'value' => 'none',
'op' => '=',
'field' => 'class'
}
]
};
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3203)
API::_parse_query_term 32699 [undef]
terms: $VAR1 = {
'' => [
{
'value' => 'none',
'field' => 'class',
'op' => '='
}
]
};
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3271)
API::_parse_query_term 32699 [undef]
Set operator for given class none
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2861)
API::_parse_query_string 32699 [undef]
attr before conversion: $VAR1 = {
'or' => {},
'not' => {},
'and' => {}
};
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2952)
API::_parse_query_string 32699 [undef]
Permissions grant access to any host_id
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2952)
API::_parse_query_string 32699 [undef]
Permissions grant access to any program_id
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2952)
API::_parse_query_string 32699 [undef]
Permissions grant access to any node_id
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3093)
API::_parse_query_string 32699 [undef]
field_terms: $VAR1 = {
'or' => {},
'not' => {},
'and' => {}
};
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3094)
API::_parse_query_string 32699 [undef]
any_field_terms: $VAR1 = {
'or' => {},
'not' => {},
'and' => {}
};
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3145)
API::_parse_query_string 32699 [undef]
query_term_count: 1, num_added_terms: 0
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3158)
API::_parse_query_string 32699 [undef]
META_PARAMS: $VAR1 = {
'start' => '1335358220.837',
'end' => '1335361820.838'
};
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2486)
API::_sphinx_query 32699 [undef]
sphinx_query: SELECT *, 1 AS positive_qualifier, 0 AS negative_qualifier FROM
perm_120, perm_121 WHERE MATCH('') AND positive_qualifier=1 AND
negative_qualifier=0 AND class_id IN (?) AND timestamp BETWEEN ? AND ? LIMIT
?,? OPTION ranker=none, values: $VAR1 = [
'1',
1335358220,
1335361820
];
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2495)
API::__ANON__ 32699 [undef]
Sphinx query for node 127.0.0.1 finished in 0.0046238899230957
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2723)
API::_sphinx_query 32699 [undef]
completed query in 0.00582790374755859 with 0 rows
* INFO [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2321)
API::query 32699 [undef]
Query 1015 returned 0 rows
Original issue reported on code.google.com by [email protected]
on 27 Apr 2012 at 1:14
Is it possible to present a pie chart showing percentages when a query is
launched?
Original issue reported on code.google.com by [email protected]
on 14 Jun 2012 at 2:01
Add server-side config to load custom JS.
Original issue reported on code.google.com by [email protected]
on 18 Jul 2012 at 7:14
install.sh trunk downloaded morning of 2012-01-30, on RHEL6.2 x86_64.
What steps will reproduce the problem?
1. Start with patched RHEL6.2 x86_64
2. install.sh node
3. install.sh web
Sphinx compile says:
WARNING: source 'bte_content': xmlpipe2 support NOT compiled in. To use
xmlpipe2, install missing XML libraries, reconfigure, and rebuild Sphinx
cron.pl says:
Couldn't require Transform::DNSDB : Can't locate URL/Encode.pm, etc.
/var/log/httpd/error_log says:
Couldn't require Transform::DNSDB : Can't locate AnyEvent/HTTP.pm
Fixes:
yum -y install expat-devel (don't know if you actually rely on sphinx expat
support; if you don't, then you should probably add a --disable-feature to
squelch the warning)
install perl modules AnyEvent::HTTP Net::CIDR::Lite URL::Encode
Plack::Builder::Conditionals (the script only installed base Plack::Builder)
Original issue reported on code.google.com by [email protected]
on 30 Jan 2012 at 4:38
What steps will reproduce the problem?
This works: host:172.16.0.1 +class:url limit:1000
This returns 0 results: 172.16.0.1 +class:url limit:10000
In reality, there are 1,460,234 records for this time period.
What is the expected output? What do you see instead?
I would expect to see 10,000 results or to have the query batched.
What version of the product are you using? On what operating system?
Latest SVN as of a couple of days ago, OEL 6.2
Original issue reported on code.google.com by [email protected]
on 25 Jul 2012 at 2:42
What steps will reproduce the problem?
Not sure how to reproduce beyond my setup, but I have an archlinux server
running the elsa node instance, and an Ubuntu 12.04 server running the
webserver instance.
I have bro running on the node server, and bro flatfiles go into syslog go into
elsa
What is the expected output? What do you see instead?
When I run queries, I expect to get a response. Instead (no matter what start
or end dates I put) I get the error:
Invalid start or end: Wed Dec 31 19:00:00 1969 Wed Dec 31 19:00:00 1969 at
/usr/local/elsa/web/lib/Query.pm line 656.
What version of the product are you using? On what operating system?
Latest from SVN on Ubuntu 12.04 and archlinux
Please provide any additional information below.
Both systems' clocks are synchronized with ntp.
Original issue reported on code.google.com by [email protected]
on 6 Jul 2012 at 5:41
apache2 is deprecated; FreeBSD now uses apache22, and the install.sh script should
reflect that.
Original issue reported on code.google.com by [email protected]
on 20 Jun 2012 at 7:29
Is there a way to keep the original IP address from the forwarded syslog
messages?
I have configured the syslog-ng.conf file in /nodes/conf directory to include
an options {} parameter with the option of keep_hostname(yes) and
chain_hostname(no).
This doesn't seem to change anything in the ELSA database - Is there a better
way to do this or have I missed something?
Thanks.
Original issue reported on code.google.com by [email protected]
on 21 Mar 2012 at 11:12
I have a number of Fortinet FortiGate firewalls and would like to use this
system with their syslog output.
I tried to look at the patterndb.xml and was confused as to what needed to be
there to make this work.
Here are a couple of the log entries that need to be parsed:
Feb 10 11:27:01 logsource kernel: date=2012-02-10 time=11:27:01
devname=CUSTID01-SITEID-FW device_id=FG100C999999999 log_id=13312
subtype=ftgd_allow type=webfilter pri=notice vd=VDOM policyid=44 identidx=1
serial=369298248 user=USER group=AD/GROUP src=10.1.2.3 sport=2163 src_port=2163
src_int=INT dst=4.3.2.1 dport=80 dst_port=80 dst_int=WAN service=http
hostname=col.stb.s-msn.com profiletype=Webfilter_Profile profile=PROFILE
status=passthrough req_type=referral
url=/i/79/65F987C952BDA0E84AE52464ADD59.jpg method=domain class=0 cat=41
cat_desc="Search Engines and Portals" carrier_ep=N/A msg="URL belongs to an
allowed category in policy" class_desc=N/A profilegroup=N/A
Feb 10 11:27:01 logsource kernel: date=2012-02-10 time=11:27:01
devname=CUSTID01-SITEID-FW device_id=FGT80C9999999999 log_id=2 subtype=allowed
type=traffic pri=notice vd=VDOM dir_disp=org tran_disp=snat src=10.1.2.3
srcname=10.1.2.3 src_port=53624 dst=4.3.2.2 dstname=4.3.2.2 dst_port=80
tran_ip=5.4.3.2 tran_port=49648 service=80/tcp proto=6 app_type=N/A
duration=120 rule=49 policyid=49 identidx=0 sent=1221 rcvd=2062
shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 sent_pkt=7 rcvd_pkt=6
src_int=INT dst_int=WAN SN=16349534 app=N/A app_cat=N/A carrier_ep=N/A vpn=N/A
status=accept user=N/A group=N/A shaper_sent_name=N/A shaper_rcvd_name=N/A
perip_name=N/A
If I could get one or more pattern examples, I could work on others. The
fields and properties are not yet fully documented, so I am not sure of a starting
point.
Original issue reported on code.google.com by [email protected]
on 10 Feb 2012 at 5:32
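The two FortiGate entries quoted in the report above are syslog lines whose body is a run of key=value pairs, some of them double-quoted and containing spaces (cat_desc, msg). As an added example that is not part of the original issue and not ELSA's patterndb, the parser below splits off the syslog header, extracts the pairs while preserving quoted values, and folds the two spellings of the port fields (sport/src_port, dport/dst_port) onto one name so a single search field covers both the webfilter and the traffic record types. The sample lines are constructed here from the ones in the report, shortened and with placeholder values; the field-name handling is an assumption about these two record types only.

```python
import re
from typing import Dict

# Constructed sample lines, shortened from the FortiGate entries quoted in the
# issue above (hosts and IDs are placeholders).
SAMPLE_LINES = [
    'Feb 10 11:27:01 logsource kernel: date=2012-02-10 time=11:27:01 '
    'devname=CUSTID01-SITEID-FW log_id=13312 subtype=ftgd_allow type=webfilter '
    'src=10.1.2.3 sport=2163 src_port=2163 dst=4.3.2.1 dport=80 dst_port=80 '
    'service=http status=passthrough cat_desc="Search Engines and Portals" '
    'carrier_ep=N/A msg="URL belongs to an allowed category in policy" class_desc=N/A',
    'Feb 10 11:27:01 logsource kernel: date=2012-02-10 time=11:27:01 '
    'devname=CUSTID01-SITEID-FW log_id=2 subtype=allowed type=traffic '
    'src=10.1.2.3 src_port=53624 dst=4.3.2.2 dst_port=80 service=80/tcp '
    'proto=6 sent=1221 rcvd=2062 status=accept user=N/A',
]

# Syslog header: "<Mon dd hh:mm:ss> <host> <program>: " followed by the body.
_HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<program>[^:\s]+): (?P<body>.*)$'
)

# key=value where the value is either a double-quoted string (may contain
# spaces) or a run of non-space characters.
_KV_RE = re.compile(
    r'(?P<key>[A-Za-z0-9_]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))'
)


def parse_kv(body: str) -> Dict[str, str]:
    """Parse a FortiGate-style key=value body into a dict.

    Quoted values keep their inner spaces. The literal N/A is kept as-is so
    the caller decides whether to treat it as a missing value.
    """
    fields = {}
    for m in _KV_RE.finditer(body):
        quoted = m.group('quoted')
        fields[m.group('key')] = quoted if quoted is not None else m.group('bare')
    return fields


def parse_line(line: str) -> Dict[str, str]:
    """Split off the syslog header, then parse the key=value body.

    The syslog host and program are kept under underscore-prefixed keys so
    they cannot collide with FortiGate field names such as 'hostname'.
    """
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError(f'not a syslog line: {line[:40]!r}')
    fields = parse_kv(m.group('body'))
    fields['_syslog_host'] = m.group('host')
    fields['_syslog_program'] = m.group('program')
    return fields


def normalize(fields: Dict[str, str]) -> Dict[str, str]:
    """Map both FortiGate spellings of the port fields onto src_port/dst_port.

    The webfilter record carries sport and src_port; the traffic record only
    src_port. After this step one field name works for both record types.
    (Assumption based on the two record types in the report.)
    """
    out = dict(fields)
    for short, long_ in (('sport', 'src_port'), ('dport', 'dst_port')):
        if long_ not in out and short in out:
            out[long_] = out[short]
        out.pop(short, None)
    return out


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        rec = normalize(parse_line(line))
        print(rec['type'], rec['src'], rec['src_port'], '->', rec['dst'], rec['dst_port'])
```

Running the block prints one line per record with the normalized source and destination; the same `normalize` step is where further aliases would be added as more FortiGate record types are encountered.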
There are 2000 records/logs in ELSA WEB, but I am able to view only 100
logs/records. How do I view more than 100 records in ELSA web? If I choose to
download the report, I get those 100 records only.
Do I need to change any configs to view all the logs?
Kindly suggest!
Original issue reported on code.google.com by [email protected]
on 24 Jul 2012 at 7:49
What steps will reproduce the problem?
1. Load the Admin > Stats page
2. Observe "Queries per User" and "Queries" graphs loading, but all others
missing
3. Click a "Save chart as" link where there is no graph, receive a "TypeError:
Object doesn't support this property or method" error
What is the expected output? What do you see instead?
I expect all graphs to be displayed, only "Queries per User" and "Queries"
display instead
What version of the product are you using? On what operating system?
ELSA r354 on Red Hat Enterprise 6
Please provide any additional information below.
A few times on previous versions I've seen all graphs functioning fine, after
the latest update we did (From a few days ago, not sure which version) we're
back to having only two graphs show.
Original issue reported on code.google.com by [email protected]
on 24 Jul 2012 at 1:35
I am not the most knowledgeable person when it comes to linux/apache. I need to
run ELSA on the same apache2 as cacti. Is there a way to change the port ELSA
uses?
Thanks!
Original issue reported on code.google.com by [email protected]
on 28 Feb 2012 at 9:55
I have read that Cisco's syslogs are supported by ELSA; is there anything I need to
configure for that functionality?
-Thanks!
Original issue reported on code.google.com by [email protected]
on 1 Mar 2012 at 11:55
What steps will reproduce the problem?
1. SSHD message send to syslog
What is the expected output? What do you see instead?
Parsed sshd logs
What version of the product are you using? On what operating system?
SVN checkout of ELSA.
syslog-ng 3.3.5
Please provide any additional information below.
Hi, I get the following error when parsing this log line:
* ERROR [2012/05/14 15:38:21] /srv/syslogdata/elsa/node/elsa.pl (219)
main::_process_batch 1243 Unable to parse valid class id from log line
1336999101 10.30.1.1 sshd system Failed password for root from 172.16.1.2 port
51058 ssh2 . Only parsed into:
$VAR1 = [
'1336999101',
'10.30.1.1',
'sshd',
'system',
'Failed password for root from 172.16.1.2 port 51058 ssh2'
];
Is there an invalid class id somewhere? How can I find it?
Thank you
Original issue reported on code.google.com by [email protected]
on 14 May 2012 at 12:45
It would be great if we could get some Archlinux support, as all my personal
and development servers are running on Arch.
I plan to take a look at the installer script and modify it for use with
Archlinux by the end of the week. I'll post what I've got and hopefully get it
pulled into the project. :)
Original issue reported on code.google.com by [email protected]
on 18 Jun 2012 at 7:06
What steps will reproduce the problem?
1. Install ELSA with the install.sh script
2. Try to open the web interface
What is the expected output? What do you see instead?
I expected to see the web interface but instead I get an "Internal Server Error"
In the /var/log/apache2/error.log I get the message:
" Can't use string ("Access denied for user 'elsa'@'l") as an ARRAY ref while
"strict refs" in use at /usr/local/elsa/web/lib/API.pm line 1349.\n"
There seems to be an error in the error handling code at line 1349.
The strangest part is the "Access denied" error since I just tried to use
ELSA out of the box after installing it. Without any further modifications.
What version of the product are you using? On what operating system?
My OS : Linux debian 2.6.32-5-amd64 #1 SMP Mon Jan 9 20:49:59 UTC 2012 x86_64
GNU/Linux
ELSA version I guess it is the last one since it was downloaded by the
"install.sh" script. Installation done on Sunday 22 January 2012
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 22 Jan 2012 at 6:27
Please consider adding a feature to store a fixed amount of logs (by date), in
order to meet requirements such as PCI. Thanks.
Original issue reported on code.google.com by [email protected]
on 29 May 2012 at 2:41
What version of the product are you using? On what operating system?
elsa.0.1.1
Debian 6.0.1
Please provide any additional information below.
Hi, after installing I get an error on the homepage (for about everything I'm
doing).
The error is : Janus connection timed out after 15 seconds, alarm at
/usr/local/elsa/web/lib/Web.pm line 109.
Could you help me somewhat as to where I might look to actually debug where the
issue is located?
Original issue reported on code.google.com by [email protected]
on 12 Jul 2011 at 4:33
What steps will reproduce the problem?
1. Get results for Class = ANY
What is the expected output? What do you see instead?
Return all classes logs
What version of the product are you using? On what operating system?
SVN checkout of ELSA.
syslog-ng 3.3.5
Please provide any additional information below.
Received query with qid 2180 at 1337084276.6769
* DEBUG [2012/05/15 15:17:56] /srv/syslogdata/elsa/web/lib/API.pm (2831)
API::_parse_query_string 1963 [undef]
orig_parsed_query: $VAR1 = {
'' => [
{
'value' => 'ANY',
'op' => '=',
'field' => 'class'
}
]
};
* DEBUG [2012/05/15 15:17:56] /srv/syslogdata/elsa/web/lib/API.pm (3203)
API::_parse_query_term 1963 [undef]
terms: $VAR1 = {
'' => [
{
'value' => 'ANY',
'field' => 'class',
'op' => '='
}
]
};
* ERROR [2012/05/15 15:17:56] /srv/syslogdata/elsa/web/lib/Web/Query.pm (37)
Web::Query::call 1963 [undef]
Unknown class ANY at /srv/syslogdata/elsa/web/lib/API.pm line 3261.
Is a class=ANY query able to execute?
kind regards,
thanasys
Original issue reported on code.google.com by [email protected]
on 15 May 2012 at 12:21
What steps will reproduce the problem?
1. load web UI
2. enter a query for "traffic"
3. enter a time period
What is the expected output? What do you see instead?
successful query, instead getting a box saying "query failed"
What version of the product are you using? On what operating system?
Installed March 19 from install.sh script on RHEL 5 i386
Please provide any additional information below.
I think this issue may be related to issue 7. I have verified the backend
similarly to issue 7 and when I submit a query on the web UI I get a "query failed"
problem. Here is the output from web.log
Original issue reported on code.google.com by [email protected]
on 23 Mar 2012 at 9:57
Attachments:
What steps will reproduce the problem?
1. default install with install.sh on ubuntu server 10.04LTS
2. point firewall syslog data toward elsa
3. search for host=firewallipaddress
What is the expected output? What do you see instead?
Shows near 30 million results. Shows 30 million results but takes 15 seconds to
return data. Running top on the physical host, an 8 proc machine with 16GB of
memory shows only one processor pegging at 100% running process searchd.
What version of the product are you using? On what operating system?
latest deploy from SVN - deployed April 27th 2012. Ubuntu 10.04 LTS
Please provide any additional information below.
I thought searchd was multithreaded?
Original issue reported on code.google.com by [email protected]
on 2 May 2012 at 3:02
What steps will reproduce the problem?
1. Snare logs send to syslog
What do you see instead?
in node.log:
* ERROR [2012/04/30 14:04:14] /srv/syslogdata/elsa/node/elsa.pl (219)
main::_process_batch 2920 Unable to parse valid class id from log line
1335783854 10.30.4.19 AD-2.tacs.local Security unknown Apr 30
14:04:13 2012|4634|Microsoft-Windows-Security-Auditing|opennms|N/A|Success
Audit|AD-2.tacs.local|None||An account was logged off. Subject: Security
ID: S-1-5-21-212409339-82824776-3791047695-1127 Account Name: opennms
Account Domain: TACS Logon ID: 0x91366d0 Logon Type: 3 This event
is generated when a logon session is destroyed. It may be positively correlated
with a logon event using the Logon ID value. Logon IDs are only unique between
reboots on the same computer.|240487
. Only parsed into:
$VAR1 = [
'1335783854',
'10.30.4.19',
'AD-2.tacs.local',
'Security',
'unknown',
'Apr 30 14:04:13 2012|4634|Microsoft-Windows-Security-Auditing|opennms|N/A|Success Audit|AD-2.pacs.local|None||An account was logged off. Subject: Security ID: S-1-5-21-212409339-82824776-3791047695-1127 Account Name: opennms Account Domain: TACS Logon ID: 0x91366d0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.|240487 '
];
SVN checkout of ELSA.
syslog-ng 3.3.5
On what operating system?
Debian Squeeze
All snare logs are getting this error in node.log
Original issue reported on code.google.com by [email protected]
on 30 Apr 2012 at 11:08
Opening the ELSA page gives a pop-up window stating that the log server cannot
be contacted. The log server is on the web server.
Running Ubuntu 12.04 LTS. Is that the problem?
ps aux | grep syslog shows that syslog-ng is running.
And the displayed web page does not show a page like your screenshots do on the
ELSA wiki.
Original issue reported on code.google.com by [email protected]
on 12 Jul 2012 at 11:46
What steps will reproduce the problem?
Query something like a firewall log :
host:172.16.0.1 FIREWALL_CONNECTION_END.dstip=172.16.0.2 +"Connection timeout"
limit:1000
Select Report On, All Classes, Hour
A bar graph will be generated with values; however, when you hover over the
graph and click on it, the number of results returned does not match the value
in the bar graph. This isn't a limitation of the number of results returned, as
in my case there were few.
Sometimes clicking on a bar results in 0 results returned once or twice, but
then the third time the data is returned. When this happens, the 0 result comes
back almost immediately, as if it's really not trying to search.
Below is an example of the bar graph value vs. the results value (when it did
return results). I don't see a pattern, but maybe you do:
Beginning at 2012-06-14 18:00:00, descending:
Bar graph:result of clicking on that bar
46:47
2:13
16:9
3:10
47:20
42:45
60:56
47:49
35:47
19:24
27:20
23:28
21:23
21:18
31:29
17:22
24:22
17:28
What is the expected output? What do you see instead?
I expect the values to match. I wonder which one is accurate.
What version of the product are you using? On what operating system?
Latest build as of 6/14; RHEL (actually Oracle Unbreakable (cough) Linux)
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 15 Jun 2012 at 12:50
To avoid tab clutter, it would be nice to have a quick way to toggle whether to
search in the same tab or to open a new tab. Thanks.
Original issue reported on code.google.com by [email protected]
on 24 Jun 2012 at 8:40
What steps will reproduce the problem?
1. set auth "method" : "local" in elsa_web.conf;
2. every user "is admin", because the array "admin_groups" : [ "system", "admin" ]
is not matched;
3. setting a permission for a user on one class_id is not working; the user has all
classes in the "Add Term" and "Report On" dropdowns.
What is the expected output? What do you see instead?
The user that is not admin doesn't have the "Admin" tab.
The user that has some permission/restriction has only some classes in the "Add
Term" and "Report On" dropdowns.
What version of the product are you using? On what operating system?
last elsa r161,
debian 6.0
Please provide any additional information below.
In the older version of elsa (the one with Janus) all works fine.
Original issue reported on code.google.com by [email protected]
on 17 Jan 2012 at 5:03
What steps will reproduce the problem?
1. submit Query
What is the expected output? What do you see instead?
Instead of the search results we receive an error message "No nodes available at
/usr/local/elsa/web/lib/API.pm line 1770"
What version of the product are you using? On what operating system?
Elsa: Release 326
OS: Ubuntu 10.04.4 LTS
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 28 Jun 2012 at 2:45
On FreeBSD /bin/sh is NOT bash, therefore it needs to be 'variable=value' and
not 'variable = value', patch attached.
Original issue reported on code.google.com by [email protected]
on 21 Jun 2012 at 7:41
Attachments:
*What steps will reproduce the problem?*
1. wget
"http://enterprise-log-search-and-archive.googlecode.com/svn/trunk/elsa/contrib/install.sh"
2. $http_proxy is set but not $https_proxy
3. sh -c "sh install.sh"
*What do you see instead?*
# sh -c "sh install.sh node"
Assuming distro to be centos
Executing centos_get_node_packages
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
* base: centos.cict.fr
* epel: be.mirror.eurid.eu
* extras: centos.bio.lmu.de
* rpmforge: apt.sw.be
* updates: centos.bio.lmu.de
Setting up Update Process
No Packages marked for Update
Loaded plugins: fastestmirror, refresh-packagekit
Ignored option -q, -v, -d or -e (probably due to merging: -yq != -y -q)
Loading mirror speeds from cached hostfile
* base: centos.cict.fr
* epel: be.mirror.eurid.eu
* extras: centos.bio.lmu.de
* rpmforge: apt.sw.be
* updates: centos.bio.lmu.de
Setting up Install Process
Package flex-2.5.35-8.el6.x86_64 already installed and latest version
Package bison-2.4.1-5.el6.x86_64 already installed and latest version
Package ntpdate-4.2.4p8-2.el6.centos.x86_64 already installed and latest version
Package 4:perl-5.10.1-119.el6_1.1.x86_64 already installed and latest version
Package 4:perl-devel-5.10.1-119.el6_1.1.x86_64 already installed and latest
version
Package curl-7.19.7-26.el6_2.4.x86_64 already installed and latest version
Package 1:make-3.81-19.el6.x86_64 already installed and latest version
Package subversion-1.6.11-2.el6_1.4.x86_64 already installed and latest version
Package gcc-4.4.6-3.el6.x86_64 already installed and latest version
Package gcc-c++-4.4.6-3.el6.x86_64 already installed and latest version
Package mysql-server-5.1.61-1.el6_2.1.x86_64 already installed and latest
version
Package mysql-libs-5.1.61-1.el6_2.1.x86_64 already installed and latest version
Package mysql-devel-5.1.61-1.el6_2.1.x86_64 already installed and latest version
No package pkg-config available.
Package 1:pkgconfig-0.23-9.1.el6.x86_64 already installed and latest version
Package pcre-devel-7.8-3.1.el6.x86_64 already installed and latest version
Package libcap-devel-2.16-5.5.el6.x86_64 already installed and latest version
Package libnet-devel-1.1.5-1.el6.x86_64 already installed and latest version
Package openssl-devel-1.0.0-20.el6_2.4.x86_64 already installed and latest
version
No package libopenssl-devel available.
Package glib2-devel-2.22.5-6.el6.x86_64 already installed and latest version
Nothing to do
centos_get_node_packages success
Executing set_date
Error : Name or service not known
25 May 17:29:45 ntpdate[26389]: can't find host time.nist.gov
25 May 17:29:45 ntpdate[26389]: no servers can be used, exiting
set_date success
Executing check_svn_proxy
http_proxy set, verifying subversion is setup accordingly...
http-proxy-host = 10.0.0.1
check_svn_proxy success
Executing build_node_perl
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 301 0 301 0 0 449 0 --:--:-- --:--:-- --:--:-- 455
curl: (6) Couldn't resolve host 'raw.github.com'
install.sh: line 229: cpanm : commande introuvable
install.sh: line 234: cpanm : commande introuvable
install.sh: line 240: cpanm : commande introuvable
Retry 1
install.sh: line 240: cpanm : commande introuvable
Retry 2
install.sh: line 240: cpanm : commande introuvable
Retry 3
build_node_perl FAIL
*What version of the product are you using? On what operating system?*
$ lsb_release -a
LSB Version: :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.2 (Final)
Release: 6.2
Codename: Final
*Please provide any additional information below.*
# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
# perl -v
This is perl, v5.10.1 (*) built for x86_64-linux-thread-multi
# cpan -v
/usr/bin/cpan script version 1.9, CPAN.pm version 1.9402
# env|grep proxy
http_proxy=http://myuser:[email protected]:8080/
* Patch *
- Add check_https_proxy
- use check_https_proxy for install and update
Patch : http://codereview.appspot.com/6245054/patch/1/2
Original issue reported on code.google.com by [email protected]
on 25 May 2012 at 4:19
What steps will reproduce the problem?
1. Go to "Documentation" in the wiki
2. Ctrl+F Snort
3. Notice there is not any information on getting Snort data into ELSA.
What is the expected output? What do you see instead?
I expect some documentation on how to get Snort data into ELSA.
Instead I just see info that there is a snort plugin.
What version of the product are you using? On what operating system?
Latest SVN on Arch Linux.
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 23 Jul 2012 at 4:45
1. if I add a node config to the elsa_web.conf file, the web server doesn't
load. There's no documentation regarding proper syntax and no particular error
in the log indicating the issue.
2. Why is syslogd still listening on UDP 514 if the installation installs
syslog-ng? Does this cause a conflict? Where are all the log destinations so I
can check.
3. There's no explanation of how the node is supposed to connect to the web
host or vice versa. I'm guessing it hits the database.
4. I'm not an idiot and have worked with lots of open source software, but this
lack of documentation is ridiculous and makes the package unusable.
Original issue reported on code.google.com by [email protected]
on 13 Apr 2012 at 11:59
I've noticed that you slightly modified the syslog-ng init script. I also
noticed that there is no reload option, which I think most distros implement by
HUPing the daemon. I'm having a problem where the firewall log stays at zero
bytes after being compressed by logrotate, even after trying the delaycompress
option. Since the firewall log starts growing again after a restart of
syslog-ng, I imagine putting in a function (already written on the interwebs)
to HUP syslog-ng via a reload argument might fix it. Then people could put that
in the postrotate section of their logrotate configuration.
Original issue reported on code.google.com by [email protected]
on 24 Jun 2012 at 3:09
Hello,
I was reading your installation document and found that you are depending on
Authen::Simple::PAM.
PAM is not available on all operating systems or Linux distros.
Instead of such users modifying the code to authenticate against a different mode,
could you make the authentication more modular? The authentication mode could be
defined in a configuration file and then, according to that definition, the particular
Authen::Simple::.... module would be used.
This would make your code more portable.
Thank you for taking this into mind.
jirib
Original issue reported on code.google.com by [email protected]
on 18 Feb 2012 at 4:19
I am looking through the logs and noticed that the log source is not properly
parsed for Windows 2008 logs.
I see stuff like this:
source=An account was successfully logged on. Subject
source=An account was logged off. Subject
source=Special privileges assigned to new logon. Subject
I am using evtsys (http://code.google.com/p/eventlog-to-syslog/) to send the
logs from Windows 2008 to my syslog server.
Is this a problem with the evtsys logs being sent or a problem in the parser?
Original issue reported on code.google.com by [email protected]
on 23 Feb 2012 at 4:52
I have loaded a node and a web using the install.sh script and when I tail
/var/log/elsa/node.log I get what looks like proper activity as far as I can
tell. I am attaching an excerpt from node.log so you can see if I am missing
something.
There are definitely lots of logs arriving on the system as verified by tcpdump.
Yes, no matter what query I do I always get an empty result set even using an
IP that I have seen with tcpdump as having arrived from evtsys on a windows
server. I have other firewall logs which the system does not know how to parse
which I expect at this time to be missing.
Also, the stats page shows no information on the graphs for stats: load,
stats: index and stats: archive.
Something seems to be awry but I am not sure how to best troubleshoot.
Can you please help me sort this out?
Original issue reported on code.google.com by [email protected]
on 10 Feb 2012 at 5:41
Attachments:
Either:
1. Have the ability to hide menu items for devices not used in one's
environment.
Or:
2. Build the menu from logs that have been received and recognized by ELSA,
with the option to override this if something has been spuriously received
and/or retired.
Thanks.
Original issue reported on code.google.com by [email protected]
on 2 Jun 2012 at 12:34
What steps will reproduce the problem?
1. I am trying to install NODE on one server & WEB on another server.
2. Both servers are running Ubuntu Server 12.04 LTS.
3. I am using the ELSA Quickstart script to do the above.
Please provide any additional information below.
NODE SERVER :
I am running the below scripts:
wget "http://enterprise-log-search-and-archive.googlecode.com/svn/trunk/elsa/contrib/install.sh"
sudo sh -c "sh install.sh node"
Installation is a success without any error!!
WEB SERVER :
I am running the below scripts:
wget "http://enterprise-log-search-and-archive.googlecode.com/svn/trunk/elsa/contrib/install.sh"
sudo sh -c "sh install.sh web"
When I am running this script in the NODE server, I am getting the below error &
the installation FAILS:
A elsa/web/inc/chart.js
A elsa/web/inc/graphAnything.js
A elsa/web/cron.pl
Exported revision 335.
get_elsa success
Executing set_web_mysql
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!
set_web_mysql FAIL
ise@elsaweb:~$
Are there any configuration changes to be made in the script if we install NODE
& WEB on different machines??
CAN YOU HELP !!
Original issue reported on code.google.com by [email protected]
on 9 Jul 2012 at 10:07
I am trying to create an alert from a query result and have just recently
updated from CVS.
I am getting the following error in a popup every time I try to create an alert:
Invalid args, missing arg: connector
Additionally, when I try to look at the scheduled Alerts from the ELSA drop-down
menu, I get an error in the table saying "Data error".
Original issue reported on code.google.com by [email protected]
on 23 Feb 2012 at 5:13
What steps will reproduce the problem?
1. Configure local iptables to log to local syslog on host to collect logs from
2. Forward those logs via syslog to Elsa log server
3. Validate that this much is working (tcpdump, etc.)
What is the expected output? What do you see instead?
Expectation is to have those syslog streams processed by syslog-ng/elsa.pl,
inserted into MySQL, indexed by Sphinx, and searchable in Elsa web interface.
In this example, I'm using iptables as search criteria since it seems to be
most problematic.
Instead, only sporadic entries from random hosts make it into the MySQL
database through Syslog/elsa.pl.
What version of the product are you using? On what operating system?
Obtained from install.sh (this is the info you need?)
Eventlog Version 0.2.12
Syslog version 3.2.4
OS is RHEL Server 6.2
Please provide any additional information below.
I have two elsa web servers and two elsa log servers. Rsyslog is used around
the network to forward all activity from those servers to the loggers. Those
loggers are indeed seeing specifically the iptables log hits from the network,
but only 3 of many hosts have their logs recorded in the database, etc.
I need help debugging the middleware so to speak. Lots of references to files
in other issues, such as update-from-svn.sh, the syslog-ng.log file, and the
commands you guys use to debug this are either not present or not apparent.
Many thanks in advance!
Original issue reported on code.google.com by [email protected]
on 12 Apr 2012 at 7:31
A recent update requires new perl modules that are not pulled in by install.sh:
MooseX::Storage
MooseX::Log::Log4perl
MooseX::Clone
Plack::Middleware::NoMultipleSlashes
Original issue reported on code.google.com by [email protected]
on 19 Jun 2012 at 9:09
I now have logs loading and can see them in the syslog and syslog_data tables.
But nothing I have tried shows any results in the Web UI so far.
I see there is data being parsed into some fields properly but just nothing
coming back to the Web UI.
I have tried to query for stuff that I know is in the syslogs_index_1 table and
I get nothing back.
What information is needed to help troubleshoot this?
Original issue reported on code.google.com by [email protected]
on 13 Feb 2012 at 10:58
What steps will reproduce the problem?
1. Install ELSA with the install.sh script on a distribution like Debian Squeeze
What is the expected output? What do you see instead?
The install aborts because update-rc.d refuses to install init scripts that are not
LSB compliant.
This is an example of an LSB searchd script:
http://www.notsofaqs.com/catsdoc/doku.php?id=sphinx:install
What version of the product are you using? On what operating system?
Debian squeeze
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 22 Feb 2012 at 10:26
What steps will reproduce the problem?
1. Windows 2003 Chinese with "eventlog_to_syslog" (UTF-8)
2. ELSA displays garbage characters
3. Changing the browser's encoding does not work
4. Changing the character set of the MySQL database and tables does not work
What is the expected output? What do you see instead?
What version of the product are you using? On what operating system?
ELSA installed by script on Ubuntu 12.04
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 4 May 2012 at 3:02