ELSA Queries and Exporting/Emailing Results


Damon Rouse

Jun 19, 2014, 5:51:41 PM
to securit...@googlegroups.com
Hi

I have a question about exporting BRO DNS data from an ELSA query. I'm looking to export reports (class=BRO_DNS dstport="53") on a daily or weekly basis that can then be run against some other tools. For example, I just did a test for the last day and a half, and this is what was returned:

Records: 100 / 2680912 1845 ms

Is there a way to directly export a query with all results to one of the export data types (Excel, etc.)?

I also tried setting up ELSA to send email results from the batch, but the batch never returns results. Email received below:

0 results for query class=BRO_DNS dstport=53 limit:50000 https://SO-Server-IP/elsa//get_results?qid=1005&hash=25af6174a0fcecc4d346680a72b7ce644b9a88e8

Also, that link 404s for me. Below is my ELSA email config in elsa_web.conf:

"email": {
"smtp_server": "my smtp",
"to": "user...@blahblah.com",
"display_address": "ELSA-...@blahblah.com",
"base_url": "https://SO-Server-IP/elsa/",
"subject": "ELSA Alert"
},

Thanks and any help is really appreciated
Damon

Doug Burks

Jun 19, 2014, 6:25:57 PM
to securit...@googlegroups.com
Hi Damon,

https://SO-Server-IP/elsa/ is just the list of canned ELSA query links
and doesn't actually accept queries itself. The actual ELSA query
page should be https://SO-Server-IP:3154.


--
Doug Burks

Damon Rouse

Jun 19, 2014, 7:06:56 PM
to securit...@googlegroups.com
Thanks for the reply Doug... My mistake, I totally forgot the port. Just to make sure, the base_url would then be: "base_url": "https://My-Server-IP:3154/elsa/"

Damon


Doug Burks

Jun 19, 2014, 7:15:37 PM
to securit...@googlegroups.com
No, it's just https://SO-Server-IP:3154 with the trailing "/elsa/".

--
Doug Burks

Doug Burks

Jun 19, 2014, 7:15:59 PM
to securit...@googlegroups.com
that should've been:

No, it's just https://SO-Server-IP:3154 WITHOUT the trailing "/elsa/".
--
Doug Burks

Damon Rouse

Jun 19, 2014, 7:56:53 PM
to securit...@googlegroups.com
Thanks Doug

While we're on this, can you please help me with what's going on as I use limit and nobatch?

This query: BRO_DNS.dstport=53
Returns this:  Records: 100 / 2535683 5800 ms

This query:  BRO_DNS.dstport=53 limit:0
Returns:  Query 1021 has been submitted (batched) and results will be emailed  (Haven't received the results yet.  I made the base_url change and bounced apache)

This query:  BRO_DNS.dstport=53 limit:0 nobatch:1
Returns:  Records: 0 / 0 1323 ms

Thanks for your help

Doug Burks

Jun 21, 2014, 4:24:03 PM
to securit...@googlegroups.com
Replies inline.

On Thu, Jun 19, 2014 at 7:56 PM, Damon Rouse <damon...@gmail.com> wrote:
> Thanks Doug
>
> While we're on this, can you please help me with what's going on as I use
> limit and nobatch?
>
> This query: BRO_DNS.dstport=53
> Returns this: Records: 100 / 2535683 5800 ms
>
> This query: BRO_DNS.dstport=53 limit:0
> Returns: Query 1021 has been submitted (batched) and results will be
> emailed (Haven't received the results yet. I made the base_url change and
> bounced apache)

Perhaps you're running into a timeout issue? Have you tried changing
this value via the timeout directive?
https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#Directives

> This query: BRO_DNS.dstport=53 limit:0 nobatch:1
> Returns: Records: 0 / 0 1323 ms

I don't think you can do unlimited and nobatch together. I think the
practical limit for the "limit" keyword is 9999 when run in nobatch
mode.
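The two problems in this thread (a base_url that still carries "/elsa/", which is why the emailed link came out as "elsa//get_results" and 404'd, and directive combinations such as limit:0 with nobatch:1 that return nothing) are easy to catch before the query is ever submitted. The script below is an added example written for this thread, not ELSA's or Security Onion's own code. It assumes, from Doug's replies, that the ELSA UI lives on port 3154 with no path, and it assumes the batch-result link is formed by joining base_url with "/get_results?qid=...&hash=..." as the observed email shows; the sample config values and e-mail addresses are constructed.

```python
import json
import re

# Constructed sample: the "email" block from the first post, still carrying
# the trailing "/elsa/" that produced the 404 link in the batch email.
SAMPLE_EMAIL_CONFIG = json.loads("""
{
  "smtp_server": "my smtp",
  "to": "user@example.invalid",
  "display_address": "ELSA-alerts@example.invalid",
  "base_url": "https://SO-Server-IP/elsa/",
  "subject": "ELSA Alert"
}
""")

ELSA_PORT = 3154  # assumption from the thread: Security Onion serves ELSA on :3154

def normalize_base_url(base_url: str) -> str:
    """Return base_url as Doug recommends: https://host:3154 with no "/elsa/" path.
    Raises ValueError when the scheme is not https or an unexpected path remains."""
    url = base_url.strip()
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "https":
        raise ValueError(f"base_url must start with https://, got {url!r}")
    netloc, _, path = rest.partition("/")
    # Split host and optional port (hostnames/IPv4 only; IPv6 literals not handled here).
    host, _, port_str = netloc.rpartition(":")
    if not host:                      # no ":" present, so everything is the host
        host, port_str = port_str, ""
    if not host:
        raise ValueError("base_url has no host")
    port = int(port_str) if port_str else ELSA_PORT
    path = "/" + path.strip("/")
    if path == "/elsa":               # the trailing path from the original config
        path = "/"
    if path != "/":
        raise ValueError(f"unexpected path {path!r} in base_url; expected none")
    return f"https://{host}:{port}"

def result_link(base_url: str, qid: int, result_hash: str) -> str:
    """Build the batch-result link in the shape seen in the thread's email."""
    return f"{normalize_base_url(base_url)}/get_results?qid={qid}&hash={result_hash}"

# Directives of the form name:value, e.g. "limit:0 nobatch:1 timeout:300".
DIRECTIVE_RE = re.compile(r"\b(limit|nobatch|timeout):(\S+)")

def check_query_directives(query: str) -> list:
    """Return warnings for directive combinations the thread shows to misbehave."""
    directives = dict(DIRECTIVE_RE.findall(query))
    limit = directives.get("limit")
    nobatch = directives.get("nobatch")
    warnings = []
    if limit == "0" and nobatch == "1":
        warnings.append("limit:0 with nobatch:1 returned 'Records: 0 / 0'; use a bounded limit")
    elif nobatch == "1" and limit and limit.isdigit() and int(limit) > 9999:
        warnings.append("limit above 9999 in nobatch mode exceeds the practical ceiling")
    elif limit == "0":
        warnings.append("limit:0 is batched: results arrive by email, so base_url must be correct")
    return warnings

SUMMARY_RE = re.compile(r"Records:\s*(\d+)\s*/\s*(\d+)\s+(\d+)\s*ms")

def parse_summary(line: str):
    """Parse ELSA's 'Records: shown / total N ms' line; None if it does not match."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    shown, total, ms = (int(g) for g in m.groups())
    return {"shown": shown, "total": total, "ms": ms, "truncated": shown < total}

if __name__ == "__main__":
    fixed = normalize_base_url(SAMPLE_EMAIL_CONFIG["base_url"])
    print("corrected base_url:", fixed)
    print("result link:", result_link(fixed, 1005, "PLACEHOLDER_HASH"))
    for q in ("BRO_DNS.dstport=53", "BRO_DNS.dstport=53 limit:0", "BRO_DNS.dstport=53 limit:0 nobatch:1"):
        print(q, "->", check_query_directives(q) or "ok")
    print(parse_summary("Records: 100 / 2680912 1845 ms"))
```

The "truncated" flag from parse_summary is the quick tell that a query hit the default display limit (100 of 2,680,912 here) and that a batched export is the only way to get the full set, which is exactly when the corrected base_url matters.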

Damon Rouse

Jun 23, 2014, 3:20:26 PM
to securit...@googlegroups.com
Thanks Doug. I'll check that setting out.