I use ELSA regularly; it wasn't disabled a week or so ago when I last used it.
The file /etc/elsa_web.conf does exist; here are its contents:
Should I still run the command?
su@server:~$ sudo vi /etc/elsa_web.conf
[sudo] password for su:
"/etc/elsa_web.conf" 176L, 4171C
{
"data_db": {
"db": "syslog",
"username": "elsa",
"password": "biglog"
},
"version": {
"Author": "mcholste",
"Date": "2014-07-17 15:12:58 -0700 (Thu, 17 Jul 2014)",
"Rev": "1205",
"Sphinx": "Sphinx 2.1.9"
},
"query_timeout": "55",
"transforms": {
"whois": { "known_subnets": { "10.0.0.0": { "end": "10.255.255.255", "org": "MyOrg" }, "192.168.0.0": { "end": "192.168.255.255", "org": "MyOrg" }, "172.16.0.0": { "end": "172.31.255.255", "org": "MyOrg" } }, "known_orgs": { "MyOrg": { "name": "MyOrg", "org": "MyOrg", "descr": "MyOrg", "cc": "US", "country": "United States", "city": "Anytown", "state": "Somestate" } }
},
"parse": { "tld": [ { "field": "domain", "pattern": "\\.([a-zA-Z]+)$", "extractions": [ "tld" ] }, {1,1Top2 }, { "field": "site", "pattern": "\\.([a-zA-Z]+)$", "extractions": [ "tld" ] }, { "field": "uri", "pattern": "\\.([a-zA-Z]+)(:|/|$)", "extractions": [ "tld" ] } ], "url": [ { "field": "uri", "pattern": "(?:(?<proto>[a-zA-Z]+)://)?(?:(?<username>[^/]+):(?<password>[^/]+)@)?(?<domain>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|[^/]+\\.(?<tld>[a-zA-Z]+))(?::(?<port>\\d+))??(?<resource>/[^?]*)?(?:\\?(?<query_string>.*))?$", "extractions": [ "proto", "username", "password", "domain", "tld", "port", "resource", "query_string" ] } ], "mimetype": [ { "field": "msg", "pattern": "[\"'\\(\\[\\s\\|;:](?<mime>(?<type>application|audio|chemical|image|message|model|multipart|text|video)/(?<subtype>[\\w-_]+))[\"'\\)\\]\\s\\|;:]", "extractions": [ "mime", "type", "subtype" ] } ]
}
},
"apikeys": {
"elsa": "redacted"
},
"peers": {
"127.0.0.1": { "url": "https://127.0.0.1:3154/", "username": "elsa", "apikey": "redacted"
}
},
"admin_email_address": "root@localhost",
"connectors": {
},
"dashboards": {
},
"datasources": {
},
"plugins": {
"SNORT": "Info::Snort",
"WINDOWS": "Info::Windows",
"URL": "Info::Url",
"BRO_NOTICE": "Info::Bro"
},
"info": {
"snort": { "url_templates": [ "http://doc.emergingthreats.net/bin/view/Main/%d" ]
},
"url": { "url_templates": [ "http://whois.domaintools.com/%s" ]
},
"windows": { "url_templates": [ "http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=%d" ]
}
},
"max_concurrent_archive_queries": 4,
"schedule_interval": 60,
"node_info_cache_timeout": 60,
"email": {
"display_address": "norepl...@example.com",
"base_url": "http://elsa/",
"subject": "ELSA Alert"
},
"link_key": "secret",
"yui": {
"local": "inc"
},
"meta_db": {
"dsn": "dbi:mysql:database=elsa_web",
"username": "redacted",
"password": "redacted"
},
"auth": {
"method": "security_onion"
},
"admin_groups": [
"system",
"admin"
],
"auth_db": {
"dsn": "dbi:mysql:database=securityonion_db",
"username": "redacted",
"password": "",
"auth_statement": "SELECT PASSWORD(password) FROM user_info WHERE username=?",
"email_statement": "SELECT email FROM user_info WHERE username=?"
},
"peer_id_multiplier": 1000000000000,
"pcap_url": "https://192.x.x.x/capme",
"logdir": "/nsm/elsa/data/elsa/log",
"buffer_dir": "/nsm/elsa/data/elsa/tmp/buffers",
"debug_level": "TRACE",
"default_start_time_offset": 2,
"livetail": {
"poll_interval": 5,
"time_limit": 3600
}
}
~