Re: [security-onion] Elsa email alerts
Martin Holste
Maybe this should be in the elsa group so forgive me if so. Is there a way to setup email alerts in elsa that contain the alerts in the body of the email instead of just a link to the alert in elsa? This would be helpful when viewing on a phone or when I don't have access to the web server.
This is what I am referring to:
2 results for query "User Account Changed" http://elsa//get_results?qid=78&hash=25af6174a0fcecc4d346680a72b7ce644b9a88e8
Thanks!
--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.
Martin Holste
Thanks for your response Martin. Obviously I would love to see it on the roadmap if others would find this useful. In the interim I will use swatch or something to get the alerts I need.
Martin Holste
Works beautifully!
For those of you who want to enable this on a fresh install of SO 12.04 I had to do the following:
wget "http://enterprise-log-search-and-archive.googlecode.com/svn/trunk/elsa/contrib/install.sh"
sudo cpan
o conf prerequisites_policy follow
o conf commit
install App::cpanminus
quit
edit install.sh and change the BASE_DIR to:
BASE_DIR="/opt"
edit elsa_web.conf
sudo sh -c "sh install.sh node && sh install.sh web"
......
"subject": "ELSA Alert",Thanks Martin!
"include_data": "true"
Andy Hunt
I would also like to setup ELSA to include alert data in it's emails instead of just a link to the report. It looks like the install.sh file link is no longer good. Can you please advise on how to update ELSA to get this function working?
Doug Burks
This email thread is from 2013 and our current ELSA packages should
have the latest code from Martin's github repo. Are you sure you're
running a fully updated box?
On Tue, Jun 20, 2017 at 12:09 PM, Andy Hunt <andy...@gmail.com> wrote:
> Martin,
>
> I would also like to setup ELSA to include alert data in it's emails instead of just a link to the report. It looks like the install.sh file link is no longer good. Can you please advise on how to update ELSA to get this function working?
>
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Andy Hunt
Thank you for the quick reply. I installed SO from the ISO image (and ran soup) so I should be all up to date. It's possible the formatting of this config has changed since this thread was created. The config does not contain the string "include_data" anywhere in it. By chance do you know the modifications needed to change this config to send the data instead of a link?
Doug Burks
> Doug,
>
> Thank you for the quick reply. I installed SO from the ISO image (and ran soup) so I should be all up to date. It's possible the formatting of this config has changed since this thread was created. The config does not contain the string "include_data" anywhere in it. By chance do you know the modifications needed to change this config to send the data instead of a link?
section of your /etc/elsa_web.conf:
If you wish to get the actual results from an alert, in addition to a
link to the results, add the following config to the email section:
"email": { "include_data": 1 }
https://github.com/mcholste/elsa/wiki/Documentation#elsa_webconf
--
Doug Burks
Andy Hunt
Thanks again for the very prompt reply. I took a look at the link that you gave me and applied the settings to my /etc/elsa_web.conf file. However this setting did not seem to make any impact on the reports. I also was sure to restart the NSM service and even reboot the PC. I did have to make one minor change to the configuration, and that was to add a , after the subject link in the config. Please see the config output below and let me know if there are any obvious errors:
"email": {
"display_address": "REDACTED",
"base_url": "https://192.168.51.252/elsa-query",
"smtp_server": "localhost",
"subject": "REDACTED",
"email": { "include_data": 1 }
},
Thank You!
-Andy
Doug Burks
"email": {
"display_address": "REDACTED",
"base_url": "https://192.168.51.252/elsa-query",
"smtp_server": "localhost",
"subject": "REDACTED",
},
sudo service apache2 restart
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Andy Hunt
It looks like we have made some progress. The email it generates now includes the link and a HASH code. Please see below for an example of one of these emails:
1 results for query class=BRO_HTTP "-" groupby:site REDACTED.com
https://192.168.51.252/elsa-query/get_results?qid=6181&hash=25af6174a0fcecc4d346680a72b7ce644b9a88e8
HASH(0x7095ba0)
I have rebooted and still have the alert generate the link and a similar code. Any ideas?
Thank You,
-Andy
Andy Hunt
Thank you for all the assistance you have provided me on this issue. I was able to figure out that any scheduled alert in ELSA that contains "groupby" would not send the details of the alert in the email. Simply removing "groupby" from the alert fixes this issue.
Thank You,
-Andy