
enterprise-log-search-and-archive's Issues

Valid Query Returns No Results

What steps will reproduce the problem?

This works: host:172.16.0.1 +class:url limit:1000 

This returns 0 results: 172.16.0.1 +class:url limit:10000

In reality, there are 1,460,234 records for this time period.

What is the expected output? What do you see instead?

I would expect to see 10,000 results or to have the query batched.

What version of the product are you using? On what operating system?

Latest SVN as of a couple of days ago, OEL 6.2



Original issue reported on code.google.com by [email protected] on 25 Jul 2012 at 2:42

Where's the documentation?

1. If I add a node config to the elsa_web.conf file, the web server doesn't load. There's no documentation regarding proper syntax and no particular error in the log indicating the issue.

2. Why is syslogd still listening on UDP 514 if the installation installs syslog-ng? Does this cause a conflict? Where are all the log destinations so I can check?

3. There's no explanation of how the node is supposed to connect to the web host or vice versa. I'm guessing it hits the database.

4. I'm not an idiot and have worked with lots of open source software, but this lack of documentation is ridiculous and makes the package unusable.

Original issue reported on code.google.com by [email protected] on 13 Apr 2012 at 11:59

Enhancement Request: Calendar for dates/times

This is more of a nice-to-have than anything else. It would be useful to have 
an icon or drop-down of some sort next to the "From" and "To" fields in order 
to select a date and maybe time.

Original issue reported on code.google.com by [email protected] on 29 May 2012 at 10:26

Chinese character problem

What steps will reproduce the problem?
1. Windows 2003 Chinese with "eventlog_to_syslog" (UTF-8)
2. ELSA displays garbage characters
3. Changing the browser's encoding does not work
4. Changing the character set of the MySQL database and tables does not work

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?

ELSA installed by script on Ubuntu 12.04

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 4 May 2012 at 3:02

NODE & WEB Separate installation not working

What steps will reproduce the problem?
1. I am trying to install NODE on one server & WEB on another server.
2. Both servers are running the Ubuntu Server 12.04 LTS OS.
3. I am using the ELSA Quickstart script to do the above.

Please provide any additional information below.
NODE SERVER :

I am running the scripts below:
wget "http://enterprise-log-search-and-archive.googlecode.com/svn/trunk/elsa/contrib/install.sh"

sudo sh -c "sh install.sh node"
Installation succeeds without any error!!

WEB SERVER :

I am running the scripts below:
wget "http://enterprise-log-search-and-archive.googlecode.com/svn/trunk/elsa/contrib/install.sh"
sudo sh -c "sh install.sh web"

When I am running this script on the NODE server, I am getting the error below & the installation FAILS:

A    elsa/web/inc/chart.js
A    elsa/web/inc/graphAnything.js
A    elsa/web/cron.pl
Exported revision 335.
get_elsa success
Executing set_web_mysql
ERROR 2002 (HY000): Can't connect to local MySQL server through socket 
'/var/run/mysqld/mysqld.sock' (2)
mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket 
'/var/run/mysqld/mysqld.sock' (2)'
Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' 
exists!
set_web_mysql FAIL
ise@elsaweb:~$ 
ise@elsaweb:~$

Are there any configuration changes to be done in the Script if we install NODE 
& WEB on different machines?? 

CAN YOU HELP !!




Original issue reported on code.google.com by [email protected] on 9 Jul 2012 at 10:07

Internal Server Error

What steps will reproduce the problem?
1. Install ELSA with the install.sh script
2. Try to open the web interface


What is the expected output? What do you see instead?
I expected to see the web interface but instead I get an "Internal Server Error".
In the /var/log/apache2/error.log I get the message:
" Can't use string ("Access denied for user 'elsa'@'l") as an ARRAY ref while "strict refs" in use at /usr/local/elsa/web/lib/API.pm line 1349.\n"
There seems to be an error in the error handling code at line 1349.
The most strange part is the "Access denied" error, since I just tried to use ELSA out of the box after installing it, without any further modifications.

What version of the product are you using? On what operating system?
My OS: Linux debian 2.6.32-5-amd64 #1 SMP Mon Jan 9 20:49:59 UTC 2012 x86_64 GNU/Linux
ELSA version: I guess it is the latest one, since it was downloaded by the "install.sh" script. Installation done on Sunday 22 January 2012.

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 22 Jan 2012 at 6:27

Search Trouble

From the Web UI, I can search for "1" and see a specific record, for which the 
program field is something like: "%cdp-3-updown".

My problem (maybe I am going about it the wrong way) is that I can search for the keyword 'up' or 'down' but never 'updown' or 'up +down'. The first two searches return results; however, the last two return nothing.

How can I troubleshoot this problem?


Thanks.

Original issue reported on code.google.com by [email protected] on 5 Mar 2012 at 11:52

Cannot tell that logs are being loaded

I have loaded a node and a web using the install.sh script and when I tail 
/var/log/elsa/node.log I get what looks like proper activity as far as I can 
tell.  I am attaching an excerpt from node.log so you can see if I am missing 
something.

There are definitely lots of logs arriving on the system as verified by tcpdump.

Yes, no matter what query I do I always get an empty result set even using an 
IP that I have seen with tcpdump as having arrived from evtsys on a windows 
server.  I have other firewall logs which the system does not know how to parse 
which I expect at this time to be missing.

Also, the stats page shows no information on the graphs for stats: load, stats: index and stats: archive.

Something seems to be awry but I am not sure how to best troubleshoot.

Can you please help me sort this out?


Original issue reported on code.google.com by [email protected] on 10 Feb 2012 at 5:41

Quick install script support

What steps will reproduce the problem?
We standardize on OpenSuse; the quick installer script is NOT working in our environment.
1. I built an appliance using http://www.susestudio.com, where I selected the base OS with the following packages ONLY

Patterns: NIL 

Packages:
bootsplash, ethtool, glibc-locale, grub, hwinfo, iputils, 
kernel-default, netcfg, net-tools, openssh, SuSEfirewall2,
syslog-ng, sysvinit, tcpdump, telnet, vim, yast2-firewall, 
yast2-firstboot, yast2-ncurses, zypper

- I am trying to install ALL-In-One (both node and web) on the same machine to try it out. The script errors out during syslog-related configuration (or) mysql.

- Whereas your script is working properly on Ubuntu w/o error.

Can you help:
1. While building the appliance, what are the packages required for ELSA to work as NODE / WEB / NODE & WEB?

I am building an OpenSuse 12.1 appliance with the above packages alone selected.

Original issue reported on code.google.com by [email protected] on 9 Jul 2012 at 6:26

Janus Connection timeout after 15 seconds

What version of the product are you using? On what operating system?
elsa.0.1.1
Debian 6.0.1

Please provide any additional information below.
Hi, after installing I get an error on the homepage (for about everything I'm doing).
The error is: Janus connection timed out after 15 seconds, alarm at /usr/local/elsa/web/lib/Web.pm line 109.
Could you help me somewhat as to where I might look to actually debug where the issue is located?

Original issue reported on code.google.com by [email protected] on 12 Jul 2011 at 4:33

Please do not explicitly depend on PAM for authentication

Hello,

I was reading your installation document and found that you are depending on Authen::Simple::PAM.

PAM is not available on all operating systems or Linux distros.

Instead of such users modifying the code to authenticate against a different mode, could you make the authentication more modular? The authentication mode could be defined in a configuration file, and then according to that definition the particular Authen::Simple::.... module would be used.

This would make your code more portable.

Thank you for taking this into mind.

jirib

Original issue reported on code.google.com by [email protected] on 18 Feb 2012 at 4:19

Some stats page graphs are not loading

What steps will reproduce the problem?
1. Load the Admin > Stats page
2. Observe "Queries per User" and "Queries" graphs loading, but all others 
missing
3. Click a "Save chart as" link where there is no graph, receive a "TypeError: 
Object doesn't support this property or method" error


What is the expected output? What do you see instead?
I expect all graphs to be displayed, only "Queries per User" and "Queries" 
display instead


What version of the product are you using? On what operating system?
ELSA r354 on Red Hat Enterprise 6


Please provide any additional information below.
A few times on previous versions I've seen all graphs functioning fine, after 
the latest update we did (From a few days ago, not sure which version) we're 
back to having only two graphs show.

Original issue reported on code.google.com by [email protected] on 24 Jul 2012 at 1:35

Unable to parse valid class id from log line

What steps will reproduce the problem?
1. SSHD message sent to syslog

What is the expected output? What do you see instead?
Parsed sshd logs


What version of the product are you using? On what operating system?
SVN checkout of ELSA.
syslog-ng 3.3.5

Please provide any additional information below.
Hi, I get the following error when parsing this log line:

* ERROR [2012/05/14 15:38:21] /srv/syslogdata/elsa/node/elsa.pl (219) 
main::_process_batch 1243 Unable to parse valid class id from log line 
1336999101  10.30.1.1   sshd    system  Failed password for root from 172.16.1.2 port 
51058 ssh2                                              .  Only parsed into:
$VAR1 = [
          '1336999101',
          '10.30.1.1',
          'sshd',
          'system',
          'Failed password for root from 172.16.1.2 port 51058 ssh2'
        ];

Is there an invalid class id somewhere?? How can I find it?

Thank you

Original issue reported on code.google.com by [email protected] on 14 May 2012 at 12:45

Broken Permission on auth "local"

What steps will reproduce the problem?
1. set auth "method" : "local" in elsa_web.conf;
2. every user "is admin", because the array "admin_groups" : [ "system", "admin" ] is not matched;
3. setting a permission for a user on one class_id is not working; the user has all classes in the "Add Term" and "Report On" dropdowns.

What is the expected output? What do you see instead?
The user who is not admin doesn't have the "Admin" tab.
The user who has some permission/restriction has only some classes in the "Add Term" and "Report On" dropdowns.

What version of the product are you using? On what operating system?
last elsa r161,
debian 6.0

Please provide any additional information below.
In the older version of elsa (the one with Janus) all works fine.

Original issue reported on code.google.com by [email protected] on 17 Jan 2012 at 5:03

Log Source not properly parsed

I am looking through the logs and noticed that the log source is not properly 
parsed for Windows 2008 logs.

I see stuff like this:

source=An account was successfully logged on. Subject
source=An account was logged off. Subject
source=Special privileges assigned to new logon. Subject

I am using evtsys (http://code.google.com/p/eventlog-to-syslog/) to send the 
logs from Windows 2008 to my syslog server.  

Is this a problem with the evtsys logs being sent or a problem in the parser?

Original issue reported on code.google.com by [email protected] on 23 Feb 2012 at 4:52

Error parsing snare logs

What steps will reproduce the problem?
1. Snare logs sent to syslog


What do you see instead?

in node.log:
* ERROR [2012/04/30 14:04:14] /srv/syslogdata/elsa/node/elsa.pl (219) 
main::_process_batch 2920 Unable to parse valid class id from log line 
1335783854 10.30.4.19     AD-2.tacs.local    Security      unknown  Apr 30 
14:04:13 2012|4634|Microsoft-Windows-Security-Auditing|opennms|N/A|Success 
Audit|AD-2.tacs.local|None||An account was logged off.    Subject:   Security 
ID:  S-1-5-21-212409339-82824776-3791047695-1127   Account Name:  opennms   
Account Domain:  TACS   Logon ID:  0x91366d0    Logon Type:   3    This event 
is generated when a logon session is destroyed. It may be positively correlated 
with a logon event using the Logon ID value. Logon IDs are only unique between 
reboots on the same computer.|240487                                            
                                                .  Only parsed into:
$VAR1 = [
          '1335783854',
          '10.30.4.19',
          'AD-2.tacs.local',
          'Security',
          'unknown',
          'Apr 30 14:04:13 2012|4634|Microsoft-Windows-Security-Auditing|opennms|N/A|Success Audit|AD-2.pacs.local|None||An account was logged off.    Subject:   Security ID:  S-1-5-21-212409339-82824776-3791047695-1127   Account Name:  opennms   Account Domain:  TACS   Logon ID:  0x91366d0    Logon Type:   3    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.|240487 '
        ];


SVN checkout of ELSA.
syslog-ng 3.3.5

On what operating system?
Debian Squeeze

All snare logs are getting this error in node.log


Original issue reported on code.google.com by [email protected] on 30 Apr 2012 at 11:08

Queries Fail due to invalid dates

What steps will reproduce the problem?
Not sure how to reproduce beyond my setup, but I have an archlinux server running the elsa node instance, and an Ubuntu 12.04 server running the webserver instance.
I have bro running on the node server, and bro flatfiles go into syslog, which goes into elsa.

What is the expected output? What do you see instead?
When I run queries, I expect to get a response. Instead (no matter what start 
or end dates I put) I get the error:
Invalid start or end: Wed Dec 31 19:00:00 1969 Wed Dec 31 19:00:00 1969 at 
/usr/local/elsa/web/lib/Query.pm line 656.

What version of the product are you using? On what operating system?
Latest from SVN on Ubuntu 12.04 and archlinux

Please provide any additional information below.
Both systems' clocks are synchronized with ntp.

Original issue reported on code.google.com by [email protected] on 6 Jul 2012 at 5:41

Enhancement Request: Menu Customization

Either:

1. Have the ability to hide menu items for devices not used in one's 
environment.

Or:

2. Build the menu from logs that have been received and recognized by ELSA, 
with the option to override this if something has been spuriously received 
and/or retired.

Thanks.

Original issue reported on code.google.com by [email protected] on 2 Jun 2012 at 12:34

Contrib init scripts are not LSB compliant

What steps will reproduce the problem?
1. Install ELSA with the install.sh script on a distribution like Debian Squeeze

What is the expected output? What do you see instead?
Install aborts because update-rc.d refuses to install init scripts that are not LSB compliant.
This is an example of an LSB searchd script:
http://www.notsofaqs.com/catsdoc/doku.php?id=sphinx:install

What version of the product are you using? On what operating system?
Debian squeeze

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 22 Feb 2012 at 10:26

Inconsistent syslog stream entries into the Elsa logger MySQL database.

What steps will reproduce the problem?

1. Configure local iptables to log to local syslog on host to collect logs from
2. Forward those logs via syslog to Elsa log server
3. Validate that this much is working (tcpdump, etc.)

What is the expected output? What do you see instead?

Expectation is to have those syslog streams processed by syslog-ng/elsa.pl, 
inserted into MySQL, indexed by Sphinx, and searchable in Elsa web interface. 
In this example, I'm using iptables as search criteria since it seems to be 
most problematic.

Instead, only sporadic entries from random hosts make it into the MySQL 
database through Syslog/elsa.pl.

What version of the product are you using? On what operating system?

Obtained from install.sh (is this the info you need?)

Eventlog Version 0.2.12
Syslog version 3.2.4

OS is RHEL Server 6.2

Please provide any additional information below.

I have two elsa web servers and two elsa log servers. Rsyslog is used around 
the network to forward all activity from those servers to the loggers. Those 
loggers are indeed seeing specifically the iptables log hits from the network, 
but only 3 of many hosts have their logs recorded in the database, etc. 

I need help debugging the middleware so to speak. Lots of references to files 
in other issues, such as update-from-svn.sh, the syslog-ng.log file, and the 
commands you guys use to debug this are either not present or not apparent. 

Many thanks in advance!

Original issue reported on code.google.com by [email protected] on 12 Apr 2012 at 7:31

Where is the Snort documentation?

What steps will reproduce the problem?
1. Go to "Documentation" in the wiki
2. Ctrl+F Snort
3. Notice there is not any information on getting Snort data into ELSA.

What is the expected output? What do you see instead?
I expect some documentation on how to get Snort data into ELSA.
Instead I just see info that there is a snort plugin.

What version of the product are you using? On what operating system?
Latest SVN on Arch Linux.

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 23 Jul 2012 at 4:45

Logs loading but no results in Web UI

I now have logs loading and can see them in the syslog and syslog_data tables.  
But nothing I have tried shows any results in the Web UI so far.

I see there is data being parsed into some fields properly but just nothing 
coming back to the Web UI.

I have tried to query for stuff that I know is in the syslogs_index_1 table and 
I get nothing back.

What information is needed to help troubleshoot this?

Original issue reported on code.google.com by [email protected] on 13 Feb 2012 at 10:58

Documentation Error in MySQL Insert

I believe this:

INSERT INTO classes (class_id, class) VALUES (10000, "NEWCLASS");

Should be this:

INSERT INTO classes (id, class) VALUES (10000, "NEWCLASS");

Original issue reported on code.google.com by [email protected] on 6 Jun 2012 at 1:32

Implement reload function in syslog-ng init

I've noticed that you slightly modified the syslog-ng init script. I also 
noticed that there is no reload option, which I think most distros implement by 
HUPing the daemon. I'm having a problem where the firewall log stays at zero 
bytes after being compressed by logrotate, even after trying the delaycompress 
option. Since the firewall log starts growing again after a restart of 
syslog-ng, I imagine putting in a function (already written on the interwebs) 
to HUP syslog-ng via a reload argument might fix it. Then people could put that 
in the postrotate section of their logrotate configuration.

Original issue reported on code.google.com by [email protected] on 24 Jun 2012 at 3:09
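The reload action described above, written out as an added example (not code from the ELSA project or from the issue's author): an init-script "reload" that validates the pidfile before sending SIGHUP, plus the logrotate postrotate stanza that calls it. The pidfile path, the process name and the firewall log path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ELSA project or from the issue's author:
# a "reload" action for a syslog-ng init script that validates the pidfile
# before sending SIGHUP, plus the logrotate postrotate stanza that calls it.
# Assumed (hypothetical) defaults: pidfile /var/run/syslog-ng.pid and process
# name "syslog-ng"; both can be overridden through the environment.

SYSLOGNG_PIDFILE="${SYSLOGNG_PIDFILE:-/var/run/syslog-ng.pid}"
SYSLOGNG_NAME="${SYSLOGNG_NAME:-syslog-ng}"

# Name of the executable behind a pid (Linux /proc first, ps as fallback).
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null
    fi
}

# Print the daemon's pid, or return non-zero when the pidfile is missing,
# malformed, stale, or points at a process that is not syslog-ng. This keeps
# a leftover pidfile from a crash from HUPing an unrelated process.
syslogng_pid() {
    [ -r "$SYSLOGNG_PIDFILE" ] || return 1
    pid=$(head -n 1 "$SYSLOGNG_PIDFILE" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || return 1
    [ "$(proc_name "$pid")" = "$SYSLOGNG_NAME" ] || return 1
    printf '%s\n' "$pid"
}

# The init-script "reload" action: SIGHUP makes syslog-ng reopen its
# destination files, so a log that logrotate just moved or compressed gets a
# fresh file descriptor instead of staying at zero bytes.
syslogng_reload() {
    pid=$(syslogng_pid) || {
        echo "$SYSLOGNG_NAME: not running or stale pidfile $SYSLOGNG_PIDFILE" >&2
        return 1
    }
    kill -HUP "$pid"
}

# Matching logrotate stanza for the firewall log (constructed sample; the log
# path is an assumption). Printing it lets the script emit the config file.
logrotate_stanza() {
    cat <<'EOF'
/var/log/firewall.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        /etc/init.d/syslog-ng reload >/dev/null 2>&1 || true
    endscript
}
EOF
}

case "${1:-}" in
    reload) syslogng_reload ;;
    logrotate) logrotate_stanza ;;
esac
```

Run as `sh syslog-ng-reload.sh reload` from the init script's reload target, or `sh syslog-ng-reload.sh logrotate > /etc/logrotate.d/firewall` to write the stanza.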

Bar values do not correspond with searches

What steps will reproduce the problem?

Query something like a firewall log :

host:172.16.0.1 FIREWALL_CONNECTION_END.dstip=172.16.0.2 +"Connection timeout" 
limit:1000

Select Report On, All Classes, Hour

A bar graph will be generated with values; however, when you hover over the 
graph and click on it, the number of results returned does not match the value 
in the bar graph. This isn't a limitation of the number of results returned, as 
in my case there were few.

Sometimes clicking on a bar results in 0 results returned once or twice, but 
then the third time the data is returned. When this happens, the 0 result comes 
back almost immediately, as if it's really not trying to search.

Below is an example of the bar graph value vs. the results value (when it did return results). I don't see a pattern, but maybe you do:

Beginning at 2012-06-14 18:00:00, descending:

Bar graph value : result of clicking on that bar

46:47
2:13
16:9
3:10
47:20
42:45
60:56
47:49
35:47
19:24
27:20
23:28
21:23
21:18
31:29
17:22
24:22
17:28

What is the expected output? What do you see instead?

I expect the values to match. I wonder which one is accurate.

What version of the product are you using? On what operating system?

Latest build as of 6/14; RHEL (actually Oracle Unbreakable (cough) Linux)

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 15 Jun 2012 at 12:50

/inc/combo.jsyui-2.8.1.{css,js} are missing

*What steps will reproduce the problem?*
1. Install ELSA
2. Set local YUI :
    "yui" : {
        "local" : "inc/combo.js",
        "version" : "2.8.1",
        "modifier" : ""
    },


*What is the expected output? What do you see instead?*
Working web interface.

404 error with these files :
http://host/inc/combo.jsyui-2.8.1.css
http://host/inc/combo.jsyui-2.8.1.js

*What version of the product are you using? On what operating system?*
trunk svn

*Please provide any additional information below.*
Web interface used in an isolated network (no internet access).

Original issue reported on code.google.com by [email protected] on 25 May 2012 at 5:32

searchd is single threaded

What steps will reproduce the problem?
1. default install with install.sh on ubuntu server 10.04LTS
2. point firewall syslog data toward elsa
3. search for host=firewallipaddress

What is the expected output? What do you see instead?
Should show nearly 30 million results. Shows 30 million results but takes 15 seconds to return data. Running top on the physical host, an 8-proc machine with 16GB of memory, shows only one processor pegging at 100% running the process searchd.

What version of the product are you using? On what operating system?
latest deploy from SVN - deployed April 27th 2012. Ubuntu 10.04 LTS

Please provide any additional information below.
I thought searchd was multithreaded?

Original issue reported on code.google.com by [email protected] on 2 May 2012 at 3:02

Installation fails if $http_proxy is set but not $https_proxy

*What steps will reproduce the problem?*
1. wget "http://enterprise-log-search-and-archive.googlecode.com/svn/trunk/elsa/contrib/install.sh"
2. $http_proxy is set but not $https_proxy
3. sh -c "sh install.sh"

*What do you see instead?*

# sh -c "sh install.sh node"
Assuming distro to be centos
Executing centos_get_node_packages
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
 * base: centos.cict.fr
 * epel: be.mirror.eurid.eu
 * extras: centos.bio.lmu.de
 * rpmforge: apt.sw.be
 * updates: centos.bio.lmu.de
Setting up Update Process
No Packages marked for Update
Loaded plugins: fastestmirror, refresh-packagekit
Ignored option -q, -v, -d or -e (probably due to merging: -yq != -y -q)
Loading mirror speeds from cached hostfile
 * base: centos.cict.fr
 * epel: be.mirror.eurid.eu
 * extras: centos.bio.lmu.de
 * rpmforge: apt.sw.be
 * updates: centos.bio.lmu.de
Setting up Install Process
Package flex-2.5.35-8.el6.x86_64 already installed and latest version
Package bison-2.4.1-5.el6.x86_64 already installed and latest version
Package ntpdate-4.2.4p8-2.el6.centos.x86_64 already installed and latest version
Package 4:perl-5.10.1-119.el6_1.1.x86_64 already installed and latest version
Package 4:perl-devel-5.10.1-119.el6_1.1.x86_64 already installed and latest 
version
Package curl-7.19.7-26.el6_2.4.x86_64 already installed and latest version
Package 1:make-3.81-19.el6.x86_64 already installed and latest version
Package subversion-1.6.11-2.el6_1.4.x86_64 already installed and latest version
Package gcc-4.4.6-3.el6.x86_64 already installed and latest version
Package gcc-c++-4.4.6-3.el6.x86_64 already installed and latest version
Package mysql-server-5.1.61-1.el6_2.1.x86_64 already installed and latest 
version
Package mysql-libs-5.1.61-1.el6_2.1.x86_64 already installed and latest version
Package mysql-devel-5.1.61-1.el6_2.1.x86_64 already installed and latest version
No package pkg-config available.
Package 1:pkgconfig-0.23-9.1.el6.x86_64 already installed and latest version
Package pcre-devel-7.8-3.1.el6.x86_64 already installed and latest version
Package libcap-devel-2.16-5.5.el6.x86_64 already installed and latest version
Package libnet-devel-1.1.5-1.el6.x86_64 already installed and latest version
Package openssl-devel-1.0.0-20.el6_2.4.x86_64 already installed and latest 
version
No package libopenssl-devel available.
Package glib2-devel-2.22.5-6.el6.x86_64 already installed and latest version
Nothing to do
centos_get_node_packages success
Executing set_date
Error : Name or service not known
25 May 17:29:45 ntpdate[26389]: can't find host time.nist.gov

25 May 17:29:45 ntpdate[26389]: no servers can be used, exiting
set_date success
Executing check_svn_proxy
http_proxy set, verifying subversion is setup accordingly...
http-proxy-host = 10.0.0.1
check_svn_proxy success
Executing build_node_perl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   301    0   301    0     0    449      0 --:--:-- --:--:-- --:--:--   455
curl: (6) Couldn't resolve host 'raw.github.com'
install.sh: line 229: cpanm : commande introuvable
install.sh: line 234: cpanm : commande introuvable
install.sh: line 240: cpanm : commande introuvable
Retry 1
install.sh: line 240: cpanm : commande introuvable
Retry 2
install.sh: line 240: cpanm : commande introuvable
Retry 3
build_node_perl FAIL


*What version of the product are you using? On what operating system?*

$ lsb_release -a
LSB Version:    :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.2 (Final)
Release:        6.2
Codename:       Final


*Please provide any additional information below.*
# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

# perl -v

This is perl, v5.10.1 (*) built for x86_64-linux-thread-multi

# cpan -v
/usr/bin/cpan script version 1.9, CPAN.pm version 1.9402

# env|grep proxy
http_proxy=http://myuser:[email protected]:8080/

* Patch *
 - Add check_https_proxy
 - use check_https_proxy for install and update

Patch  : http://codereview.appspot.com/6245054/patch/1/2

Original issue reported on code.google.com by [email protected] on 25 May 2012 at 4:19

Error contacting log server

Opening the ELSA page gives a pop-up window stating that the log server cannot 
be contacted.  The log server is on the web server.

Running  Ubuntu 12.04 LTS.  Is that the problem?

ps aux | grep syslog shows that syslog-ng is running.

And the displayed web page does not show a page like your screenshots do on the 
ELSA wiki.


Original issue reported on code.google.com by [email protected] on 12 Jul 2012 at 11:46

Fixed Log Retention

Please consider adding a feature to store a fixed amount of logs (by date), in 
order to meet requirements such as PCI. Thanks.

Original issue reported on code.google.com by [email protected] on 29 May 2012 at 2:41

ELSA not preserving original IP

Is there a way to keep the original IP address from the forwarded syslog 
messages?

I have configured the syslog-ng.conf file in /nodes/conf directory to include 
an options {} parameter with the option of keep_hostname(yes) and 
chain_hostname(no). 

This doesn't seem to change anything in the ELSA database - Is there a better 
way to do this or have I missed something?

Thanks.

Original issue reported on code.google.com by [email protected] on 21 Mar 2012 at 11:12

query in web gui gives the error "query failed"

What steps will reproduce the problem?
1. load web UI
2. enter a query for "traffic"
3. enter a time period

What is the expected output? What do you see instead?
Successful query; instead I am getting a box saying "query failed"

What version of the product are you using? On what operating system?

Installed March 19 from install.sh script on RHEL 5 i386

Please provide any additional information below.

I think this issue may be related to issue 7. I have verified the backend similarly to issue 7 and when I submit a query on the web UI I get a query failed problem. Here is the output from web.log

Original issue reported on code.google.com by [email protected] on 23 Mar 2012 at 9:57

Missing perl and expat-devel dependencies

install.sh trunk downloaded morning of 2012-01-30, on RHEL6.2 x86_64.

What steps will reproduce the problem?
1. Start with patched RHEL6.2 x86_64
2. install.sh node
3. install.sh web

Sphinx compile says:

WARNING: source 'bte_content': xmlpipe2 support NOT compiled in. To use 
xmlpipe2, install missing XML libraries, reconfigure, and rebuild Sphinx

cron.pl says:

Couldn't require Transform::DNSDB : Can't locate URL/Encode.pm, etc.

/var/log/httpd/error_log says:

Couldn't require Transform::DNSDB : Can't locate AnyEvent/HTTP.pm

Fixes:

yum -y install expat-devel (don't know if you actually rely on sphinx expat 
support; if you don't, then you should probably add a --disable-feature to 
squelch the warning)

install perl modules AnyEvent::HTTP Net::CIDR::Lite URL::Encode 
Plack::Builder::Conditionals (the script only installed base Plack::Builder)

Original issue reported on code.google.com by [email protected] on 30 Jan 2012 at 4:38

Changing ELSA's Serving Port

I am not the most knowledgeable person when it comes to linux/apache. I need to 
run ELSA on the same apache2 as cacti. Is there a way to change the port ELSA 
uses?


Thanks!

Original issue reported on code.google.com by [email protected] on 28 Feb 2012 at 9:55

Need plugin for Fortinet FortiGate logs

I have a number of Fortinet FortiGate firewalls and would like to use this 
system with their syslog output.

I tried to look at the patterndb.xml and was confused as to what needed to be 
there to make this work.

Here are a couple of the log entries that need to be parsed:

Feb 10 11:27:01 logsource kernel: date=2012-02-10 time=11:27:01 
devname=CUSTID01-SITEID-FW device_id=FG100C999999999 log_id=13312 
subtype=ftgd_allow type=webfilter pri=notice vd=VDOM policyid=44 identidx=1 
serial=369298248 user=USER group=AD/GROUP src=10.1.2.3 sport=2163 src_port=2163 
src_int=INT dst=4.3.2.1 dport=80 dst_port=80 dst_int=WAN service=http 
hostname=col.stb.s-msn.com profiletype=Webfilter_Profile profile=PROFILE 
status=passthrough req_type=referral 
url=/i/79/65F987C952BDA0E84AE52464ADD59.jpg method=domain class=0 cat=41 
cat_desc="Search Engines and Portals" carrier_ep=N/A msg="URL belongs to an 
allowed category in policy" class_desc=N/A profilegroup=N/A

Feb 10 11:27:01 logsource kernel: date=2012-02-10 time=11:27:01 
devname=CUSTID01-SITEID-FW device_id=FGT80C9999999999 log_id=2 subtype=allowed 
type=traffic pri=notice vd=VDOM dir_disp=org tran_disp=snat src=10.1.2.3 
srcname=10.1.2.3 src_port=53624 dst=4.3.2.2 dstname=4.3.2.2 dst_port=80 
tran_ip=5.4.3.2 tran_port=49648 service=80/tcp proto=6 app_type=N/A 
duration=120 rule=49 policyid=49 identidx=0 sent=1221 rcvd=2062 
shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 sent_pkt=7 rcvd_pkt=6 
src_int=INT dst_int=WAN SN=16349534 app=N/A app_cat=N/A carrier_ep=N/A vpn=N/A 
status=accept user=N/A group=N/A shaper_sent_name=N/A shaper_rcvd_name=N/A 
perip_name=N/A

If I could get one or more pattern examples, I could work on others. The 
fields and properties are not yet fully documented, so I am not sure of a starting 
point.

Original issue reported on code.google.com by [email protected] on 10 Feb 2012 at 5:32
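As an added illustration of what a parser for these entries has to cope with (this is example code written here, not part of the ELSA project or its patterndb): the body after the syslog header is a run of key=value pairs in which some values are double-quoted and contain spaces, and fields that do not apply are written as N/A. The sample lines are constructed and shortened from the two entries quoted above, and the mapping from the FortiGate `type` field to an ELSA class name is an assumption for illustration only.

```python
import re

# Constructed sample lines, shortened from the two FortiGate entries quoted in the issue.
SAMPLE_WEBFILTER = (
    "Feb 10 11:27:01 logsource kernel: date=2012-02-10 time=11:27:01 "
    "devname=CUSTID01-SITEID-FW log_id=13312 subtype=ftgd_allow type=webfilter "
    "pri=notice src=10.1.2.3 sport=2163 dst=4.3.2.1 dport=80 service=http "
    "hostname=col.stb.s-msn.com url=/i/79/65F987C952BDA0E84AE52464ADD59.jpg "
    'cat_desc="Search Engines and Portals" carrier_ep=N/A '
    'msg="URL belongs to an allowed category in policy" class_desc=N/A'
)
SAMPLE_TRAFFIC = (
    "Feb 10 11:27:01 logsource kernel: date=2012-02-10 time=11:27:01 "
    "devname=CUSTID01-SITEID-FW log_id=2 subtype=allowed type=traffic pri=notice "
    "src=10.1.2.3 src_port=53624 dst=4.3.2.2 dst_port=80 service=80/tcp proto=6 "
    "duration=120 policyid=49 sent=1221 rcvd=2062 app=N/A status=accept user=N/A"
)

# Syslog header: "<Mon DD HH:MM:SS> <host> <program>: <body>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<program>\S+): (?P<body>.*)$"
)
# key=value pairs: a value is either a double-quoted string (may contain spaces)
# or a run of non-space characters (paths, "80/tcp", "AD/GROUP" are all fine).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Assumed mapping from the FortiGate "type" field to an ELSA class name (illustration only).
CLASS_BY_TYPE = {"webfilter": "url", "traffic": "firewall"}


def parse_fortigate(line):
    """Split a FortiGate syslog line into header parts plus a dict of its key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    fields = {}
    for key, raw in KV_RE.findall(m.group("body")):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]          # strip the quotes, keep the embedded spaces
        if raw == "N/A":
            continue                 # FortiGate writes N/A for fields that do not apply
        fields[key] = int(raw) if raw.isdigit() else raw
    return {"host": m.group("host"), "program": m.group("program"),
            "class": CLASS_BY_TYPE.get(fields.get("type"), "unknown"), "fields": fields}
```

Running it over the two samples yields 'cat_desc' and 'msg' intact despite their spaces, numeric fields such as dport and sent as integers, and no keys for the N/A fields.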

Empty dataset on time ranged query

What steps will reproduce the problem?
1. Search for class=none
2. Date range two days ago within one hour (i.e. 2012-04-25 15:50:20 to 2012-04-25 
16:50:20)


What is the expected output? 
Thousands of Rows


What do you see instead?
0 rows

What version of the product are you using?

SVN checkout of ELSA.
syslog-ng 3.3.5


On what operating system?
Debian Squeeze

Please provide any additional information below.
apache2/error log
Use of uninitialized value in addition (+) at 
/srv/syslogdata/elsa/web/lib/API.pm line 2692.


web.log

* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/Web.pm (102) 
Web::_extract_method 32699 [undef]
uri: 
/Query/query?q=%7B%22query_string%22%3A%22%20class%3Dnone%22%2C%22query_meta_par
ams%22%3A%7B%22end%22%3A1335361820.838%2C%22start%22%3A1335358220.837%7D%7D
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/Web/Query.pm (19) 
Web::Query::call 32699 [undef]
method: query
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2198) 
API::query 32699 [undef]
Decoded as : $VAR1 = {
          'query_meta_params' => {
                                   'start' => '1335358220.837',
                                   'end' => '1335361820.838'
                                 },
          'query_string' => ' class=none'
        };
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2266) 
API::query 32699 [undef]
Received query with qid 1015 at 1335532165.89763
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2831) 
API::_parse_query_string 32699 [undef]
orig_parsed_query: $VAR1 = {
          '' => [
                  {
                    'value' => 'none',
                    'op' => '=',
                    'field' => 'class'
                  } 
                ] 
        };
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3203) 
API::_parse_query_term 32699 [undef]
terms: $VAR1 = {
          '' => [
                  {
                    'value' => 'none',
                    'field' => 'class',
                    'op' => '='
                  } 
                ]
        };
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3271) 
API::_parse_query_term 32699 [undef]
Set operator  for given class none
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2861) 
API::_parse_query_string 32699 [undef]
attr before conversion: $VAR1 = {
          'or' => {},
          'not' => {},
          'and' => {}
        };
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2952) 
API::_parse_query_string 32699 [undef]
Permissions grant access to any host_id
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2952) 
API::_parse_query_string 32699 [undef]
Permissions grant access to any program_id
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2952) 
API::_parse_query_string 32699 [undef]
Permissions grant access to any node_id
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3093) 
API::_parse_query_string 32699 [undef]
field_terms: $VAR1 = {
          'or' => {},
          'not' => {},
          'and' => {}
        };
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3094) 
API::_parse_query_string 32699 [undef]
any_field_terms: $VAR1 = {
          'or' => {},
          'not' => {},
          'and' => {}
        };
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3145) 
API::_parse_query_string 32699 [undef]
query_term_count: 1, num_added_terms: 0
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (3158) 
API::_parse_query_string 32699 [undef]
META_PARAMS: $VAR1 = {
          'start' => '1335358220.837',
          'end' => '1335361820.838'
        };
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2486) 
API::_sphinx_query 32699 [undef]
sphinx_query: SELECT *, 1 AS positive_qualifier, 0 AS negative_qualifier FROM 
perm_120, perm_121 WHERE MATCH('') AND positive_qualifier=1 AND 
negative_qualifier=0 AND class_id IN (?) AND timestamp BETWEEN ? AND ? LIMIT 
?,? OPTION ranker=none, values: $VAR1 = [
          '1',
          1335358220,
          1335361820
        ];
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2495) 
API::__ANON__ 32699 [undef]
Sphinx query for node 127.0.0.1 finished in 0.0046238899230957
* DEBUG [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2723) 
API::_sphinx_query 32699 [undef]
completed query in 0.00582790374755859 with 0 rows
* INFO [2012/04/27 16:09:25] /srv/syslogdata/elsa/web/lib/API.pm (2321) 
API::query 32699 [undef]
Query 1015 returned 0 rows


Original issue reported on code.google.com by [email protected] on 27 Apr 2012 at 1:14

Not able to view more than 100 records

There are 2000 records/logs in ELSA Web, but I am able to view only 100 
logs/records. How do I view more than 100 records in ELSA Web? If I choose to 
download the report I get those 100 records only.

Do I need to change any configs to view all the logs?

Kindly suggest!

Original issue reported on code.google.com by [email protected] on 24 Jul 2012 at 7:49

Query with class=ANY

What steps will reproduce the problem?
1. Get results for class = ANY

What is the expected output? What do you see instead?
Expected: logs of all classes are returned.

What version of the product are you using? On what operating system?
SVN checkout of ELSA.
syslog-ng 3.3.5

Please provide any additional information below.

Received query with qid 2180 at 1337084276.6769
* DEBUG [2012/05/15 15:17:56] /srv/syslogdata/elsa/web/lib/API.pm (2831) 
API::_parse_query_string 1963 [undef]
orig_parsed_query: $VAR1 = {
          '' => [
                  {
                    'value' => 'ANY',
                    'op' => '=',
                    'field' => 'class'
                  }
                ]
        };
* DEBUG [2012/05/15 15:17:56] /srv/syslogdata/elsa/web/lib/API.pm (3203) 
API::_parse_query_term 1963 [undef]
terms: $VAR1 = {
          '' => [
                  {
                    'value' => 'ANY',
                    'field' => 'class',
                    'op' => '='
                  }
                ]
        };
* ERROR [2012/05/15 15:17:56] /srv/syslogdata/elsa/web/lib/Web/Query.pm (37) 
Web::Query::call 1963 [undef]
Unknown class ANY at /srv/syslogdata/elsa/web/lib/API.pm line 3261.

Is class=ANY query able to execute?

kind regards,
thanasys

Original issue reported on code.google.com by [email protected] on 15 May 2012 at 12:21

Cisco Syslog Support

I have read that Cisco's syslogs are supported by ELSA; is there anything I need to 
configure for that functionality?


-Thanks!


Original issue reported on code.google.com by [email protected] on 1 Mar 2012 at 11:55

Error message "No nodes available at ......"

What steps will reproduce the problem?
1. Submit a query

What is the expected output? What do you see instead?

Instead of the search results we receive an error message: "No nodes available at 
/usr/local/elsa/web/lib/API.pm line 1770"

What version of the product are you using? On what operating system?

Elsa: Release 326
OS: Ubuntu 10.04.4 LTS

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 28 Jun 2012 at 2:45

Missing packages installing web on Ubuntu 12.04

What steps will reproduce the problem?
1.  Install Ubuntu 12.04 with default setup + SSHD
2.  Install ELSA using install.sh script
3.  Error in installation

error:

----QUOTE----
--> Working on Geo::IP
Fetching http://www.cpan.org/authors/id/B/BO/BORISZ/Geo-IP-1.40.tar.gz ... OK
Configuring Geo-IP-1.40 ... N/A
! Configure failed for Geo-IP-1.40. See /home/testuser/.cpanm/build.log for 
details.
Retry 3
build_web_perl FAIL
----ENDQUOTE----

in build.log
----QUOTE----
Configuring Geo-IP-1.40
Running Makefile.PL

The GeoIP CAPI is not installed you should do that. Otherwise try

    perl Makefile.PL PP=1

to install this module anyway. It uses a slower pure perl version
and you can rebuid it later.

GeoIP must be installed prior to building Geo::IP and I can't find
it in the standard library directories. You can download GeoIP C API from:

http://www.maxmind.com/app/c

If GeoIP is installed, but in a non-standard directory, then use the
following options to Makefile.PL:

    perl Makefile.PL LIBS='-L/home/me/lib' INC='-I/home/me/include'

Note that if you build against a shareable library in a non-standard location
you may (on some platforms) also have to set your LD_LIBRARY_PATH environment
variable at run time for perl to find the library.

If you installed the GeoIP C libraries to the /usr/local/lib directory,
then you may need to add /usr/local/lib to /etc/ld.so.conf then run
/sbin/ldconfig /etc/ld.so.conf

----ENDQUOTE----


After installing package "libgeoip-dev", the web module installed correctly.


PATCH:

In install.sh, function ubuntu_get_web_packages, add the package to the list.


I guess other Linux distros may have the same issue. Unable to test.

Original issue reported on code.google.com by [email protected] on 31 May 2012 at 12:37

Creating alert causes error

I am trying to create an alert from a query result and have just recently 
updated from CVS.

I am getting the following error in a popup every time I try to create an alert:

Invalid args, missing arg: connector

Additionally, when I try to look at the scheduled alerts from the ELSA drop-down 
menu, I get an error in the table saying "Data error".


Original issue reported on code.google.com by [email protected] on 23 Feb 2012 at 5:13

No Archlinux Support

It would be great if we could get some Archlinux support, as all my personal 
and development servers are running on Arch.
I plan to take a look at the installer script and modify it for use with 
Archlinux by the end of the week. I'll post what I've got and hopefully get it 
pulled into the project. :)

Original issue reported on code.google.com by [email protected] on 18 Jun 2012 at 7:06

Unable to use '-' within quoted query

What steps will reproduce the problem?
1. Query "Application Name: - Network Information"


What is the expected output? What do you see instead?
I expect a search containing everything within the quotation marks.  However, 
the query box loses the '-' and the query returns nothing.

What version of the product are you using? On what operating system?
OS: Red Hat Enterprise 6

Please provide any additional information below.
Replacing the - with a + or other symbols I've tried won't produce this result. 
 I'm using this query to find entries that contain no Application Name, which 
are listed in a general query of eventID 5152 from SNARE data.

Original issue reported on code.google.com by [email protected] on 16 Jul 2012 at 8:34
