1
00:00:01,230 --> 00:00:04,920
In this lecture I will start explaining about ELSA.

2
00:00:05,460 --> 00:00:14,250
So ELSA, or Enterprise Log Search and Archive, is a three-tiered log receiver, archiver, indexer and

3
00:00:14,250 --> 00:00:20,670
web frontend for incoming syslog. It can be accessed in Security Onion from the Chromium browser,

4
00:00:20,940 --> 00:00:23,380
which it works best with.

5
00:00:23,430 --> 00:00:31,350
So here I will click on the icon of ELSA and we see this message that is saying that our connection

6
00:00:31,350 --> 00:00:33,530
is not private or not secure.

7
00:00:33,840 --> 00:00:43,440
And I have to click on Advanced and then Proceed to localhost, and it asks us for a username and password,

8
00:00:44,010 --> 00:00:52,080
which is the same username and password used with Sguil, since ELSA authenticates against the

9
00:00:52,140 --> 00:00:54,700
Sguil database.

10
00:00:54,780 --> 00:01:04,980
So here we see the web interface of ELSA, and the first thing we have to focus on is the From and To fields,

11
00:01:05,400 --> 00:01:14,490
which specify the time range that ELSA will search the logs for, and it is the last two days

12
00:01:14,490 --> 00:01:15,880
by default.

13
00:01:15,990 --> 00:01:27,180
So I will change the From date to be this date, for example, so that it will search for the logs that resulted

14
00:01:27,180 --> 00:01:36,060
from running the tcpreplay command that we have used in the previous lectures, and also I have to

15
00:01:36,180 --> 00:01:51,850
specify a class here, and I will specify the class to be Bro connection so that I will search for logs

16
00:01:51,850 --> 00:02:05,660
coming from Bro, which is an intrusion detection system program, and now I will hit Enter or click

17
00:02:05,660 --> 00:02:09,020
on Submit Query.

18
00:02:09,170 --> 00:02:25,930
So we see here that we have more than 1000 records, and the first 100 records are shown by default, and

19
00:02:25,930 --> 00:02:38,740
we see also that the results are displayed in seven pages, where we have 15 records per page, and we

20
00:02:38,740 --> 00:02:52,490
can change that if we want. And also we see, highlighted in yellow, that the records or logs are coming

21
00:02:52,550 --> 00:03:02,900
from the program and class Bro connection, and also we see information like the source IP, source port,

22
00:03:04,310 --> 00:03:04,730
and

23
00:03:08,180 --> 00:03:16,120
destination IP and destination port, and also the connection duration,

24
00:03:16,320 --> 00:03:26,580
the number of bytes, number of packets, and also the country, which is here the U.S., so the country

25
00:03:27,330 --> 00:03:29,990
that the IP block belongs to.

26
00:03:30,030 --> 00:03:41,730
So we see the country here is US, and here we see also that we have a record where the country is Russia,

27
00:03:44,490 --> 00:03:51,510
so we can also get the same result by using another way.

28
00:03:51,510 --> 00:04:04,220
So here we close this tab, and I will remove the class from the query field, and I will go to the

29
00:04:06,270 --> 00:04:13,230
drop-down menu and I will select Connection and then Class Connection, and we see that it

30
00:04:13,230 --> 00:04:23,540
populates the class in the query field, and then I will also hit Submit Query or hit Enter, so we see

31
00:04:23,630 --> 00:04:27,790
that we have gotten the same results here.

32
00:04:29,910 --> 00:04:43,340
So in that way I have explained how to start using ELSA and how to specify a class and a time range to

33
00:04:43,910 --> 00:04:53,120
get the logs that we are searching for, and in the next lecture I will continue explaining about ELSA

34
00:04:53,510 --> 00:04:58,550
and specifically about how to use the groupby clause.