Intro
Quick Try
If you'd like to quickly try EveBox without installing, first download and unzip one of the standalone binaries:
Then run EveBox directly against an eve.json file from Suricata:
./evebox oneshot /path/to/eve.json
If a browser window does not open automatically, open http://localhost:5636 in your browser. This is called oneshot mode: a single eve.json file is loaded for inspection into an in-memory database, which is destroyed when you close EveBox.
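To make the oneshot idea concrete, here is an added example (not EveBox's own code) that loads newline-delimited Suricata EVE records into a throwaway in-memory SQLite database and summarises the alerts; the EVE lines are constructed for illustration and the function names are my own.

```python
import json
import sqlite3
from typing import Dict, Iterable, Tuple

# Constructed sample of newline-delimited EVE JSON (not real sensor output).
# Field names follow Suricata's EVE alert records; SIDs use the local range.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED TEST alert A","severity":2}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED TEST alert A","severity":2}}
not valid json
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED TEST alert B","severity":3}}
"""


def load_eve(lines: Iterable[str]) -> sqlite3.Connection:
    """Load EVE records into a fresh in-memory SQLite database.

    Like oneshot mode, the data lives only as long as the connection.
    Malformed lines are skipped instead of aborting the load, because a
    live eve.json may end in a partially written record.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE events (ts TEXT, event_type TEXT, src_ip TEXT, "
        "dest_ip TEXT, proto TEXT, sid INTEGER, signature TEXT, raw TEXT)"
    )
    db.execute("CREATE INDEX idx_type ON events(event_type)")
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt records
        alert = ev.get("alert") or {}
        db.execute(
            "INSERT INTO events VALUES (?,?,?,?,?,?,?,?)",
            (ev.get("timestamp"), ev.get("event_type"), ev.get("src_ip"),
             ev.get("dest_ip"), ev.get("proto"), alert.get("signature_id"),
             alert.get("signature"), line),
        )
    db.commit()
    return db


def event_counts(db: sqlite3.Connection) -> Dict[str, int]:
    """Number of loaded records per EVE event_type."""
    rows = db.execute("SELECT event_type, COUNT(*) FROM events GROUP BY event_type")
    return {etype: n for etype, n in rows}


def alert_summary(db: sqlite3.Connection) -> Dict[Tuple[int, str], int]:
    """Alert count per (signature_id, signature), most frequent first."""
    rows = db.execute(
        "SELECT sid, signature, COUNT(*) AS n FROM events "
        "WHERE event_type = 'alert' GROUP BY sid, signature ORDER BY n DESC"
    )
    return {(sid, sig): n for sid, sig, n in rows}


if __name__ == "__main__":
    conn = load_eve(SAMPLE_EVE.splitlines())
    print(event_counts(conn))
    print(alert_summary(conn))
```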
EveBox Deployment Options
EveBox can be used in multiple ways:
Existing Elasticsearch Stack
As part of an Elasticsearch stack. If you already have an ELK stack set up with Logstash or Filebeat processing Suricata events, the EveBox Server can be pointed at your existing Elasticsearch server.
Standalone
The EveBox Server can use an embedded SQLite database and process Suricata events on its own for a small and simple deployment where EveBox and Suricata are running on the same host (Elasticsearch could also be used as the datastore in this scenario).
Server and Agent
The EveBox Server can be configured to use Elasticsearch or SQLite as the datastore and one or more EveBox Agents can forward Suricata events to the EveBox Server.
SQLite is good for demo purposes or single-sensor monitoring with a retention period of up to 7 days, but it is not ideal for longer data retention or larger event loads.