Try EveBox
To quickly try EveBox, first download a binary package from the links below and unzip it:
Then run EveBox directly against an eve.json file from Suricata:
./evebox oneshot /path/to/eve.json
If a browser window doesn't open automatically, open http://localhost:5636 in your browser. This is called oneshot mode: a single eve.json file is loaded for inspection into a temporary database, which is destroyed when you close EveBox.
EveBox Deployment Options
EveBox was initially developed to connect directly to Elasticsearch being fed Suricata events by Logstash; however, the deployment options have changed over time, which can complicate the choice a little.
The current deployment options are:
- Elasticsearch with Suricata events added by Logstash. Note that transforming events in Logstash can break EveBox's expectations of what a Suricata event looks like.
- Elasticsearch with Suricata events added by Filebeat and the Filebeat plugin.
- EveBox server (and optional agent) with Elasticsearch as a backend.
- EveBox server (and optional agent) with the built-in SQLite backend.
The first two Elasticsearch options are ideal if you are already ingesting Suricata events with Logstash or Filebeat.
The third option, where EveBox manages the events itself, is mostly compatible with the Logstash method and is ideal if you have a rather large event load and are able to manage Elasticsearch yourself.
The SQLite option is ideal for small deployments such as home networks; it is mostly self-managing and is also the simplest way to run EveBox.
SQLite is better suited to smaller loads, such as low-bandwidth sensors or home networks, especially if you are willing to set limits on the database size or the age of events, such as 14 days and/or 40 gigabytes.
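Whichever backend you choose, EveBox expects records shaped like what Suricata writes, and the Logstash caveat above (transforms that rename or drop fields) is the usual way that expectation breaks. The following checker is an added example, not part of EveBox or Suricata: it reads newline-delimited eve.json, counts records by event_type, and flags records missing the fields Suricata normally emits. The field list and the sample records are assumptions constructed for the example, not an EveBox specification.

```python
"""Sanity-check an eve.json file before handing it to EveBox.

Added example; not EveBox's or Suricata's own code. The required field
list below is an assumption based on what Suricata's EVE output normally
contains, not a specification of what EveBox requires."""
import json
from collections import Counter

# Fields present on every Suricata EVE record (assumption), plus the
# 5-tuple fields an alert record carries. A Logstash filter that renames
# these (e.g. src_ip -> source.ip) is a typical cause of empty dashboards.
COMMON_FIELDS = ("timestamp", "event_type")
FLOW_FIELDS = ("src_ip", "src_port", "dest_ip", "dest_port", "proto")


def check_record(record):
    """Return a list of problems with one decoded EVE record (empty = OK)."""
    problems = []
    for field in COMMON_FIELDS:
        if field not in record:
            problems.append(f"missing {field}")
    if record.get("event_type") == "alert":
        if not isinstance(record.get("alert"), dict):
            problems.append("alert event without alert object")
        for field in FLOW_FIELDS:
            if field not in record:
                problems.append(f"alert missing {field}")
    return problems


def check_eve_lines(lines):
    """Parse newline-delimited JSON and summarize what EveBox would see.

    Returns (counts_by_event_type, problems) where problems is a list of
    (line_number, description) tuples."""
    counts = Counter()
    problems = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append((lineno, f"not JSON: {exc.msg}"))
            continue
        counts[record.get("event_type", "<none>")] += 1
        for description in check_record(record):
            problems.append((lineno, description))
    return counts, problems


def check_file(path):
    """Run check_eve_lines over a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_eve_lines(fh)


# Constructed sample input: a well-formed alert, a flow record, an alert
# mangled by a transform pipeline (flow fields moved under "source" and
# "destination"), and a truncated line such as a partial write leaves.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":44312,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature":"SAMPLE RULE","signature_id":1000001,"severity":2}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"alert","source":{"ip":"10.0.0.5"},"destination":{"ip":"10.0.0.9"},"alert":{"signature":"SAMPLE RULE"}}
{"timestamp":"2024-01-01T00:00:04.000000+0000","event_type":"
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        counts, problems = check_file(sys.argv[1])   # e.g. /path/to/eve.json
    else:
        counts, problems = check_eve_lines(SAMPLE_EVE.splitlines())
    for event_type, n in counts.most_common():
        print(f"{event_type:>10}: {n}")
    for lineno, description in problems:
        print(f"line {lineno}: {description}")
```

Run it with the path to an eve.json as its only argument; with no argument it checks the embedded sample and reports the five missing 5-tuple fields on the transformed alert plus the unparseable last line. Running it on the Logstash-side output (rather than Suricata's original file) shows directly whether the pipeline has altered the shape EveBox expects.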
So Which Deployment Option Should I Use?
If you are still asking this question after reading the options above, I suggest you try the built-in SQLite database. There is no "stack" to support and it just works out of the box. This will at least get you familiar with EveBox with little effort; you can then decide to move to Elasticsearch if you have higher loads.
EveBox attempts to keep feature parity across backends; however, Elasticsearch also lets you use Kibana for essentially unlimited custom reporting.