Agent Configuration File
While the Agent can be run using command line parameters, it can also be fully configured with a configuration file.
While there is no default location for the configuration,
/etc/evebox/agent.yaml is recommended.
The EveBox Agent must also be told where to find the configuration file, for example:
evebox agent -c /etc/evebox/agent.yaml
Command line arguments will always override the configuration file.
# EveBox Agent configuration file - subject to change.
# Server information.
server:
url: http://127.0.0.1:5636
# Username and password. Note that at this time even with
# authentication enabled on the EveBox server, agents can still
# submit events without authenticating. You will need to supply and
# username and password if running behind a reverse proxy
# implementing authentication.
#username: username
#password: password
# Enable output to Elasticsearch. If enabled, the above server section
# will not be used.
elasticsearch:
enabled: true
url: http://127.0.0.1:9200
index: logstash
# Set to true if the index is a datastream.
#nodate: false
#username: username
#password: password
# Directory to store data and state information required by the agent. This
# isn't always required. If the agent has write access to the log directory it
# can store bookmark information along side the eve log files.
#data-directory: "/var/lib/evebox"
# If the EveBox server is running behind TLS and the certificate is
# self signed, certificate validation can be disabled.
#disable-certificate-check: true
# Path to Suricata Eve log files.
input:
paths:
- "/var/log/suricata/eve.json"
- "/var/log/suricata/eve.*.json"
# Additional fields that will be added to each event. This is currently limited
# to strings at this time.
additional-fields:
#sensor-name: "my super secret sensor"
# The event reader can also add the rule to alert events. Do not enable
# if you already have Suricata logging the rule.
#rules:
# - /var/lib/suricata/rules/*.rules
# - /usr/share/suricata/rules/*.rules
# - /etc/suricata/rules/*.rules