SQLite
The EveBox Server can use SQLite, eliminating the need to manage an external database system like Elasticsearch.
SQLite is only suitable for smaller deployments such as demos, training and home installations with only a few Suricata sensors and an event retention time of up to a week. While it can handle higher loads, Elasticsearch will generally be much faster in such cases, but it also requires far more system resources.
Using SQLite
As Elasticsearch is the default, the EveBox Server needs to be configured to use SQLite, either on the command line or in the configuration file.
For example:
evebox server -D /path/to/data --sqlite
Or with the configuration file:
data-directory: /var/lib/evebox
database:
  type: sqlite
  # Automatically delete events older than 7 days.
  retention:
    days: 7
Adding Events
The only ways to add events to the EveBox SQLite database are directly through the server or with the EveBox Agent.
Event Retention
By default, EveBox when used with SQLite will continuously delete events older than 7 days, but retention can also be based on the size of the database file. Size-based retention must be configured in the configuration file.
# Database configuration.
database:
  type: sqlite
  retention:
    # Only keep events for the past 7 days.
    # - SQLite only
    # - Default 7 days
    # - Set to 0 to disable
    days: 7
    # Maximum database size.
    # - SQLite only
    # - No default
    #size: "20 GB"
- If not otherwise configured, retention.days defaults to 7. To disable date-based retention this value must be set to 0. Removing it or commenting it out results in the default of 7 days.
- Size-based retention can be specified in values of MB or GB. By default, size-based retention is disabled.
- It is OK to specify both days and size.
As with most SQL databases, it is hard to recover when there is no space left. A future release may force a retention policy based on the amount of free disk space, but as of 0.17.0, no such protection mechanism is in place.
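The retention rules above (days defaulting to 7, 0 disabling date-based retention, an optional MB/GB size limit) and the disk-full caveat can be checked before a deployment goes live. The following script is an added example, not EveBox code: it takes the database section of the configuration as a plain dict (constructed inline, so no YAML library is needed), derives the effective policy, and warns when the configured limits cannot protect the disk. The decimal interpretation of MB and GB is an assumption, as are all function names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: MB and GB are decimal units (EveBox's own unit handling is not
# documented on this page).
SIZE_UNITS = {"MB": 1000 ** 2, "GB": 1000 ** 3}


@dataclass
class RetentionPolicy:
    days: int                   # 0 means date-based retention is disabled
    size_bytes: Optional[int]   # None means size-based retention is disabled


def parse_size(text: str) -> int:
    """Parse a size value such as "20 GB" or "500MB" into bytes."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(MB|GB)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported size {text!r}; use MB or GB")
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2).upper()])


def effective_retention(config: dict) -> RetentionPolicy:
    """Apply the defaults described in the EveBox SQLite documentation."""
    db = config.get("database", {})
    if db.get("type") != "sqlite":
        raise ValueError("retention settings apply to SQLite only")
    retention = db.get("retention", {})
    days = retention.get("days")
    days = 7 if days is None else int(days)   # missing key -> default of 7
    if days < 0:
        raise ValueError("retention.days must be 0 (disabled) or positive")
    size = retention.get("size")
    return RetentionPolicy(days=days, size_bytes=parse_size(size) if size else None)


def headroom_warnings(policy: RetentionPolicy, db_bytes: int, free_bytes: int) -> list:
    """Flag configurations that leave the disk-full failure mode unguarded."""
    warnings = []
    if policy.days == 0 and policy.size_bytes is None:
        warnings.append("unbounded: neither days nor size retention is active")
    if policy.size_bytes is not None and policy.size_bytes > db_bytes + free_bytes:
        warnings.append("size-exceeds-disk: the limit is larger than usable space")
    return warnings


# Constructed sample mirroring the configuration shown on this page.
SAMPLE_CONFIG = {"database": {"type": "sqlite",
                              "retention": {"days": 7, "size": "20 GB"}}}

if __name__ == "__main__":
    policy = effective_retention(SAMPLE_CONFIG)
    print(policy, headroom_warnings(policy, db_bytes=0, free_bytes=5 * 1000 ** 3))
```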