Skip to main content

API

No Stability Guarantees

The EveBox API is currently under active development and may change without notice. Endpoints, request parameters, and response formats are not subject to semantic versioning or backward compatibility guarantees.

/api/pcap

Downloads packets from the configured server-local capture spool.

Methods: GET, POST

GET accepts query parameters and streams the capture. POST accepts the same fields as JSON, buffers the result, and cannot exceed the fixed 8,000,000-byte server limit. All request fields are strings.

ParameterDescription
event_idEveBox datastore ID used to derive the event flow and time window.
filterOptional libpcap BPF expression.
startRFC 3339 start time for a free-form request.
durationWindow after start; defaults to 1m.
beforeWindow before an event timestamp. Requires event_id.
afterWindow after an event timestamp. Requires event_id.
max_sizeOutput cap such as 50mb; 0, none, or unlimited removes the cap for streaming GET requests.

Use event_id by itself for an event capture, event_id with before or after for an event-relative window, or start with optional duration and filter for a free-form capture.

curl --fail --get 'http://localhost:5636/api/pcap' \
--data-urlencode 'start=2026-07-13T12:00:00Z' \
--data-urlencode 'duration=5m' \
--data-urlencode 'filter=tcp port 443' \
--output capture.pcap

GET /api/pcap/validate accepts the same query parameters and validates the request without reading capture files. It returns ok and the suggested download filename, but does not check whether packets match.

POST returns a structured error when no packets match and sets X-EveBox-PCAP-Truncated: true when its buffered result reaches a size or scan limit. A streaming GET with no matching or available packets instead returns a valid, header-only capture. If a GET reaches a limit after its response headers have been sent, the partial capture cannot be marked with a late truncation header.

/api/sensors

Returns a list of all sensor names in your data.

Method: GET

Example:

curl "http://localhost:5636/api/sensors"

Response:

{
"data": ["sensor-1", "sensor-2", "sensor-3"]
}

/api/alerts

Returns aggregated alerts grouped by signature, source IP, and destination IP.

Method: GET

Parameters:

ParameterDescriptionExample
sensorFilter by sensor namesensor=my-sensor
time_rangeTime window to querytime_range=24h, time_range=7d
query_stringAdditional search filtersquery_string=src_ip:192.168.1.1
tagsFilter by tags (comma-separated)tags=evebox.escalated

Example:

# Get alerts from the last 24 hours
curl "http://localhost:5636/api/alerts?time_range=24h"

# Get alerts from a specific sensor
curl "http://localhost:5636/api/alerts?sensor=my-sensor&time_range=24h"

Response:

{
"events": [...],
"took": 42,
"timed_out": false,
"min_timestamp": "2025-12-28T00:00:00Z",
"max_timestamp": "2025-12-29T00:00:00Z"
}

/api/events

Returns individual events with optional filtering. With no size or order, the endpoint returns up to 500 events, newest first.

Method: GET

Parameters:

ParameterDescriptionDefaultExample
event_typeExact event type to return.all typesevent_type=alert
sensorExact sensor name to return.all sensorssensor=my-sensor
query_stringAdditional field:value filters. The sensor field is host.nonequery_string=src_ip:192.168.1.1
fromInclusive ISO 8601 start timestamp.unboundedfrom=2025-12-28T00:00:00Z
toInclusive ISO 8601 end timestamp.unboundedto=2025-12-29T00:00:00Z
sizePositive number of events to return.500size=100
orderTimestamp order: asc or desc.descorder=asc
sort_byElastic/OpenSearch field to sort by; ignored with SQLite.@timestampsort_by=@timestamp

Examples:

# Get up to 500 recent alerts from a specific sensor.
curl "http://localhost:5636/api/events?event_type=alert&sensor=my-sensor"

# The equivalent sensor filter using the query string.
curl "http://localhost:5636/api/events?event_type=alert&query_string=host:my-sensor"

# Get the last 50 alerts.
curl "http://localhost:5636/api/events?event_type=alert&size=50&order=desc"

If authentication is required, add -u username:password to the curl command or use an authenticated EveBox session.

/api/agg

Groups events over a field and returns the counts for each value. Similar to an SQL query like:

SELECT COUNT(event_type), event_type FROM events GROUP BY event_type ORDER BY count DESC;

Method: GET

Parameters:

ParameterDescriptionDefaultExample
fieldField name to group over(required)field=event_type
time_rangeTime range to search over24htime_range=7d
sizeNumber of results to return10size=20
orderSort order (desc or asc)descorder=asc
qOptional query string filterq=src_ip:192.168.1.1

Example:

# Get top 10 event types in the last 24 hours
curl "http://localhost:5636/api/agg?field=event_type"

# Get top 20 source IPs in the last 7 days
curl "http://localhost:5636/api/agg?field=src_ip&time_range=7d&size=20"

Response:

{
"rows": [
{"key": "alert", "count": 1234},
{"key": "dns", "count": 567},
{"key": "http", "count": 89}
]
}