Version: 0.21.x

Debian Packages Debian / Ubuntu

EveBox provides an Apt repository with Debian packages for Debian/Ubuntu style systems.

Stable Repository

sudo apt-get install curl
sudo mkdir -p /etc/apt/keyrings
sudo curl -fsSL https://evebox.org/files/GPG-KEY-evebox -o /etc/apt/keyrings/evebox.asc
echo "deb [signed-by=/etc/apt/keyrings/evebox.asc] https://evebox.org/files/debian stable main" | sudo tee /etc/apt/sources.list.d/evebox.list
sudo apt-get update
sudo apt-get install evebox

Development Builds

Caution

These packages are built directly from the main git branch and break at times. They may also introduce database changes that cause breakage when an SQL back-end is in use.

sudo apt-get install curl
sudo mkdir -p /etc/apt/keyrings
sudo curl -fsSL https://evebox.org/files/GPG-KEY-evebox -o /etc/apt/keyrings/evebox.asc
echo "deb [signed-by=/etc/apt/keyrings/evebox.asc] https://evebox.org/files/debian unstable main" | sudo tee /etc/apt/sources.list.d/evebox.list
sudo apt-get update
sudo apt-get install evebox

Starting and Stopping

The EveBox Debian/Ubuntu package is configured to start and stop the EveBox Server with systemd.

Starting the EveBox Server

systemctl start evebox

Stopping the EveBox Server

systemctl stop evebox

Starting the EveBox Server on Boot

systemctl enable evebox

Configuring

With systemd

If using systemd, command line options can be set in the file /etc/default/evebox (note that this file does not exist by default).

For example, if you want to use SQLite by default, instead of Elasticsearch/OpenSearch:

EVEBOX_OPTS="--database sqlite"

Or if you wanted the EveBox Server to also consume Suricata log files without the use of an agent:

EVEBOX_OPTS="/var/log/suricata/eve.json"

Or if you wanted to use SQLite and consume Suricata logs:

EVEBOX_OPTS="--database sqlite /var/log/suricata/eve.json"

Permissions

This section is important if you also want to consume Suricata logs directly with the EveBox Server.

By default, when the EveBox Server is run by systemd, it runs as the user evebox. If you installed Suricata using the PPA, it is likely that only users that belong to the suricata group have read access to /var/log/suricata, so the EveBox Server must be given permission to read this directory as well. The easiest way to achieve this is to add the evebox user to the suricata group. This can be done on Linux with the following command:

sudo usermod -a -G suricata evebox

In short, EveBox needs read access to the Suricata logs if you wish EveBox to consume them. How that access is set up is specific to your installation, so verify it there.
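One way to carry out that verification, as an added example that is not part of the EveBox documentation or code: a shell script that walks each component of the log path and reports the first one whose mode bits deny the given user access. The function names, the script name check.sh and the reliance on GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (not EveBox code): locate the path component that stops a
# service account from reading a log file. Uses only mode bits and group
# membership; POSIX ACLs and root's override are not considered.
# Assumes GNU stat (coreutils), as shipped on Debian/Ubuntu.

# allows MODE OWNER GROUP USER "USER_GROUPS" NEED
# MODE as printed by `stat -c %a`; NEED is 4 (read) or 1 (search a directory).
# Exactly one permission class applies: owner, else group, else other.
allows() {
    m=$(( $1 % 1000 ))                  # drop the setuid/setgid/sticky digit
    if [ "$4" = "$2" ]; then
        bits=$(( m / 100 ))
    else
        case " $5 " in
            *" $3 "*) bits=$(( m / 10 % 10 )) ;;
            *)        bits=$(( m % 10 )) ;;
        esac
    fi
    [ $(( bits & $6 )) -ne 0 ]
}

# walk USER ABSOLUTE_PATH: check parent directories first, print the first blocker.
walk() {
    case "$2" in
        /|.) ;;
        *) walk "$1" "$(dirname "$2")" || return $? ;;
    esac
    # Word splitting of the three stat fields is intended here.
    set -- "$1" "$2" $(stat -c '%a %U %G' "$2" 2>/dev/null)
    [ "$#" -eq 5 ] || { echo "cannot stat $2" >&2; return 2; }
    if [ -d "$2" ]; then need=1; else need=4; fi
    allows "$3" "$4" "$5" "$1" "$user_groups" "$need" && return 0
    printf '%s (mode %s, owner %s, group %s)\n' "$2" "$3" "$4" "$5"
    return 1
}

# first_blocker USER PATH: 0 = readable, 1 = blocked (component printed), 2 = error.
first_blocker() {
    user_groups=$(id -Gn "$1" 2>/dev/null) || { echo "no such user: $1" >&2; return 2; }
    walk "$1" "$2"
}

# e.g. sudo sh check.sh evebox /var/log/suricata/eve.json
if [ "$#" -eq 2 ]; then first_blocker "$1" "$2"; fi
```

The check reads group membership from the account database, while a running EveBox Server keeps the groups it was started with, so restart the service after changing membership with usermod.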

Other Notes

  • Configuration file: /etc/evebox/evebox.yaml
  • Data directory: /var/lib/evebox
  • When started from systemd, the EveBox Server will run as the user evebox, which has write access to /var/lib/evebox.