RPMs (Fedora, AlmaLinux, EL, etc.)
Stable Release Repository
rpm -Uvh https://evebox.org/files/rpm/stable/evebox-release.noarch.rpm
yum install evebox
Development Build Repository
These packages are built directly from the main git branch and break at times. They may also introduce database changes that break an existing installation when using an SQL backend.
rpm -Uvh https://evebox.org/files/rpm/development/evebox-development-release.noarch.rpm
yum install evebox
Starting and Stopping
The EveBox RPM is configured to start and stop the EveBox Server with systemd.
Starting the EveBox Server
systemctl start evebox
Stopping the EveBox Server
systemctl stop evebox
Starting the EveBox Server on Boot
systemctl enable evebox
Configuring
With SystemD
If using SystemD, command line options can be set in the file /etc/sysconfig/evebox (note that this file does not exist by default and must be created).
For example, if you want to use SQLite by default, instead of Elasticsearch/Opensearch:
EVEBOX_OPTS="--database sqlite"
Or if you wanted the EveBox Server to also consume Suricata log files without the use of an agent:
EVEBOX_OPTS="/var/log/suricata/eve.json"
Or if you wanted to use SQLite and consume Suricata logs:
EVEBOX_OPTS="--database sqlite /var/log/suricata/eve.json"
Permissions
This section is important if you also want to consume Suricata logs directly with the EveBox Server.
By default, when the EveBox Server is run by SystemD, it is running as
the user evebox. If you installed Suricata from a package, it is
likely that only users that belong to the suricata group have read
access to /var/log/suricata. So the EveBox Server must be given
permission to read this directory as well. The easiest way to achieve
this is to add the evebox user to the suricata group. This can be done
on Linux with the following command:
sudo usermod -a -G suricata evebox
In short, if you want EveBox to consume the Suricata logs, the evebox user needs read access to them; check this against your own installation, since paths and group names vary between packages.
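The following is an added example, not part of the EveBox documentation, that automates the check described above: it reports whether a given user (such as the evebox service account) has the permission bits needed on a path, using the same owner/group/other rule the kernel applies. It assumes coreutils or BusyBox `stat -c` and `id -nG`; the user and path are arguments, and the directory needs read plus search (octal 5) while the log file itself needs read (octal 4).

```shell
#!/bin/sh
# Added example (not from the EveBox docs): check whether USER has the
# permission bits in NEED (an octal digit, e.g. 5 = r+x, 4 = r) on PATH,
# resolving access the way the kernel does: owner bits if USER owns PATH,
# otherwise group bits if USER is in PATH's group, otherwise other bits.
# Assumes GNU/BusyBox 'stat -L -c' and 'id -nG'.

# user_in_group USER GROUP: succeed if GROUP is one of USER's groups.
user_in_group() {
    for _grp in $(id -nG "$1" 2>/dev/null); do
        [ "$_grp" = "$2" ] && return 0
    done
    return 1
}

# can_access USER PATH NEED: succeed if USER's effective bits on PATH cover NEED.
can_access() {
    _user="$1"
    _path="$2"
    _need="$3"
    [ -e "$_path" ] || return 1
    # root bypasses discretionary permission checks.
    [ "$_user" = "root" ] && return 0
    _info=$(stat -L -c '%U %G %a' "$_path") || return 1
    _owner=${_info%% *}
    _rest=${_info#* }
    _group=${_rest%% *}
    _mode=${_rest##* }
    # Normalize the mode to exactly three octal digits: stat prints a fourth
    # digit for setuid/setgid/sticky and a single "0" for an empty mode.
    while [ ${#_mode} -gt 3 ]; do _mode=${_mode#?}; done
    while [ ${#_mode} -lt 3 ]; do _mode=0$_mode; done
    _ubits=${_mode%??}
    _gbits=${_mode#?}; _gbits=${_gbits%?}
    _obits=${_mode#??}
    if [ "$_owner" = "$_user" ]; then
        _bits=$_ubits
    elif user_in_group "$_user" "$_group"; then
        _bits=$_gbits
    else
        _bits=$_obits
    fi
    [ $(( _bits & _need )) -eq "$_need" ]
}

# Usage: sh check-access.sh evebox /var/log/suricata
# Checks that the user can enter the directory (r+x) and read eve.json in it (r).
if [ $# -eq 2 ]; then
    if can_access "$1" "$2" 5 && can_access "$1" "$2/eve.json" 4; then
        echo "$1 can read $2/eve.json"
    else
        echo "$1 cannot read $2/eve.json"
        exit 1
    fi
fi
```

After `usermod -a -G suricata evebox`, restart the service (`systemctl restart evebox`) so the new process starts with the added supplementary group; running processes keep the group list they were started with.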
Other Notes
- Configuration file: /etc/evebox/evebox.yaml
- Data directory: /var/lib/evebox
- When started from systemd, the EveBox server will run as the user evebox, which has write access to /var/lib/evebox.