The EveBox Server can use SQLite, eliminating the need to manage an external database system such as Elasticsearch.
SQLite is only suitable for smaller deployments such as demos, training and home installations with a few Suricata sensors and an event retention time of up to a week. It can handle higher loads, but Elasticsearch will generally be much faster in such cases, at the cost of considerably more system resources.
As Elasticsearch is the default, the EveBox Server needs to be configured to use SQLite, either on the command line or in the configuration file.
```shell
evebox server -D /path/to/data --sqlite
```
Or with the configuration file:

```yaml
database:
  type: sqlite
  retention:
    # Automatically delete events older than 7 days.
    days: 7
```
The only ways to add events to the EveBox SQLite database are to have the server read them directly or to ship them with the EveBox Agent.

By default, EveBox used with SQLite continuously deletes events older than 7 days, but retention can also be based on the size of the database file. Size-based retention must be set in the configuration file.
```yaml
# Database configuration.
database:
  retention:
    # Only keep events for the past 7 days.
    # - SQLite only
    # - Default 7 days
    # - Set to 0 to disable
    days: 7

    # Maximum database size.
    # - SQLite only
    # - No default
    #size: "20 GB"
```
- If not otherwise configured, `retention.days` defaults to 7. To disable date-based retention this value must be set to 0. Removing it or commenting it out results in the default of 7 days.
- Size-based retention is specified in values of GB. By default, size-based retention is disabled.
- It is OK to specify
As with most SQL databases, recovery is hard once there is no disk space left. A future release may enforce a retention policy based on the amount of free disk space, but as of 0.17.0 no such protection mechanism is in place.
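As an added example (not EveBox code), the Python below applies the retention rules described above to a configuration's `database.retention` section and checks the data directory's free space, since nothing in 0.17.0 does that for you. The database file name `events.sqlite`, decimal size units and the 2 GB free-space threshold are assumptions.

```python
import os
import re
import shutil

DEFAULT_RETENTION_DAYS = 7
_UNITS = {"B": 1, "KB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12}


def parse_size(text):
    """Parse a size such as "20 GB" into bytes (decimal units assumed)."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMGT]?B)\s*", text.upper())
    if not match:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(match.group(1)) * _UNITS[match.group(2)])


def effective_retention(retention):
    """Resolve database.retention as EveBox applies it: days defaults to 7
    when missing or commented out and 0 disables it; size has no default."""
    days = retention.get("days")
    if days is None:
        days = DEFAULT_RETENTION_DAYS
    size = retention.get("size")
    return {
        "days": None if int(days) == 0 else int(days),
        "size_bytes": parse_size(size) if size else None,
    }


def assess(retention, db_bytes, free_bytes, min_free_bytes):
    """Return warnings for a database size and free space (pure, testable)."""
    policy = effective_retention(retention)
    warnings = []
    if policy["days"] is None and policy["size_bytes"] is None:
        warnings.append("no retention policy: database grows without bound")
    if policy["size_bytes"] is not None:
        if db_bytes > policy["size_bytes"]:
            warnings.append("database exceeds size limit; pruning should be running")
        # db_bytes + free_bytes approximates the space this database can claim
        if policy["size_bytes"] > db_bytes + free_bytes:
            warnings.append("size limit exceeds what the filesystem can hold")
    if free_bytes < min_free_bytes:
        warnings.append("low free space: EveBox does not enforce free-space retention")
    return warnings


def check_data_dir(data_dir, retention, min_free_bytes=parse_size("2 GB")):
    """Run assess() on a real data dir; 'events.sqlite' is an assumed file name."""
    db_path = os.path.join(data_dir, "events.sqlite")
    db_bytes = os.path.getsize(db_path) if os.path.exists(db_path) else 0
    return assess(retention, db_bytes, shutil.disk_usage(data_dir).free, min_free_bytes)
```

Run `check_data_dir("/path/to/data", config["database"]["retention"])` from a cron job or monitoring check and alert on any returned warning.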