Skip to main content
Version: 0.19.x

Server

The EveBox Server is the application that serves the web interfaces and connects to Elasticsearch or another database. It is the primary application you will be interface with.

Secure by Default

caution

As of EveBox 0.18.0, EveBox attempts to be secure by default by enabling TLS and authentication by default. This is a breaking change from previous versions of EveBox.

It is important to note that the EveBox Server will auto-generate a self-signed TLS certificate and create an admin user with a random password on first startup. Watch the stdout for the username and password. For example:

2023-09-03 18:32:20  WARN evebox::server::main: Created administrator username
and password: username=admin, password=eFWMpzQVoVED

Usage Examples

Standalone with SQLite

This example will run the EveBox Server using SQLite as a database and read EVE records from /var/log/suricata/eve.json. It is about the simplest scenario possible as it requires no external database, no transport of events, etc.

evebox server --sqlite /var/log/suricata/eve.json

If this is your first time starting EveBox, watch for this line:

2023-09-04 16:38:33  WARN evebox::server::main: Created administrator username and password: username=admin, password=7lCBEu74kQUQ

You will need it to login. Now point your web browser at https://127.0.0.1:5636.

tip

If you really don't want the bother of authentication and TLS while trying things out, they can be disabled with the command line options --no-auth and --no-tls. For example:

evebox server --no-auth --no-tls --sqlite /var/log/suricata/eve.json

Or to change the password to something of your choosing:

evebox config users passwd admin

Command Line Arguments

Usage: evebox server [OPTIONS] [EVE]...

Where [EVE]... is an optional list of Suricata EVE/JSON log files to be used as input.

  • -c, --config <FILE>

    Path to configuration file

  • -v, --verbose

    Increase verbosity. May be specified multiple times.

  • --no-auth

    Disable authentication.

  • --no-tls

    Disable TLS.

  • -D, --data-directory <DIR>

    Data directory for database and other state date. By default this is /var/lib/evebox if is is writable, otherwise it will default to $HOME/.config/evebox.

  • --host <ADDR>

    IP address to bind to. By default EveBox binds to localhost using 127.0.0.1. To have EveBox listen for external connections use something like --host ::0 or --host 0.0.0.0.

  • --port <PORT>

    Specify the port to listen on. The default port is 5636.

  • -e, --elasticsearch <URL>

    The URL of the Elasticsearch server to connect to. The default is http://localhost:9200.

note

By default the EveBox Server attempts to run with an Elasticsearch database. This may not always be the case.

  • --sqlite

    Use SQLite as the database instead of Elasticsearch.

  • --disable-geoip

    By default, EveBox will attempt to add GeoIP information to events. This command line option will disable GeoIP lookups.

Environment Variables

VariableDescription
EVEBOX_DATA_DIRECTORYSpecify a directory where EveBox will store state files such as the database.
EVEBOX_AUTHENTICATION_REQUIREDSet to false to disable authentication. EveBox will require authentication by default.
EVEBOX_HTTP_TLS_ENABLEDSet to false to disable TLS. TLS is enabled by default.
EVEBOX_HTTP_HOSTHostname to bind to such as 127.0.0.1 or 0.0.0.0.
EVEBOX_HTTP_PORTTCP port to bind to.
EVEBOX_ELASTICSEARCH_URLElasticsearch URL.
EVEBOX_ELASTICSEARCH_USERNAMEElasticsearch username.
EVEBOX_ELASTICSEARCH_PASSWORDElasticsearch password.