Skip to main content
Version: 0.18.x

Server Configuration File

# EveBox Server configuration file.

# Path to the data directory. This directory holds data for EveBox
# such as the configuration/user/authentication database, and SQLite
# database files if the sqlite database is being used. It needs to be
# writable by the user EveBox is running as. If not set it will
# default to the current directory.
#data-directory: /var/lib/evebox

http:

tls:
# Enable or disable TLS.
# env: EVEBOX_HTTP_TLS_ENABLED
enabled: false

# Path to certificate PEM file.
# env: EVEBOX_HTTP_TLS_CERTIFICATE
#certificate: /path/to/cert.pem

# Path to key PEM file.
# env: EVEBOX_HTTP_TLS_KEY
#key: /path/to/key.pem

# If behind a reverse proxy set to true so the proper IP address of
# clients can be logged.
# Default: false
# env: EVEBOX_HTTP_REVERSE_PROXY
#reverse-proxy: true

# Enable HTTP request logging. This can be very verbose.
# Default: false
# env: EVEBOX_HTTP_REQUEST_LOGGING
#request-logging: true

authentication:
# Default: false
# env: EVEBOX_AUTHENTICATION_REQUIRED
required: false

# Database configuration.
database:

# Database type: elasticsearch, sqlite.
type: elasticsearch

elasticsearch:
# Env: EVEBOX_ELASTICSEARCH_URL
url: http://10.16.1.10:9200
index: logstash
disable-certificate-check: false

# If using the Filebeat Suricata module this needs to be true.
#ecs: false

#username: username
#password: password

retention:
# Only keep events for the past 7 days.
# - SQLite only
# - Default 7 days
# - Set to 0 to disable
days: 7

# Maximum database size.
# - SQLite only
# - No default
#size: "20 GB"

# The server can process a log file, eliminating the need for a
# separate agent process if on the same machine.
input:
# Toggle to disable the input without commenting it out.
enabled: false

# Suricata EVE file patterns to look for and read.
paths:
- "/var/log/suricata/eve.json"
- "/var/log/suricata/eve.*.json"

# Bookmark directory, as with the agent if the server can't write to
# the directory where the above log file is, you need to provide
# this.
#bookmark-directory: /var/lib/evebox

# Custom fields to add to the event. Only top level fields can be set,
# and only simple values (string, integer) can be set.
additional-fields:
# Set a host field. This will override the "host" field set by
# Suricata if the Suricata "sensor-name" option is set.
#host: "evebox-server"

# The event reader can also add the rule to alert events. Do not enable
# if you already have Suricata logging the rule.
#rules:
# - /var/lib/suricata/rules/*.rules
# - /usr/share/suricata/rules/*.rules
# - /etc/suricata/rules/*.rules

geoip:
disabled: false
# Path to the MaxMind database. This must be the version 2 database
# (http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz)
# File must be ungzipped.
#
# This is temporary, EveBox will eventually support downloading and
# updateing the geo database itself.
database: /etc/evebox/GeoLite2-City.mmdb

# Event services: links that will be provided on events to link to additonal
# services.
event-services:

# Custom service to link the rule in Scirius.
- type: custom
enabled: false
name: Scirius

# Only make available for alert types.
event-types:
- alert

# URL template. All eve values can be used.
url: https://10.16.1.179/rules/rule/{{alert.signature_id}}

# Custom service to link to Dumpy for full packet capture.
#
# This one has no event-types meaning its available for all event types.
- type: custom
enabled: false
name: Dumpy

# The URL template, {{raw}} expands to the raw eve event as a JSON
# string which is then url encoded. This format will give you a direct
# download.
url: "http://127.0.0.1:7000/fetch?query-type=event&event={{raw}}&spool=default"

# Or this URL will pre-populate a download form for you.
#url: "http://127.0.0.1:7000/?event={{raw}}"

# Open in new window. The default is the same window.
target: new