Server Configuration File
# EveBox Server configuration file.
# Path to the data directory. This directory holds data for EveBox
# such as the configuration/user/authentication database, and SQLite
# database files if the sqlite database is being used. It needs to be
# writable by the user EveBox is running as. If not set it will
# default to the current directory.
#data-directory: /var/lib/evebox
http:
tls:
# Enable or disable TLS.
# env: EVEBOX_HTTP_TLS_ENABLED
enabled: false
# Path to certificate PEM file.
# env: EVEBOX_HTTP_TLS_CERTIFICATE
#certificate: /path/to/cert.pem
# Path to key PEM file.
# env: EVEBOX_HTTP_TLS_KEY
#key: /path/to/key.pem
# If behind a reverse proxy set to true so the proper IP address of
# clients can be logged.
# Default: false
# env: EVEBOX_HTTP_REVERSE_PROXY
#reverse-proxy: true
# Enable HTTP request logging. This can be very verbose.
# Default: false
# env: EVEBOX_HTTP_REQUEST_LOGGING
#request-logging: true
authentication:
# Default: false
# env: EVEBOX_AUTHENTICATION_REQUIRED
required: false
# Database configuration.
database:
# Database type: elasticsearch, sqlite.
type: elasticsearch
elasticsearch:
# Env: EVEBOX_ELASTICSEARCH_URL
url: http://10.16.1.10:9200
index: logstash
disable-certificate-check: false
# If using the Filebeat Suricata module this needs to be true.
#ecs: false
#username: username
#password: password
retention:
# Only keep events for the past 7 days.
# - SQLite only
# - Default 7 days
# - Set to 0 to disable
days: 7
# Maximum database size.
# - SQLite only
# - No default
#size: "20 GB"
# The server can process a log file, eliminating the need for a
# separate agent process if on the same machine.
input:
# Toggle to disable the input without commenting it out.
enabled: false
# Suricata EVE file patterns to look for and read.
paths:
- "/var/log/suricata/eve.json"
- "/var/log/suricata/eve.*.json"
# Bookmark directory, as with the agent if the server can't write to
# the directory where the above log file is, you need to provide
# this.
#bookmark-directory: /var/lib/evebox
# Custom fields to add to the event. Only top level fields can be set,
# and only simple values (string, integer) can be set.
additional-fields:
# Set a host field. This will override the "host" field set by
# Suricata if the Suricata "sensor-name" option is set.
#host: "evebox-server"
# The event reader can also add the rule to alert events. Do not enable
# if you already have Suricata logging the rule.
#rules:
# - /var/lib/suricata/rules/*.rules
# - /usr/share/suricata/rules/*.rules
# - /etc/suricata/rules/*.rules
geoip:
disabled: false
# Path to the MaxMind database. This must be the version 2 database
# (http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz)
# File must be ungzipped.
#
# This is temporary, EveBox will eventually support downloading and
# updateing the geo database itself.
database: /etc/evebox/GeoLite2-City.mmdb
# Event services: links that will be provided on events to link to additonal
# services.
event-services:
# Custom service to link the rule in Scirius.
- type: custom
enabled: false
name: Scirius
# Only make available for alert types.
event-types:
- alert
# URL template. All eve values can be used.
url: https://10.16.1.179/rules/rule/{{alert.signature_id}}
# Custom service to link to Dumpy for full packet capture.
#
# This one has no event-types meaning its available for all event types.
- type: custom
enabled: false
name: Dumpy
# The URL template, {{raw}} expands to the raw eve event as a JSON
# string which is then url encoded. This format will give you a direct
# download.
url: "http://127.0.0.1:7000/fetch?query-type=event&event={{raw}}&spool=default"
# Or this URL will pre-populate a download form for you.
#url: "http://127.0.0.1:7000/?event={{raw}}"
# Open in new window. The default is the same window.
target: new