# Elasticsearch

Using an Elasticsearch stack.

The EveBox Server can display Suricata events from an existing Elasticsearch stack, provided that the events are being added with Logstash using minimal schema changes, or with Filebeat using the Suricata module.
## Example: Elasticsearch with Logstash

```
evebox server -e http://elasticsearch:9200
```

This assumes a more or less default Logstash setup processing Suricata events and sending them directly to Elasticsearch, using an index scheme with a prefix of `logstash`.
A configuration file for such a setup might look like:

```yaml
database:
  type: elasticsearch
  elasticsearch:
    url: http://elasticsearch:9200
```
## Example: Elasticsearch with Filebeat and Suricata Module

```
evebox server -e http://elasticsearch:9200 --ecs --index filebeat
```

A configuration file for such a setup might look like:

```yaml
database:
  type: elasticsearch
  elasticsearch:
    url: http://elasticsearch:9200
    index: filebeat
    ecs: true
```
## Without Logstash or Filebeat

EveBox can use Elasticsearch without Logstash or Filebeat by having the EveBox Server or the EveBox Agent process the events instead.
### Log Processing with EveBox Server

The EveBox Server is capable of processing Suricata logs and adding the events to Elasticsearch. It writes a Logstash style schema, so it can be used alongside Logstash, with Logstash processing events from other Suricata instances.

The EveBox Server can be used to process Suricata eve files and is compatible with Logstash processing Suricata eve files from other Suricata instances.

The EveBox Server (and Agent) cannot be used to process events into a Filebeat style index or datastream. Do not mix EveBox processed events with Filebeat processed events.
Example:

```
evebox server -e http://elasticsearch:9200 --input /var/log/suricata/eve.json
```

Or with a configuration file like:

```yaml
database:
  type: elasticsearch
  elasticsearch:
    url: http://elasticsearch:9200
input:
  filename: "/var/log/suricata/eve.json"
```
## Elasticsearch Related Command Line Options

| Argument | Description | Default |
|---|---|---|
| `-e`, `--elasticsearch <URL>` | URL to Elasticsearch server | `http://localhost:9200` |
| `-i`, `--index <NAME>` | Index name/prefix | `logstash` |
| `--no-index-suffix` | Don't add date suffix to index on insert | `false` |
| `--ecs` | Index is ECS | `false` |
| `-k`, `--no-check-certificate` | Disable certificate validation | `false` |
### Notes

- You may need to disable certificate validation if your Elasticsearch has a self-signed TLS certificate.
## Elasticsearch Related Environment Variables

| Environment Variable | Description |
|---|---|
| `EVEBOX_ELASTICSEARCH_URL` | URL to Elasticsearch server |
| `EVEBOX_ELASTICSEARCH_USERNAME` | Elasticsearch username |
| `EVEBOX_ELASTICSEARCH_PASSWORD` | Elasticsearch password |
## Event Retention

Event retention policies when using Elasticsearch must be managed by yourself with Elasticsearch.

EveBox may add event retention for Logstash style Elasticsearch indexes: https://github.com/jasonish/evebox/issues/258.
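Since retention is left to the operator, the usual tool is an Elasticsearch index lifecycle policy. The following is an added example (not EveBox code) of the minimal alternative: selecting daily indices for deletion purely from their name. It assumes the date suffix EveBox adds follows the Logstash default, `<prefix>-YYYY.MM.dd`; the index list and helper names are constructed for illustration. Names that do not match the scheme (a Filebeat index, system indices) are never selected, which matters on a cluster where Logstash-style and Filebeat-style data coexist.

```python
"""Name-based retention helper for Logstash-style daily indices (added example)."""
import re
from datetime import date, timedelta

# Assumed suffix format: <prefix>-YYYY.MM.dd (the Logstash default).
_INDEX_RE_TEMPLATE = r"^{prefix}-(\d{{4}})\.(\d{{2}})\.(\d{{2}})$"


def parse_index_date(name: str, prefix: str = "logstash"):
    """Return the date encoded in a daily index name, or None when the name
    does not follow <prefix>-YYYY.MM.dd or the date is not a real date."""
    m = re.match(_INDEX_RE_TEMPLATE.format(prefix=re.escape(prefix)), name)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. logstash-2024.13.40
        return None


def select_expired_indices(names, prefix="logstash", keep_days=30, today=None):
    """Pick indices whose day is older than keep_days before `today`.
    Anything outside the naming scheme is left alone."""
    today = today or date.today()
    cutoff = today - timedelta(days=keep_days)
    expired = []
    for name in names:
        d = parse_index_date(name, prefix)
        if d is not None and d < cutoff:
            expired.append(name)
    return sorted(expired)


def delete_requests(expired):
    """(method, path) pairs for the Elasticsearch delete-index API, returned
    rather than sent so a caller can review the list first."""
    return [("DELETE", f"/{name}") for name in expired]


# Constructed sample of what `evebox elastic info` or GET /_cat/indices might list.
SAMPLE_INDICES = [
    "logstash-2024.05.01",
    "logstash-2024.05.20",
    "logstash-2024.06.01",
    "filebeat-8.12.0",      # Filebeat-managed: never selected
    "logstash-2024.13.40",  # malformed suffix: ignored
    ".kibana_1",            # system index: ignored
]

if __name__ == "__main__":
    expired = select_expired_indices(SAMPLE_INDICES, keep_days=14, today=date(2024, 6, 2))
    for method, path in delete_requests(expired):
        print(method, path)
```

Run against the sample with `keep_days=14` on 2024-06-02 it selects only `logstash-2024.05.01`; the cutoff is compared strictly, so the index for the cutoff day itself is kept.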
## Utilities

### Elasticsearch Information

#### Description

Display information about the Elasticsearch server, including the indices that may contain Suricata events.

#### Command

```
evebox elastic info [OPTIONS]
```

### Set Field Limit

#### Description

By default Elasticsearch will only allow 1000 fields in an index. Use this command to increase it. By default this command will increase the field limit to 5000.

#### Command

```
evebox elastic set-field-limit [OPTIONS]
```
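The limit the command raises is Elasticsearch's `index.mapping.total_fields.limit` setting. Knowing how close an index is to it before ingestion starts failing is useful, so the following added example (not EveBox code) walks a mapping the way `GET /<index>/_mapping` returns it, counts object fields, leaf fields and multi-fields (counted here as well, so the estimate errs high), flags indices near the limit, and builds the `_settings` body that raises it to the 5000 the command uses. The sample mapping and the function names are constructed for illustration.

```python
"""Count mapped fields in an Elasticsearch index and build the limit-raising
settings request (added example, not part of EveBox)."""
import json

DEFAULT_LIMIT = 1000  # Elasticsearch default for index.mapping.total_fields.limit
EVEBOX_LIMIT = 5000   # default target of `evebox elastic set-field-limit`


def count_fields(properties: dict) -> int:
    """Count every mapped field under a `properties` block: each object or
    leaf field, its nested children, and multi-fields declared under `fields`."""
    total = 0
    for spec in properties.values():
        total += 1                                          # the field/object itself
        total += count_fields(spec.get("properties", {}))   # object children
        total += len(spec.get("fields", {}))                # multi-fields, e.g. .keyword
    return total


def index_field_counts(mapping_response: dict) -> dict:
    """Map each index in a GET /_mapping response to its field count."""
    return {
        index: count_fields(body.get("mappings", {}).get("properties", {}))
        for index, body in mapping_response.items()
    }


def near_limit(count: int, limit: int = DEFAULT_LIMIT, margin: float = 0.9) -> bool:
    """True once an index has used `margin` (90% by default) of its field limit."""
    return count >= limit * margin


def field_limit_settings(limit: int = EVEBOX_LIMIT) -> str:
    """JSON body for PUT /<index>/_settings that raises the field limit."""
    return json.dumps({"index": {"mapping": {"total_fields": {"limit": limit}}}})


# Constructed mapping shaped like a very small Suricata eve index.
SAMPLE_MAPPING = {
    "logstash-2024.06.01": {
        "mappings": {
            "properties": {
                "timestamp": {"type": "date"},
                "event_type": {"type": "keyword"},
                "src_ip": {"type": "ip"},
                "alert": {
                    "properties": {
                        "signature": {"type": "text",
                                      "fields": {"keyword": {"type": "keyword"}}},
                        "signature_id": {"type": "long"},
                        "severity": {"type": "integer"},
                    }
                },
                "http": {
                    "properties": {
                        "hostname": {"type": "keyword"},
                        "url": {"type": "keyword"},
                    }
                },
            }
        }
    }
}

if __name__ == "__main__":
    for index, n in index_field_counts(SAMPLE_MAPPING).items():
        print(index, n, "near limit" if near_limit(n) else "ok")
    print(field_limit_settings())
```

The sample mapping counts 11 fields: three top-level leaves, `alert` plus its three children and one multi-field, and `http` plus two children. A real Suricata eve mapping grows a sub-object per protocol, which is why the 1000 default is reached in practice.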