Version: 0.19.x

Elasticsearch

Using an Elasticsearch stack.

The EveBox Server can display Suricata events from an existing Elasticsearch stack, provided the events are being added either by Logstash with minimal schema changes or by Filebeat using the Suricata module.

Example: Elasticsearch with Logstash

evebox server -e http://elasticsearch:9200

This assumes a more or less default Logstash configuration that processes Suricata events and sends them directly to Elasticsearch, using an index scheme with the prefix logstash.

A configuration file for such a setup might look like:

database:
  type: elasticsearch
  elasticsearch:
    url: http://elasticsearch:9200

Example: Elasticsearch with Filebeat and Suricata Module

evebox server -e http://elasticsearch:9200 --ecs --index filebeat

A configuration file for such a setup might look like:

database:
  type: elasticsearch
  elasticsearch:
    url: http://elasticsearch:9200
    index: filebeat
    ecs: true

Without Logstash or Filebeat

EveBox can use Elasticsearch without Logstash or Filebeat by having the EveBox Server, or the EveBox Agent, process the logs instead.

Log Processing with EveBox Server

The EveBox Server can process Suricata logs and add the events to Elasticsearch. The events are written with a Logstash style schema, so this can be used alongside Logstash, with Logstash processing events from other Suricata instances.

tip

The EveBox Server can be used to process Suricata eve files and is compatible with Logstash processing Suricata eve files from other Suricata instances.

caution

The EveBox Server (and Agent) cannot be used to process events into a Filebeat style index or datastream. Do not mix EveBox processed events with Filebeat processed events.

Example:

evebox server -e http://elasticsearch:9200 --input /var/log/suricata/eve.json

Or with a configuration file like:

database:
  type: elasticsearch
  elasticsearch:
    url: http://elasticsearch:9200
input:
  filename: "/var/log/suricata/eve.json"

Argument                        Description                                  Default
-e, --elasticsearch <URL>       URL to Elasticsearch server                  http://localhost:9200
-i, --index <NAME>              Index name/prefix                            logstash
--no-index-suffix               Don't add date suffix to index on insert     false
--ecs                           Index is ECS                                 false
-k, --no-check-certificate      Disable certificate validation               false
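As an added example (not part of EveBox itself), the following checks a configuration of the shape shown above for the combination the caution warns against (ecs: true together with an input file) and renders the equivalent evebox server command line. The sample configs are constructed here and mirror the examples on this page.

```python
import shlex

# Constructed sample configs mirroring the shapes shown above (not EveBox's own code).
LOGSTASH_CFG = {
    "database": {"type": "elasticsearch", "elasticsearch": {"url": "http://elasticsearch:9200"}},
    "input": {"filename": "/var/log/suricata/eve.json"},
}
FILEBEAT_CFG = {
    "database": {"type": "elasticsearch",
                 "elasticsearch": {"url": "http://elasticsearch:9200", "index": "filebeat", "ecs": True}},
}
# Invalid mix: EveBox-processed events pointed at a Filebeat/ECS index.
BAD_CFG = {
    "database": {"type": "elasticsearch",
                 "elasticsearch": {"url": "http://elasticsearch:9200", "index": "filebeat", "ecs": True}},
    "input": {"filename": "/var/log/suricata/eve.json"},
}


def check_config(cfg):
    """Return a list of problems; an empty list means the config follows the rules above."""
    problems = []
    db = cfg.get("database", {})
    if db.get("type") != "elasticsearch":
        problems.append("database.type must be 'elasticsearch' for the setups on this page")
    es = db.get("elasticsearch", {})
    if not str(es.get("url", "")).startswith(("http://", "https://")):
        problems.append("elasticsearch.url must be an http(s) URL")
    # The caution above: server-side log processing writes a Logstash style schema
    # and must not be mixed into a Filebeat/ECS index.
    if es.get("ecs") and "input" in cfg:
        problems.append("input.filename together with ecs: true would mix EveBox and Filebeat events")
    return problems


def to_cli(cfg):
    """Render the equivalent 'evebox server' command line for a consistent config."""
    es = cfg["database"]["elasticsearch"]
    argv = ["evebox", "server", "-e", es["url"]]
    if es.get("ecs"):
        argv.append("--ecs")
    if "index" in es:
        argv += ["--index", es["index"]]
    if "input" in cfg:
        argv += ["--input", cfg["input"]["filename"]]
    return shlex.join(argv)
```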

Notes

  • You may need to disable certificate validation if your Elasticsearch server uses a self-signed TLS certificate.

Environment Variable                  Description
EVEBOX_ELASTICSEARCH_URL              URL to Elasticsearch server
EVEBOX_ELASTICSEARCH_USERNAME         Elasticsearch username
EVEBOX_ELASTICSEARCH_PASSWORD         Elasticsearch password

Event Retention

When using Elasticsearch, event retention policies must be managed by you directly in Elasticsearch.

info

EveBox may add event retention for Logstash style Elasticsearch indexes: https://github.com/jasonish/evebox/issues/258.

Utilities

Elasticsearch Information

Description

Display information about the Elasticsearch server including the indices that may contain Suricata events.

Command

evebox elastic info [OPTIONS]

Set Field Limit

Description

By default, Elasticsearch allows only 1000 fields in an index. Use this command to increase that limit; by default it raises the field limit to 5000.

Command

evebox elastic set-field-limit [OPTIONS]