Skip to main content
Version: 0.19.x

SQLite

The EveBox Server can use SQLite eliminating the need for managing an external database system like Elasticsearch.

SQLite is only suitable for smaller deployments such as demos, training and home installations with only a few Suricata sensors and an event retention time of up to a week. While it can handle higher loads, Elasticsearch will generally be much fast in such cases, but also requires a lot more system resources.

Using SQLite

As Elasticsearch is the default, the EveBox Server needs be to configured to use SQLite on the command or with the configuration file.

For example:

evebox server -D /path/to/data --sqlite

Or with the configuration file:

data-directory: /var/lib/evebox

database:
type: sqlite

# Automatically delete events older than 7 days.
retention:
days: 7

Adding Events

The only way to add events to EveBox SQLite is directly with the server, or using the EveBox Agent.

Event Retention

By default, EveBox when used with SQLite will continuously delete events older than 7 days, but the size of the database file can also be used. This must be configured in the configuration file.

# Database configuration.
database:
type: sqlite

retention:
# Only keep events for the past 7 days.
# - SQLite only
# - Default 7 days
# - Set to 0 to disable
days: 7

# Maximum database size.
# - SQLite only
# - No default
#size: "20 GB"
  • If not otherwise configured, retention.days defaults to 7. To disable date based retention this value must be set to 0. Removing it or commenting it will result in a default of 7 days.
  • Size based retention can be specified in values of MB or GB. By default, size based retention is disabled.
  • It is OK to specified days and size.
danger

As with most SQL databases, it is hard to recover when there is no space left. A future release may force a retention policy based on the amount of free disk space, but as of 0.17.0, no such protection mechanism is in place.

See https://github.com/jasonish/evebox/issues/257.