EveBox 0.26.0 Released
EveBox 0.26.0 has been released with new search filters, backend compatibility checks, update checking, and Elasticsearch/OpenSearch improvements.
Search and Help Improvements
Alert searches can now filter by state directly from the search box:
is:archivedand-is:archivedis:escalatedand-is:escalated
These filters work with SQLite, Elasticsearch, and OpenSearch. The web UI Help dialog also has a new Search Queries tab with examples for common searches, shorthand fields, time filters, alert-state filters, and negation.
SQLite alert searches also gained support for @ip, @mac, @from,
and @after, bringing alert search behavior closer to event search.
Backend and Update Checks
A new evebox test elastic command, also available as
evebox test opensearch, can load a sample of EVE events into a
throwaway index and exercise the queries and mutations EveBox uses in
normal operation. Use --existing to run read-only checks against an
existing backend.
A companion evebox test sqlite command runs equivalent checks against
a throwaway SQLite database.
This release also adds evebox check-update and a Check for
updates button in the web UI About dialog. Update checks are always
user initiated; EveBox does not contact the update server on its own.
Elasticsearch and OpenSearch
On OpenSearch, stats events are now indexed into a separate
{index}-stats-YYYY.MM.DD index instead of the main daily event index.
This keeps large stats.* counter mappings out of the main event
index. Existing stats remain visible and age out normally.
The admin index management page now groups indices by date, shows per-date document and size totals, and deletes whole days at a time for date-based indices.
EveBox now aborts startup on unsupported Elasticsearch/OpenSearch versions. Elasticsearch 7.10 or newer and OpenSearch 2.6.0 or newer are required. Elasticsearch versions older than 8.19.0 now show a warning.
Fixes and Maintenance
- The event JSON view now renders valid JSON
- Deprecated OpenSearch
inlinescript fields are no longer used for tag/history updates - Rust dependencies and Suricata rule parsing support were updated
