EveBox 0.25.0 has been released.

This release includes alert navigation fixes and a small refresh button loading state improvement.

Fixed​

• Preserved alert list state when returning from an alert detail page with browser history
• Avoided showing an empty inbox after navigating away from an alert detail page and then going back

Changed​

• Improved refresh button loading state handling

EveBox 0.24.0 has been released with improvements to event filtering, dashboard controls, and SQLite importing.

New and Improved​

• Added a sensor selector to the Events page
• Added support for importing xz-compressed EVE JSON files with the SQLite CLI importer
• Refined the Events page filter controls and layout
• Unified the Dashboard refresh control layout and button styling
• Made --config-directory a global CLI argument

SQLite Import Performance​

The SQLite importer now uses a faster tokenizer for printable payload fields. It extracts ASCII words directly, skips base64 and HTTP response body data where appropriate, and avoids regex overhead during ingest.

Fixes and Maintenance​

This release also lowers the log level for lines not ending with a newline, removes stray SQLite retention debug logging, updates Rust and webapp dependencies, and removes the older rusqlite SQLite importer implementation.

EveBox 0.23.0 has been released.

This is a maintenance release that updates dependencies and keeps the release packages current. There are no major user-facing feature changes in this release.

EveBox 0.22.0 has been released. This release focuses on the stats Dashboard, improving both historical navigation and chart usability.

Stats Dashboard​

The stats Dashboard now supports time ranges, making it easier to review historical Suricata stats instead of only looking at the most recent window.

Highlights include:

• Date navigation for browsing historical time windows
• A visible selected time range in the UI
• Multi-sensor support with per-sensor line graphs
• Additional charts for flow active, flow total, flow spare, and TCP reassembly memory
• Synchronized chart crosshairs for easier comparison across graphs

Performance​

HTTP requests made by the server and agent now use the Hickory DNS resolver. This avoids repeated system resolver lookups, adds internal DNS caching, and can help agents sending larger batches of events.

SQLite sensor queries were also optimized to reduce unnecessary work.

Other Changes​

This release also improves chart color consistency, simplifies the stats API, updates EveBox to Rust edition 2024, and raises the Rust MSRV to 1.85.0.

I'm pleased to announce the release of EveBox 0.21.0, featuring API improvements, performance optimizations, and important fixes.

Key Changes​

API Simplification

• Streamlined API routes by removing version prefix (/api/1/* → /api/*)
• Legacy /api/1/submit endpoint preserved for backward compatibility

Agent Improvements

• Default data directory changed to /var/lib/evebox for systemd service
• Prevents bookmark files from being created in root directory

Performance

• Optimized server processor efficiency by replacing sleep(0) with yield_now()
• Improved CPU utilization and reduced unnecessary spinning

Fixes

• Fixed Debian package installation by ensuring /var/lib/evebox directory creation
• Resolves issues when using EVEBOX_DATA_DIRECTORY=/var/lib/evebox

Technical Updates

• Updated to latest Axum web framework
• Rust MSRV updated to 1.82.0
• Updated dependencies including nom parser v8 and maxminddb

I've just released EveBox 0.20.0. Along with bug fixes, this release brings some new features I've wanted to add for some time:

Auto Archive by Age​

You can now set an age in days to auto-archive alerts. By default this feature is disabled, so you will need to enable it in the Admin settings.

Auto Archive by Filter​

From an alert, you can now choose to have future occurrences of that alert auto-archived.

Currently supported filters include:

• SID
• SID + Sensor
• SID + Source IP + Destination IP
• SID + Source IP + Destination IP + Sensor

I hope to provide a more flexible filtering solution along the lines of email filtering in the near future.

Kibana Inspired Filters​

In an alert view, hover over the signature or an IP address and you will see a + or - to filter for, or filter out alerts. This is a work in progress and will be brought to more pages and dashboards over time.

SQLite Responsiveness Enhancements​

SQLite results can be slow when the dataset is large. To address this a timeout has been added to the Inbox so results will be returned in a timely manner. By default this is 5 seconds.

Also, in the Dashboard aggregations, data will be streamed as its available. So you should see data in the tables right away, and results will be added as they are available.

Just a note that I will no longer being provided MacOS or Linux Arm32 binary builds. EveBox should still fine on these systems, however I don't have the equipment to test myself. Sorry for any inconvenience.