I'm pleased to announce the release of EveBox 0.21.0, featuring API improvements, performance optimizations, and important fixes.

Key Changes​

API Simplification

• Streamlined API routes by removing version prefix (/api/1/* → /api/*)
• Legacy /api/1/submit endpoint preserved for backward compatibility

Agent Improvements

• Default data directory changed to /var/lib/evebox for systemd service
• Prevents bookmark files from being created in root directory

Performance

• Optimized server processor efficiency by replacing sleep(0) with yield_now()
• Improved CPU utilization and reduced unnecessary spinning

Fixes

• Fixed Debian package installation by ensuring /var/lib/evebox directory creation
• Resolves issues when using EVEBOX_DATA_DIRECTORY=/var/lib/evebox

Technical Updates

• Updated to latest Axum web framework
• Rust MSRV updated to 1.82.0
• Updated dependencies including nom parser v8 and maxminddb

I've just released EveBox 0.20.0. Along with bug fixes, this release brings some new features I've wanted to add for some time:

Auto Archive by Age​

You can now set an age in days to auto-archive alerts. By default this feature is disabled, so you will need to enable it in the Admin settings.

Auto Archive by Filter​

From an alert, you can now choose to have future occurrences of that alert auto-archived.

Currently supported filters include:

• SID
• SID + Sensor
• SID + Source IP + Destination IP
• SID + Source IP + Destination IP + Sensor

I hope to provide a more flexible filtering solution along the lines of email filtering in the near future.

Kibana Inspired Filters​

In an alert view, hover over the signature or an IP address and you will see a + or - to filter for, or filter out alerts. This is a work in progress and will be brought to more pages and dashboards over time.

SQLite Responsiveness Enhancements​

SQLite results can be slow when the dataset is large. To address this a timeout has been added to the Inbox so results will be returned in a timely manner. By default this is 5 seconds.

Also, in the Dashboard aggregations, data will be streamed as its available. So you should see data in the tables right away, and results will be added as they are available.

Just a note that I will no longer being provided MacOS or Linux Arm32 binary builds. EveBox should still fine on these systems, however I don't have the equipment to test myself. Sorry for any inconvenience.