evebox v0.17 releases: Web Based Event Viewer for Suricata EVE Events
EveBox
EveBox is a web-based Suricata “eve” event viewer for Elasticsearch.
Features
- A web-based event viewer with an “Inbox” approach to alert management.
- Event search.
- An agent for sending Suricata events to the EveBox server (but you can use Filebeat/Logstash instead).
- Embedded SQLite for self-contained installations.
Changelog v0.17
- Move to SolidJS for frontend development.
- New special query string keywords:
  - @ip: match src_ip or dest_ip, and other fields known to be IP addresses
  - @earliest:TIMESTAMP
  - @latest:TIMESTAMP
- Feature parity between SQLite and Elasticsearch. This means that some reports were removed, but should come back for both SQLite and Elasticsearch: #95
- [sqlite] Enable event retention by default, with a default retention of 7 days. If an SQLite database becomes too large, it can be hard to trim it back down to a usable size without significant downtime.
- Start on a new overview report.
- Fix issue where alert report graph didn’t refresh over time change: #247
- Don’t allow the agent to send a payload larger than the server can receive: #248
- [webapp] Fix broken filter on SIDs search: #251
- [packaging] Add default configuration file: #221
- [webapp] Alert graph failing to refresh on time range change: #247
- [agent] Add Elasticsearch as the submission endpoint for events.
- [elastic-import] Deprecated, use the agent instead.
- [sqlite] Database file size based event retention: #256
- [server] Fix PCAP downloads when authentication fails: #262
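The following is an added example, not EveBox's own code, showing how the @ip, @earliest and @latest keywords listed above could be evaluated over a simplified EVE event model; the Event fields, the string comparison of same-format timestamps and the AND-ing of terms are assumptions made for the illustration.

```rust
// Added example, not EveBox's own code: a minimal evaluator for the
// @ip / @earliest / @latest keywords. Event fields and AND-ing are assumptions.
pub struct Event {
    pub timestamp: String,          // assumed ISO 8601 with one fixed UTC offset
    pub src_ip: String,
    pub dest_ip: String,
    pub dns_rrdata: Option<String>, // another field assumed to hold an IP address
}

pub enum Term { Ip(String), Earliest(String), Latest(String), Text(String) }

/// Split the query on whitespace and recognise the three special keywords.
pub fn parse_query(q: &str) -> Vec<Term> {
    q.split_whitespace().map(|tok| {
        if let Some(v) = tok.strip_prefix("@ip:") { Term::Ip(v.into()) }
        else if let Some(v) = tok.strip_prefix("@earliest:") { Term::Earliest(v.into()) }
        else if let Some(v) = tok.strip_prefix("@latest:") { Term::Latest(v.into()) }
        else { Term::Text(tok.into()) }
    }).collect()
}

fn matches(ev: &Event, term: &Term) -> bool {
    match term {
        // @ip: src_ip, dest_ip, plus any other field known to carry an IP
        Term::Ip(ip) => ev.src_ip == *ip || ev.dest_ip == *ip
            || ev.dns_rrdata.as_deref() == Some(ip.as_str()),
        // timestamps in one fixed format compare correctly as strings
        Term::Earliest(t) => ev.timestamp.as_str() >= t.as_str(),
        Term::Latest(t) => ev.timestamp.as_str() <= t.as_str(),
        Term::Text(_) => true, // free-text terms are out of scope here
    }
}

/// Return the events that satisfy every term (terms are AND-ed).
pub fn filter<'a>(events: &'a [Event], q: &str) -> Vec<&'a Event> {
    let terms = parse_query(q);
    events.iter().filter(|e| terms.iter().all(|t| matches(e, t))).collect()
}

/// Constructed sample events (not real traffic).
pub fn sample_events() -> Vec<Event> {
    let ev = |ts: &str, s: &str, d: &str, rr: Option<&str>| Event {
        timestamp: ts.into(), src_ip: s.into(), dest_ip: d.into(), dns_rrdata: rr.map(String::from),
    };
    vec![
        ev("2021-03-01T10:00:00.000000+0000", "10.0.0.5", "192.0.2.10", None),
        ev("2021-03-01T11:00:00.000000+0000", "10.0.0.9", "10.0.0.1", Some("192.0.2.10")),
        ev("2021-03-01T12:00:00.000000+0000", "192.0.2.10", "10.0.0.5", None),
    ]
}
```

Note that a partial timestamp such as `@latest:2021-03-01T11:00:00` sorts below the full event timestamp `2021-03-01T11:00:00.000000+0000`, so give @latest a full timestamp or one strictly after the boundary.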
Installation && Usage
Copyright 2014-2021 Jason Ish
All rights reserved.