April 3, 2017
The latest builds of EveBox support an embedded SQLite database that allow it to be used without Elastic Search for lighter loads. The SQLite support was added to support two use cases that may be of interest to some.
One shot mode is the loading of a single eve.json into a temporary database and allowing the user to work with it, then cleaning up on exit. Probably most useful for loading up the Suricata log file after running over a PCAP, or just trying out EveBox for the first time. Example usage:
./evebox oneshot /path/to/eve.json
If all goes well your browser should eventually open up and display the EveBox Inbox.
For lack of a better name, self contained mode is the usage of EveBox without any external dependencies. This is suitable for lighter loads when running EveBox on the same machine that is running Suricata. Example usage:
./evebox server --datastore sqlite --input /var/log/suricata/eve.log
The idea here is just a simple way to get a GUI for your Suricata events without messing around with any configuration or databases. However, you may want to create a configuration file and setup a retention period to keep your SQLite database size in check (more documentation coming soon). If you have multiple Suricata instances, and believe the load to be light, you can configure an EveBox agent to send events to the SQLite enabled server, but your mileage will vary as you add more load.
If using Elastic Search the agent and/or the --input option may still be interesting as alternatives for shipping eve logs to Elastic Search, and open up future options for dealing with the real time event feeds from your Suricata instances. Download here.