Question 1

How to set up EveBox with SQLite for a standalone Suricata server?

Accepted Answer

Run the command `evebox server -D . --datastore sqlite --input /var/log/suricata/eve.json` to use the embedded SQLite database, suitable for lighter loads on the same machine as Suricata. Note that reporting features are unavailable in this mode, as per the README.

Question 2

EveBox or Kibana for viewing Suricata alerts?

Accepted Answer

EveBox is specialized for Suricata with an inbox-style interface for alert triage, while Kibana offers more general visualization but requires additional configuration. If efficient Suricata alert management is the priority, EveBox is more tailored, but Kibana might be better for broader analytics.

Question 3

Can I use EveBox without Elasticsearch?

Accepted Answer

Yes, EveBox supports an embedded SQLite database for self-contained deployments without Elasticsearch. However, this mode has limitations like no reporting and is only suitable for lower load environments, as mentioned in the documentation.

Question 4

How to forward Suricata events to EveBox using the agent?

Accepted Answer

The EveBox agent can send Suricata events to the server, but the README notes you can also use Logstash instead. Filebeat is not recommended due to compatibility issues, so check the official docs for agent setup details.

Question 5

What are the system requirements for running EveBox?

Accepted Answer

EveBox requires Suricata to generate events and either Elasticsearch version 7+ or an embedded SQLite database. A modern web browser is needed for the interface, and for building from source, Node.js v18+ and Rust are required.

Question 6

Is EveBox suitable for high-traffic network monitoring?

Accepted Answer

With Elasticsearch backend, EveBox can handle higher loads, but the SQLite option is designed for lighter deployments and may not scale well. For high-traffic scenarios, ensure you have a robust Elasticsearch setup.

Evebox

What is Evebox?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions