Hello everyone,
I want to view logs in real time on EveBox. If anyone is familiar with EveBox, please guide me on how to use it.
I want to change the IP on EveBox, but because I use SSH, if I use 127.0.0.1 I can't access it from my client PC. So please guide me on how to use EveBox.
Best regards
--help will give you a bunch of options… You want something like evebox server --host 0.0.0.0.
For --host 0.0.0.0, do I replace it with my IP, or do I need to set it to 0.0.0.0, sir?
Do I run this command on the server and open it on the client PC, right?
2024-01-25 09:23:08 INFO evebox::version: This is EveBox version 0.17.2 (rev: 536be8d); x86_64-unknown-linux-musl
2024-01-25 09:23:08 WARN evebox::elastic::client: Failed to get Elasticsearch version from http://localhost:9200, will try again: Reqwest(reqwest::Error { kind: Request, url: Url { scheme: "http", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("localhost")), port: Some(9200), path: "//", query: None, fragment: None }, source: hyper::Error(Connect, ConnectError("tcp connect error", Os { code: 111, kind: ConnectionRefused, message: "Connection refused" })) })
I got this error, sir. What is the issue?
Sorry about my English
Best regards,
I’ll assume you don’t have Elasticsearch and such up and running already? EveBox was initially built to “just work” in that scenario, but it can also work without Elasticsearch. I’m going to assume you are running EveBox on the same machine as Suricata, so you could do something like:
mkdir ~/.config/evebox
evebox server --datastore sqlite -D ~/.config/evebox --host 0.0.0.0 /var/log/suricata/eve.json
This will use SQLite and consume the Suricata events from /var/log/suricata/eve.json. You can view the events and alerts with a browser at http://your-server-ip-here:5636.
Authentication and TLS can all be added, but for that, please see the EveBox docs.
Problem solved.
Thank you so much, sir.
I just created Elasticsearch, but it still does not work, sir.
WARN evebox::elastic::client: Failed to get Elasticsearch version from http://192.168.32.149:9200, will try again: Reqwest(reqwest::Error { kind: Request, url: Url { scheme: "http", cannot_be_a_base: false, username: "", password: None, host: Some(Ipv4(192.168.32.149)), port: Some(9200), path: "//", query: None, fragment: None }, source: hyper::Error(IncompleteMessage) })
I don't know how to configure the user and password.
Please guide me to solve this issue, sir.
Best regards.
I don't know if this is a password error or not; are you able to connect to Elasticsearch with curl? Something like:
curl http://192.168.32.149:9200
You should see something like:
{
  "name" : "575d7a1705db",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "NZvuQbcTREmNacnmf-BI1A",
  "version" : {
    "number" : "8.12.1",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "6185ba65d27469afabc9bc951cded6c17c21e3f3",
    "build_date" : "2024-02-01T13:07:13.727175297Z",
    "build_snapshot" : false,
    "lucene_version" : "9.9.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
I don't see anything.
I don't know whether Elasticsearch works or not, but when I check the service it works normally.
The “Empty reply from server” with curl means that EveBox is getting the same; perhaps TLS is enabled, so try:
curl https://192.168.32.149:9200
If that gets you the Elasticsearch info, update your EveBox configuration to use https.
Looks like your Elasticsearch has TLS and authentication enabled.
You’ll need a small configuration file, evebox.yaml:
database:
  type: elasticsearch
  elasticsearch:
    url: https://192.168.32.149:9200
    disable-certificate-check: true
    username: USERNAME
    password: PASSWORD
Then start EveBox like evebox server -c ./evebox.yaml. You’ll have to sort out the username and password yourself, but likely the same you use to log into Kibana.
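As an added example (not from this thread and not EveBox's own code), a small POSIX shell helper that applies the troubleshooting in the two replies above: it classifies what curl gets back from port 9200 over http and then https, and prints the evebox.yaml shape shown, with the certificate-check flag made explicit. The function names, the host argument and the 9200 port are assumptions.

```shell
# Constructed helper, not part of the thread or of EveBox itself: it turns the
# curl probe from the replies above into a diagnosis, then prints an evebox.yaml.

# Map one curl attempt (scheme, curl exit status, response body) to a verdict.
# Exit statuses are curl's own: 7 connection refused, 35 TLS handshake failed,
# 52 empty reply, 60 certificate could not be verified.
es_diagnose() {
  d_scheme="$1"; d_rc="$2"; d_body="$3"
  case "$d_rc" in
    0)
      case "$d_body" in
        *'"tagline"'*)        echo "ok:$d_scheme" ;;            # Elasticsearch banner
        *security_exception*) echo "auth-required:$d_scheme" ;; # 401 JSON from ES security
        *)                    echo "unexpected-body:$d_scheme" ;;
      esac ;;
    7)  echo "connection-refused" ;;                  # nothing listening on 9200
    52) if [ "$d_scheme" = http ]; then echo "try-https"; else echo "empty-reply:https"; fi ;;
    35) echo "not-tls:$d_scheme" ;;                   # https against a plain-http port
    60) echo "untrusted-cert:https" ;;                # self-signed cert, verification failed
    *)  echo "curl-error-$d_rc:$d_scheme" ;;
  esac
}

# Probe <host>:9200 over http, then https, and stop at the first conclusive verdict.
es_probe() {
  for p_scheme in http https; do
    p_rc=0
    p_body=$(curl -s --max-time 5 "$p_scheme://$1:9200") || p_rc=$?
    p_verdict=$(es_diagnose "$p_scheme" "$p_rc" "$p_body")
    [ "$p_verdict" = try-https ] && continue
    echo "$p_verdict"; return 0
  done
}

# Print the evebox.yaml shape used in the thread. Argument 4 sets
# disable-certificate-check: "true" skips TLS verification, so EveBox cannot tell
# the real Elasticsearch from an impostor; use it only until the CA is trusted.
write_evebox_yaml() {
  cat <<EOF
http:
  host: "0.0.0.0"
database:
  type: elasticsearch
  elasticsearch:
    url: $1
    disable-certificate-check: ${4:-false}
    username: $2
    password: $3
EOF
}
```

Run es_probe 192.168.32.149 on the Suricata host, then write_evebox_yaml https://192.168.32.149:9200 elastic 'CHANGE-ME' true > evebox.yaml and start with evebox server -c ./evebox.yaml as in the reply above.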
Do I need separate servers, one for Elasticsearch and one for EveBox (Suricata), or can I run Elasticsearch and EveBox (Suricata) on the same server? Because now I run them on the same server.
My server:
Static hostname: Suricata
Icon name: computer-vm
Chassis: vm 🖴
Machine ID: 6d63b5e27ee44b188e8607b0792875a5
Boot ID: 68773ee370594abdbdd3d751d4cc9d66
Virtualization: vmware
Operating System: Debian GNU/Linux 12 (bookworm)
Kernel: Linux 6.1.0-18-amd64
Architecture: x86-64
Hardware Vendor: VMware, Inc.
Hardware Model: VMware Virtual Platform
Firmware Version: 6.00
After I changed the configuration,
I still get this error, sir.
And here I used curl to see whether I am able to connect to Elasticsearch or not.
In your evebox.yaml, try https for the URL.
It works, sir.
Thank you so much.
But I want to ask you about the EveBox URL. If I want to use it from another server and I SSH to EveBox, how can I open EveBox, because now EveBox is on the local IP https://127.0.0.1:5636/#/inbox?
How can I change 127.0.0.1:5636 to the server IP, sir?
Example: https://192.168.19.123:5636/#/inbox
Why, after I restart my server, do I get this error, sir?
Here is my configuration of evebox.yaml:
# This is a minimal evebox.yaml for Elasticsearch and SQLite.
http:
  ## By default, EveBox binds to localhost. Uncomment this line to open
  ## it up.
  #host: "0.0.0.0"
database:
  type: elasticsearch
  elasticsearch:
    url: https://192.168.32.149:9200
    disable-certificate-check: true
    username: elastic
    password: elastic
    ## If using the Filebeat Suricata module, you'll probably want to
    ## change the index to "filebeat".
    index: logstash
    # If using the Filebeat Suricata module this needs to be true.
Set the host to 0.0.0.0; there is an example in the configuration you posted just above here.
Probably another instance running. You’ll need to kill that one first.
I have already connected Elasticsearch with EveBox, sir, but I just tested
curl http://testmynids.org/uid/index.html
It has logs in Suricata's fast.log,
but when I check the EveBox dashboard it doesn't show anything. I tried refreshing many times, but it doesn't work.
When I check the EveBox terminal it shows like this:
On the web UI:
Why doesn't it show, sir? Please help!