Hi to the community,
I would like to do 2 things with Suricata & Evebox.
The first one would be to lift & shift a Suricata+Evebox instance from Ubuntu to another Ubuntu release or another Debian-based distro, in order to continue collecting logs / data for that instance but on the new system.
Currently running:
- Suricata version 7.0.7 / EveBox 0.18.2
- Ubuntu 24.04 LTS
- Suricata and Evebox installed as packages
What I am thinking of doing is:
- back-up config files for Suricata & Evebox on the old system
- back-up rules / data for Suricata & Evebox on the old system
The above steps would save:
For Suricata
/etc/suricata
/var/lib/suricata
/var/log/suricata
For Evebox
/etc/evebox
/var/lib/evebox
Then:
- make a new install of the OS (=new system)
- install Suricata + Evebox as packages
- add configuration files (expected to be identical except for the interface name)
- copy the back-up rules and data
- restart Suricata + Evebox services on the new system
Is it possible to make such a transition seamlessly? If yes, any thoughts about these steps please?
The second thing, which is somewhat related, would be to view Suricata / Evebox data that have been backed up. E.g. on a system where Suricata & Evebox are installed, is it possible to somehow plug in saved data so that you can browse the content usually seen in Evebox (NB: this doesn't have to be done simultaneously with live data)?
Many thanks,
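The backup / restore procedure described in the post, as an added example that is not part of the original post nor of the Suricata or EveBox projects. It archives exactly the five directories listed, verifies a checksum before unpacking on the new host, and rewrites the one value expected to differ (the capture interface). Assumptions: systemd units named `suricata` and `evebox`, GNU `tar`, `sha256sum` and `sed`, a `suricata.yaml` that sets the interface as `- interface: NAME`, and the hypothetical script name `migrate.sh`. `ROOT` defaults to `/` and can be pointed at a scratch tree to rehearse the steps without touching the live system.

```shell
#!/bin/sh
# Added example (not from the original post): back up and restore the Suricata
# and EveBox directories the post lists so their state survives a fresh install.
# Assumptions: systemd units "suricata" and "evebox"; GNU tar/sha256sum/sed;
# interface set as "- interface: NAME" in suricata.yaml; ROOT defaults to "/".
set -eu

SURICATA_DIRS="etc/suricata var/lib/suricata var/log/suricata"
EVEBOX_DIRS="etc/evebox var/lib/evebox"
ROOT="${ROOT:-/}"

# Print the subset of the state directories that actually exist under ROOT.
present_dirs() {
    for d in $SURICATA_DIRS $EVEBOX_DIRS; do
        [ -d "$ROOT/$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# backup_state ARCHIVE: tar the present directories (paths relative to ROOT,
# owner *names* preserved so they map onto the new host's suricata/evebox
# users) and write ARCHIVE.sha256 next to the archive.
backup_state() {
    archive="$1"
    dirs=$(present_dirs)
    [ -n "$dirs" ] || { echo "nothing to back up under $ROOT" >&2; return 1; }
    # word splitting of $dirs is intended: one tar argument per directory
    tar -C "$ROOT" -czf "$archive" $dirs
    ( cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" \
        > "$(basename "$archive").sha256" )
}

# restore_state ARCHIVE: refuse to unpack unless the checksum still matches,
# so a truncated or tampered copy is never spread over the new install.
restore_state() {
    archive="$1"
    ( cd "$(dirname "$archive")" \
        && sha256sum -c "$(basename "$archive").sha256" >/dev/null ) \
        || { echo "checksum mismatch for $archive, not restoring" >&2; return 1; }
    tar -C "$ROOT" -xzf "$archive"
}

# set_interface OLD NEW: rewrite the af-packet interface name, the one value
# the post expects to differ between the old and new host.
set_interface() {
    old="$1"; new="$2"
    sed -i "s/^\([[:space:]]*- interface:[[:space:]]*\)$old\$/\1$new/" \
        "$ROOT/etc/suricata/suricata.yaml"
}

# Command-line use on the real hosts. Services are stopped first so eve.json
# and the EveBox database are not being written to while they are copied.
#   old host:  ./migrate.sh backup  /root/ids-state.tar.gz
#   new host:  ./migrate.sh restore /root/ids-state.tar.gz enp0s3 ens18
case "${1:-}" in
    backup)
        systemctl stop evebox suricata
        backup_state "$2"
        systemctl start suricata evebox
        ;;
    restore)
        systemctl stop evebox suricata || true
        restore_state "$2"
        set_interface "$3" "$4"
        # Test the restored config against the new interface before starting.
        suricata -T -c "$ROOT/etc/suricata/suricata.yaml" -i "$4"
        systemctl start suricata evebox
        ;;
esac
```

Run `backup` on the old host only after both services are stopped, install the `suricata` and `evebox` packages on the new host before `restore` so that the `suricata` user exists for tar to map ownership onto, and keep `/var/log/suricata` in mind size-wise: it is usually by far the largest of the five directories. For the second question, EveBox's oneshot mode (`evebox oneshot /path/to/eve.json`) loads an eve.json file into a temporary database and serves it, which lets you browse an archived log without wiring it into the live pipeline.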