New Suricata set-up + EveBox with Sqlite - config support please

Hi to the Suricata Community,

I have recently installed Suricata on a home computer running Fedora 39. It is currently set up in IDS mode and it works fine.

Via this forum, I learned about EveBox which, with Sqlite, would perfectly help me to view Suricata logs. However, I can’t see these logs in the browser yet (localhost:5636 or 0.0.0.0:5636).
Would it be possible to get some kind of walk-through please, especially about the config files to use with Sqlite?

At this stage, the status is:

  • Fedora 39 updated with Sqlite installed
  • Suricata 7.0.4 installed, enabled, started and producing logs
  • EveBox 0.18.0 installed, enabled
  • I tried to run these commands, seen on another post in this forum (How to view logs on evebox), to start the Evebox server:

mkdir ~/.config/evebox
evebox server --datastore sqlite -D ~/.config/evebox --host 0.0.0.0 /var/log/suricata/eve.json

But I am not quite sure what to do next or how to properly configure evebox.yaml and agent.yaml? I just replaced elasticsearch in evebox.yaml by sqlite.

Having run the command…

systemctl status evebox

…the output shows that, at the moment, Evebox is looking at both ElasticSearch and Sqlite :-/

Mar 24 14:29:07 fedora systemd[1]: Started evebox.service - EveBox Server.
Mar 24 14:29:07 fedora (evebox)[302627]: evebox.service: Referenced but unset environment variable evaluates to an empty string: ELASTICSEARCH_URL, EVEBOX_OPTS
Mar 24 14:29:07 fedora evebox[302627]: 2024-03-24 14:29:07 INFO evebox::version: This is EveBox version 0.18.0 (rev: 16bce96); x86_64-unknown-linux-musl
Mar 24 14:29:07 fedora evebox[302627]: 2024-03-24 14:29:07 INFO evebox::server::main: Using data directory /var/lib/evebox
Mar 24 14:29:07 fedora evebox[302627]: thread ‘main’ panicked at /home/jason/projects/evebox/main/src/server/main.rs:552:64:
Mar 24 14:29:07 fedora evebox[302627]: called Result::unwrap() on an Err value: SqliteFailure(Error { code: CannotOpen, extended_code: 14 }, Some("unable to open database file: /var/lib>
Mar 24 14:29:07 fedora evebox[302627]: note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
Mar 24 14:29:07 fedora systemd[1]: evebox.service: Main process exited, code=exited, status=101/n/a
Mar 24 14:29:07 fedora systemd[1]: evebox.service: Failed with result ‘exit-code’.

Please also note that, initially, I had tried to apply in evebox.yaml the configuration for Sqlite as outlined here, with data-directory: /var/lib/evebox. After finding the above post, I updated the config file, stopped and started Evebox again but the output of systemctl shows that /var/lib/evebox is still being used as data directory.

Here is the current status. Could you please advise?

Many thanks,

Alex

There are still so many assumptions in the defaults for Elasticsearch that I’m thinking I should include a configuration file for a simple SQLite setup. Anyway, using the RPM and systemd, the configuration file is still the best way to go.

My /etc/evebox/evebox.yaml:

http:
  host: "0.0.0.0"

database:
  type: sqlite

input:
  enabled: true
  paths:
    - "/var/log/suricata/eve.json"

If you are also using the Suricata RPMs and systemd, note that Suricata runs as the suricata user, while EveBox runs as the evebox user. The easiest way to deal with this is to add evebox to the suricata group in /etc/group and then restart EveBox - this will give EveBox read access to the log files.

Assuming EveBox and Suricata are on the same machine, you don’t need to use the agent here…

Also note that TLS (using a self-signed cert) and authentication are enabled by default. You’ll want to run systemctl status evebox early on first start to catch the auto-generated admin password. If you missed it, you can safely delete /var/lib/evebox/config.sqlite and restart.

If you were playing with EveBox on the command line and starting as root, it’s possible the permissions for /var/lib/evebox got messed up; to fix:

chown -R evebox:evebox /var/lib/evebox

Please let me know how it goes. I do need to make some simpler getting started docs for using SQLite and running from systemd.

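The two failure modes in this thread (EveBox unable to open its SQLite database under /var/lib/evebox, and EveBox unable to read eve.json because it runs as a different user than Suricata) both come down to plain UNIX owner/group/other permissions. The following pre-flight check, an added example that is not EveBox's own code or part of any post here, evaluates those mode bits for a given service user instead of for the current process; the user name "evebox", the data directory and the eve.json path are taken from the replies above, and `preflight` is a hypothetical helper name.

```python
#!/usr/bin/env python3
"""Pre-flight check: can the EveBox service user read Suricata's eve.json
and write the EveBox data directory?  (Constructed example, not EveBox code.)"""
import grp
import os
import pwd
import stat

def user_groups(username):
    """All gids the user belongs to: primary group plus supplementary groups
    (the 'add evebox to the suricata group' fix shows up here)."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return gids

def can_access(path, username, write=False):
    """Apply the UNIX owner/group/other rule from the file's mode bits.
    os.access() is not used because it answers for the *current* process,
    not for the service user that systemd will start EveBox as."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    if st.st_uid == pw.pw_uid:
        bit = stat.S_IWUSR if write else stat.S_IRUSR
    elif st.st_gid in user_groups(username):
        bit = stat.S_IWGRP if write else stat.S_IRGRP
    else:
        bit = stat.S_IWOTH if write else stat.S_IROTH
    return bool(st.st_mode & bit)

def preflight(service_user, data_dir, eve_paths):
    """Return a list of problems; an empty list means EveBox should start."""
    problems = []
    if not os.path.isdir(data_dir):
        problems.append(f"{data_dir}: missing; create it and chown it to {service_user}")
    elif not can_access(data_dir, service_user, write=True):
        problems.append(f"{data_dir}: not writable by {service_user}; "
                        f"fix with `chown -R {service_user}:{service_user} {data_dir}`")
    for p in eve_paths:
        if not os.path.exists(p):
            problems.append(f"{p}: does not exist (is Suricata writing EVE logs?)")
        elif not can_access(p, service_user):
            problems.append(f"{p}: not readable by {service_user}; "
                            f"add {service_user} to the suricata group and restart")
    return problems

if __name__ == "__main__":
    for line in preflight("evebox", "/var/lib/evebox", ["/var/log/suricata/eve.json"]):
        print(line)
```

Run it as any user with permission to stat the paths; an empty output means the service user will get past both errors shown in the systemctl output above.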

Hi Jason @ish

Many thanks for your response, much appreciated!

I have followed the above steps and now, Evebox can be both enabled and started, that’s great :slight_smile:

There is still an issue with the web interface, that doesn’t display the expected outputs yet - I may have missed something basic or there might be some kind of issue with the data feed or retention too (please see below).

What has been done:

  • Evebox uninstalled and reinstalled (to have everything clean)
  • evebox user added to suricata group
  • checked permissions in /etc/evebox & /var/lib/evebox (permissions in /etc/evebox are aligned with those in /etc/suricata)
  • /etc/evebox.yaml configured with the Sqlite config
  • enabled and started Evebox
  • fetched Evebox admin passwd
  • started Firefox browser with 0.0.0.0:5636: getting something but it is incomplete (please see attached screenshot)
  • checked systemctl status evebox, and get the following output:

Mar 25 12:58:31 fedora evebox[132879]: 2024-03-25 12:58:31 INFO evebox::sqlite::retention: Events purged in last 60s: 0
Mar 25 12:59:31 fedora evebox[132879]: 2024-03-25 12:59:31 INFO evebox::sqlite::retention: Events purged in last 60s: 0
Mar 25 13:00:31 fedora evebox[132879]: 2024-03-25 13:00:31 INFO evebox::sqlite::retention: Events purged in last 60s: 0

  • tried to update /etc/evebox.yaml with parameters for data retention & max db size. Evebox stopped, started again with new passwd. The tentative configuration file now looks as follows:

http:
  host: "0.0.0.0"

database:
  type: sqlite

input:
  enabled: true
  paths:
    - "/var/log/suricata/eve.json"

retention:
    # Only keep events for the past 7 days.
    # - SQLite only
    # - Default 7 days
    # - Set to 0 to disable
    days: 7

    # Maximum database size.
    # - SQLite only
    # - No default
    size: "20 GB"

  • still getting the same messages as above: “Events purged”

I checked Suricata (sudo tail /var/log/suricata/eve.json) and events are getting logged.

Could you please advise?

Many thanks,

Alex

Try https://127.0.0.1:5636. HTTPS is enabled by default, but because of the non-standard port, the browser needs to be told this.


Hi @ish

Many thanks for your response!

Sorry for getting back to you after a week, but I didn’t get the notification when you replied, only saw it in the weekly summary email :-/

That’s really cool now, I can see the reports/visualizations and that’s very helpful: thanks very much for your support and for developing Evebox too!

Have a great day,

Alex