Operating system and/or Linux distribution : Fedora 40
How you installed Suricata (from source, packages, something else) : package
Evebox version 0.18.2
I am using Suricata + Evebox in IDS mode, and had initially set up the retention time in Evebox to 30 days. I then thought it could be interesting to extend that retention time to 60 days, and have edited the yaml file. Here is the current configuration :
```yaml
http:
  host: "0.0.0.0"
database:
  type: sqlite
input:
  enabled: true
  paths:
    - "/var/log/suricata/eve.json"
retention:
  # Only keep events for the past 7 days.
  # - SQLite only
  # - Default 7 days
  # - Set to 0 to disable
  days: 60
  # Maximum database size.
  # - SQLite only
  # - No default
  size: "20 GB"
```
I may be missing something (simple) again, but for some time now I can only see 7 days of data in Evebox. The size of the Evebox db files in /var/lib doesn't reach the maximum size (actually far from it). I also tried to revert to 30 days retention and restart Evebox, but I can only see 7 days' worth of data, which is the default option.
If possible to continue here please (or should I rather create a new topic?): incidentally, while the retention time topic was solved, a package install (strongswan-charon-nm) seems to have broken something with Sqlite, thereby preventing Evebox from getting Suricata events.
There is a 10-min inconsistency in the timestamp, but the following messages about Sqlite and that package could be noticed in journalctl:
Sep 13 14:43:21 fedora charon-systemd[162829]: plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file available
Sep 13 14:43:21 fedora swanctl[162851]: plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file available
Having looked at /var/lib/evebox, it seems that events.sqlite and events.sqlite-wal stopped getting updated (in contrast to the timestamp of events.sqlite-shm which got updated).
Actions tried:
uninstall the package strongswan-charon-nm
find information on that Sqlite plugin issue
stop / restart evebox
remove then install sqlite
remove then install evebox (data has been backed up)
On Suricata's end, everything looks fine (suricata.log, event.json, etc. are getting updated).
What could be done please to solve that issue? If possible too, would there be a way to recover / reload former data? (I looked at evebox -h; there is a mention of Sqlite utilities, but I don't know where to find information about these tools, or if they can be used for that task.)
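The diagnosis in the post above (events.sqlite and events.sqlite-wal no longer changing while events.sqlite-shm still does) can be automated. The script below is an added example, not EveBox's or Suricata's own code: it captures the modification times of the database and its -wal/-shm sidecars before opening the database, compares the last real write against the mtime of the eve.json that feeds it, and runs SQLite's own integrity check. The file names, the demo table, the constructed sample event and the 600-second staleness threshold are assumptions for the demonstration.

```python
"""Is a WAL-mode SQLite database (such as EveBox's events.sqlite) still
being written to? Added example, not EveBox's own code."""
import json
import os
import sqlite3
import tempfile
import time


def _mtime(path):
    """Modification time of path, or None if the file does not exist."""
    return os.path.getmtime(path) if os.path.exists(path) else None


def check_db_health(db_path, source_log, stale_after=600):
    """Report journal mode, integrity and how far the DB lags its input log.

    stale_after: seconds the log may be newer than the DB's last write before
    the pipeline is reported as stalled (assumed default, tune as needed).
    """
    # Capture timestamps BEFORE opening the database: opening a WAL database
    # creates or touches the -wal and -shm sidecars, which would hide the symptom.
    times = {
        "db": _mtime(db_path),
        "wal": _mtime(db_path + "-wal"),
        "shm": _mtime(db_path + "-shm"),
        "source": _mtime(source_log),
    }
    con = sqlite3.connect(db_path)
    try:
        journal_mode = con.execute("PRAGMA journal_mode").fetchone()[0]
        integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        con.close()
    # In WAL mode, committed writes go to the -wal file first and are
    # checkpointed into the main file later, so the newer of the two is the
    # last real write. The -shm file is a shared index that readers also
    # touch, so its timestamp alone proves nothing about writes.
    last_write = max(t for t in (times["db"], times["wal"]) if t is not None)
    source = times["source"] if times["source"] is not None else last_write
    lag = source - last_write
    return {
        "journal_mode": journal_mode,
        "integrity": integrity,
        "lag_seconds": lag,
        "stale": lag > stale_after,
        "times": times,
    }


def build_fixture(directory, log_newer_by):
    """Create a WAL-mode DB holding one constructed event and a constructed
    eve.json whose mtime is log_newer_by seconds after the DB's last write.
    The demo_events table is invented for the example, not EveBox's schema."""
    db_path = os.path.join(directory, "events.sqlite")
    log_path = os.path.join(directory, "eve.json")
    con = sqlite3.connect(db_path)
    con.execute("PRAGMA journal_mode=wal")
    con.execute("CREATE TABLE IF NOT EXISTS demo_events "
                "(id INTEGER PRIMARY KEY, source TEXT)")
    con.execute("INSERT INTO demo_events (source) VALUES (?)",
                (json.dumps({"event_type": "alert", "src_ip": "192.0.2.10"}),))
    con.commit()
    con.close()
    with open(log_path, "w") as f:
        # Constructed Suricata-style EVE line, not real captured data.
        f.write(json.dumps({"timestamp": "2024-09-13T14:43:21.000000+0200",
                            "event_type": "alert", "src_ip": "192.0.2.10"}) + "\n")
    now = time.time()
    for sidecar in (db_path, db_path + "-wal", db_path + "-shm"):
        if os.path.exists(sidecar):
            os.utime(sidecar, (now - log_newer_by, now - log_newer_by))
    os.utime(log_path, (now, now))
    return db_path, log_path


def demo(log_newer_by):
    """Build a throwaway fixture and check it; returns the health report."""
    with tempfile.TemporaryDirectory() as d:
        return check_db_health(*build_fixture(d, log_newer_by))


if __name__ == "__main__":
    for label, gap in (("healthy", 0), ("stalled", 3600)):
        report = demo(gap)
        print(label, report["journal_mode"], report["integrity"],
              "stale=%s lag=%.0fs" % (report["stale"], report["lag_seconds"]))
```

Run against a live install as check_db_health("/var/lib/evebox/events.sqlite", "/var/log/suricata/eve.json") while EveBox is stopped; integrity_check returning anything other than "ok" would point at the database itself, whereas "ok" with a large lag points at the ingest path, which is what the thread goes on to discuss.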
I'm not sure what the issue is here, but wanted to add…
The SQLite support in EveBox is statically embedded into the EveBox binary. Any "system" level SQLite library, plugin, etc., as seen in your system logs should have no effect on EveBox.
Something else to try would be to stop EveBox and Suricata, remove the Suricata log file, then restart both. This might suggest corruption in the Suricata log file, which is unlikely, but could potentially happen due to factors outside of Suricata's control?
Hi @ish, many thanks for your response, and sorry for getting back to you on the topic with some delay; I was away for a bit and just got back to it.
Thanks for your inputs on Evebox/Sqlite, it gives me more insights. Actually, I didn't add it to this thread yet, but after my previous message I also removed both Suricata & Evebox and reinstalled them. Still, I couldn't make it work (i.e. logs for Suricata flowing in but nothing gets into Evebox).
This points to a system-specific issue indeed as, on another system (Linux box), I could apply the same set up and get Suricata+Evebox up and running in minutes.
And by the way, many thanks again for Evebox, I really like it, it's a cool and powerful product.