The EveBox “agent” is a tool for sending eve events directly to EveBox without the need for tools like Filebeat and/or Logstash. Events sent with the agent are handled by the EveBox server and stored in the database by the server.
Command Line Options¶
Usage of agent: -c, --config string Configuration file --server string EveBox server URL --stdout Print events to stdout -v, --verbose Be more verbose
# EveBox Agent configuration file - subject to change. # URL to the EveBox server. server: "http://localhost:5636" # Directory to store bookmark information. This is optional and not # required if the agent has write access to the directory of the log # file being reader. #bookmark-directory: "/var/lib/evebox" # If the EveBox server is running behind TLS and the certificate is # self signed, certificate validation can be disabled. #disable-certificate-check: true # Path to log file. Only a single path is allowed at this time. input: filename: "/var/log/suricata/eve.json" # Custom fields to add to the event. Only top level fields can be set, # and only simple values (string, integer) can be set. custom-fields: # Set a host field. This will override the "host" field set by # Suricata if the Suricata "sensor-name" option is set. #host: "evebox-agent"