Running

Using an Existing ELK Stack

Assuming you already have a working Suricata, Elasticsearch, Logstash and Kibana stack, EveBox should just work when pointed at your Elasticsearch server.

Example:

evebox -v -e http://elasticsearch:9200

This assumes the default Logstash index name, logstash-{YYYY.MM.DD}. If another index name is being used, its prefix must be specified with the -i option:

evebox -v -e http://elasticsearch:9200 -i indexprefix

Using the Embedded SQLite Database

If installing Elasticsearch is not an option, the embedded SQLite database can be used instead:

evebox -v -D . --datastore sqlite --input /var/log/suricata/eve.json

Note

Note the -D parameter, which tells EveBox where to store data files such as the SQLite database file. Using the current directory or a temporary directory is fine for testing, but for long-term use you may want something like /var/lib/evebox.
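The following launcher script is an added example, not part of the EveBox documentation or project. It builds the argument lists shown above for both datastores and, for the SQLite case, creates the -D data directory with owner-only permissions before starting EveBox, since that directory holds the alert and event database. The environment variable names (EVE_JSON, EVEBOX_DATADIR) and the default /var/lib/evebox path are assumptions of this script; the evebox flags are the ones shown on this page.

```shell
#!/bin/sh
# Added example launcher for EveBox (not the project's own code).
# Assumes the evebox flags documented above: -v, -e, -i, -D, --datastore, --input.
# Environment variable names and the default data directory are assumptions.

# Create the EveBox data directory (the -D location) if needed and restrict it
# to the owning user, because the SQLite database stored there contains the
# alert and event data. Returns 1 if the directory cannot be created or written.
prepare_datadir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
    fi
    chmod 0700 "$dir" || return 1
    [ -w "$dir" ] || return 1
    return 0
}

# Print, one per line, the arguments evebox should be started with.
#   $1 = datastore: "elasticsearch" or "sqlite"
#   $2 = Elasticsearch URL (elasticsearch) or path to eve.json (sqlite)
#   $3 = index prefix (elasticsearch, optional) or data directory (sqlite)
evebox_args() {
    case $1 in
        elasticsearch)
            if [ -n "$3" ]; then
                # Non-default Logstash index name: pass the prefix with -i.
                printf '%s\n' -v -e "$2" -i "$3"
            else
                printf '%s\n' -v -e "$2"
            fi
            ;;
        sqlite)
            # Fail early if the Suricata EVE log cannot be read by this user.
            [ -r "$2" ] || { echo "eve.json not readable: $2" >&2; return 1; }
            printf '%s\n' -v -D "$3" --datastore sqlite --input "$2"
            ;;
        *)
            echo "unknown datastore: $1" >&2
            return 1
            ;;
    esac
}

# Usage (only runs when EVE_JSON is set, so the functions above can also be
# sourced on their own):
#   EVE_JSON=/var/log/suricata/eve.json EVEBOX_DATADIR=/var/lib/evebox sh launch.sh
if [ -n "$EVE_JSON" ]; then
    datadir=${EVEBOX_DATADIR:-/var/lib/evebox}
    prepare_datadir "$datadir" || exit 1
    exec evebox $(evebox_args sqlite "$EVE_JSON" "$datadir")
fi
```

The argument list is printed one item per line so it can be inspected before launch; the launcher itself leaves the Elasticsearch mode to the plain commands above, since that mode needs no local data directory.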