EveBox Agent

The EveBox “agent” is a tool for sending eve events directly to EveBox without the need for tools like Filebeat and/or Logstash. Events sent with the agent are handled by the EveBox server and stored in the database by the server.

Command Line Options

Usage of agent:
  -c, --config string   Configuration file
      --server string   EveBox server URL
      --stdout          Print events to stdout
  -v, --verbose         Be more verbose

Configuration File

# EveBox Agent configuration file - subject to change.

# Server information.
server:
  url: http://localhost:5636

  # Username and password. Note that at this time even with
  # authentication enabled on the EveBox server, agents can still
  # submit events without authenticating. You will need to supply a
  # username and password if running behind a reverse proxy
  # implementing authentication.
  #username: username
  #password: password

# Directory to store bookmark information. This is optional and not
# required if the agent has write access to the directory of the log
# file being read.
#bookmark-directory: "/var/lib/evebox"

# If the EveBox server is running behind TLS and the certificate is
# self-signed, certificate validation can be disabled.
#disable-certificate-check: true

# Path to log file. Only a single path is allowed at this time.
input:
  filename: "/var/log/suricata/eve.json"

  # Custom fields to add to the event. Only top level fields can be set,
  # and only simple values (string, integer) can be set.
  custom-fields:
    # Set a host field. This will override the "host" field set by
    # Suricata if the Suricata "sensor-name" option is set.
    #host: "evebox-agent"

  # The EveBox agent can add the rule to an event. To do so, list the
  # rule files here.
  rules:
    - /etc/suricata/rules/*.rules
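
An added example, not part of the EveBox documentation or code: a small Python check that reads an agent configuration like the one above and flags its transport-security settings (a plain http:// server URL to a non-loopback host, credentials configured over that URL, and disable-certificate-check set to true). The sample configurations, the hostname and the loopback exemption are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Matches an uncommented "key: value" line at any indentation.
_KV = re.compile(r"^\s*([A-Za-z][\w-]*):\s*(\S.*?)\s*$")
# Assumption of this example: traffic to a loopback address stays on the host.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def load_settings(text):
    """Collect uncommented scalars, ignoring nesting (not a general YAML parser)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0]  # drop trailing comments
        if line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def audit(text):
    """Return transport-security findings for an agent configuration."""
    s = load_settings(text)
    findings = []
    url = urlparse(s.get("url", ""))
    if url.scheme == "http" and url.hostname not in LOOPBACK:
        findings.append("events sent in cleartext to a remote server")
        if "username" in s or "password" in s:
            findings.append("credentials sent over cleartext HTTP")
    if s.get("disable-certificate-check", "false").lower() == "true":
        findings.append("TLS certificate validation disabled")
    return findings

# Constructed sample configurations; the hostname is a placeholder.
RISKY = """
server:
  url: http://evebox.example.internal:5636
  username: agent
  password: changeme
disable-certificate-check: true
"""
DEFAULT = """
server:
  url: http://localhost:5636
  #username: username
"""
if __name__ == "__main__":
    for finding in audit(RISKY):
        print("WARN:", finding)
```
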