The EveBox “agent” is a tool for sending eve events directly to an EveBox server without the need for tools like Filebeat and/or Logstash. Events sent with the agent are handled by the EveBox server and stored in the database by the server.
Command Line Only¶
If your EveBox Server is setup without any authentication all options can be provided on the command line. Example:
evebox agent --server http://hostname:5636 /var/log/suricata/eve*.json
This will process all eve log files in
/var/log/suricata and send them to
an EveBox Server hosted over at
This will store bookmark information (the last location processed in each log file) in the current directory. This is OK if you will always be lanching EveBox Agent from the same working directory, however it is recommended to use the -D option to set the data directory to a consistent location.
With a Configuration File¶
If you need options such as a username/password for the EveBox server, want to add additional fields to the Suricata EVE records or add the rules to the EVE records it is recommended to use a configuration file.
A starter configuration file can be created with the following command:
evebox print agent.yaml
You may want to redirect this to a file:
evebox print agent.yaml > agent.yaml
Then the EveBox can be started like:
evebox agent -c /path/to/agent.yaml
By default the EveBox Agent will first look in the current directory for
Command Line Options¶
Path to configuration file. If not provided the agent will look for a configuration named in
agent.yamlin the current directory then look for
Provide a directory where the Agent can store data and other state information. There is no default, but providing a directory like
/var/lib/evebox/agentand making sure that directory is writable by the agent is highly recommended.
Enables MaxMind GeoIP lookups and will add GeoIP information for events. This depends on the GeoIP database being up to date and available in standard locations.
The EveBox server to connect to. Specified like
https://my-evebox-server.domain.com:5636. Note that if using
https, the URL must use a hostname and not an IP address.
Prints events to stdout. Useful for debugging.
Specify once for debug level logging, and 2 or more times for trace level logging.
Any filenames provided on the command line will be read by the Agent and sent to the EveBox server. If filenames are specified on the command the input files in the configuration file will be ignored.
Some configuration files can be provided with environment variables. The order or precedence is:
- Command line arguments
- Environment variables
- Configuration file
A default configuration can be generated with the command:
evebox print agent.yaml
Default Configuration File¶
# EveBox Agent configuration file - subject to change. # Server information. server: url: http://10.16.1.10:5636 # Username and password. Note that at this time even with # authentication enabled on the EveBox server, agents can still # submit events without authenticating. You will need to supply and # username and password if running behind a reverse proxy # implementing authentication. #username: username #password: password # Directory to store data and state information required by the agent. This # isn't always required. If the agent has write access to the log directory it # can store bookmark information along side the eve log files. #data-directory: "/var/lib/evebox" # If the EveBox server is running behind TLS and the certificate is # self signed, certificate validation can be disabled. #disable-certificate-check: true # Path to log file. Only a single path is allowed at this time. input: #filename: "/var/log/suricata/eve.json" # The filename parameter can also contain a wildcard. filename: "/var/log/suricata/eve*.json" # If multiple paths are required, use "paths" instead of filename. #paths: # - "/var/log/suricata/sensor1/eve.json" # - "/var/log/suricata/sensor2/eve.*.json" # Additional fields that will be added to each event. This is currently limited # to strings at this time. additional-fields: #sensor-name: "my super secret sensor" # The event reader can also add the rule to alert events. Do not enable # if you already have Suricata logging the rule. #rules: # - /var/lib/suricata/rules/*.rules # - /usr/share/suricata/rules/*.rules # - /etc/suricata/rules/*.rules