jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

No Events Showing #136

Closed soca-cameron closed 4 years ago

soca-cameron commented 4 years ago

Hello,

Today I was attempting to install evebox and got quite far into the process. Just when I thought I had completed it, I can reach evebox and see the dashboard, but there are no events in there, no population of any kind.

The way I started evebox was with this command: evebox server --host {evebox host ip} --elasticsearch http://{es host ip}:9200 --index filebeat-*

I have edited the evebox config in /etc/evebox, changing only the database type to elasticsearch and the elasticsearch connection details below it, as well as disabling the certificate check, as it is an internal-only project with no TLS/SSL.

I thought that evebox would run if I had an existing elasticsearch instance, and it has successfully connected/configured as shown below:

##########################################################################
systemctl status evebox
##########################################################################
evebox server --host 192.168.225.157 --elasticsearch http://{my es ip}:9200 --index filebeat-
2020-06-16 10:52:02 (server.go:163) -- This is EveBox Server version 0.11.1 (rev: 4d1b355); os=linux, arch=amd64
2020-06-16 10:52:02 (server.go:252) -- Self test: found embedded index.html.
2020-06-16 10:52:02 (geoip-service.go:44) -- Failed to initialize geoip database: no database files found
2020-06-16 10:52:02 (configdb.go:52) -- Using in-memory configuration DB.
2020-06-16 10:52:02 (migrator.go:79) -- Updating database to version 0.
2020-06-16 10:52:02 (migrator.go:79) -- Updating database to version 1.
2020-06-16 10:52:02 (server.go:305) -- Configuring ElasticSearch datastore
2020-06-16 10:52:02 (server.go:306) -- Using ElasticSearch URL http://{my es ip}:9200
2020-06-16 10:52:02 (server.go:308) -- Using ElasticSearch Index filebeat-.
2020-06-16 10:52:02 (elasticsearch.go:109) -- Event base index: filebeat
2020-06-16 10:52:02 (elasticsearch.go:110) -- Event search index: filebeat-*
2020-06-16 10:52:02 (server.go:338) -- Connected to Elastic Search (version: 7.7.0)
2020-06-16 10:52:02 (elasticsearch.go:171) -- WARNING: Filebeat index detected: EveBox does not work well with Filebeat indexes
2020-06-16 10:52:02 (server.go:131) -- Session reaper started
2020-06-16 10:52:02 (server.go:165) -- Authentication disabled.
2020-06-16 10:52:02 (server.go:261) -- Listening on [{evebox host ip}]:5636
2020-06-16 10:52:03 (anonymous.go:64) -- Logging in anonymous user {anonymous} from 192.168.1.196:49821
##########################################################################

Any help with this issue would be massively appreciated, thank you.

jasonish commented 4 years ago

Are you using the Suricata output plugin for Filebeat? That plugin reformats the events into Elastic's ECS format which EveBox doesn't support yet.
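
The quickest way to confirm the situation the maintainer describes is to look at what the documents in the index actually look like. The script below is an added diagnostic written for this page; it is not part of this thread, of EveBox, or of Filebeat. It pulls a handful of documents from an index and classifies each as raw Suricata EVE JSON (top-level `event_type` and `timestamp`, which is what EveBox searches on) or as output of Filebeat's Suricata module, which nests the original record under `suricata.eve` and adds ECS fields such as `source.ip`. The field layout assumed for the module's output, the sample documents, and the `classify_doc`/`summarize`/`fetch_sample` helper names are all assumptions made for the example.

```python
#!/usr/bin/env python3
"""Added diagnostic (not EveBox or Filebeat code): report whether an
Elasticsearch index holds raw Suricata EVE records or records reshaped
into ECS by Filebeat's Suricata module."""
import json
import sys
import urllib.parse
import urllib.request
from collections import Counter

# Raw EVE records carry these at the top level of the document.
RAW_EVE_KEYS = {"event_type", "timestamp"}


def classify_doc(src):
    """Classify one _source dict.

    Returns 'ecs-suricata-module' when the record has been nested under
    suricata.eve (assumed layout of Filebeat's Suricata module output),
    'raw-eve' when the EVE keys sit at the top level, else 'unknown'.
    """
    suricata = src.get("suricata")
    if isinstance(suricata, dict) and "eve" in suricata:
        return "ecs-suricata-module"
    if RAW_EVE_KEYS <= src.keys():
        return "raw-eve"
    return "unknown"


def summarize(docs):
    """Count document classes over an iterable of _source dicts."""
    return dict(Counter(classify_doc(d) for d in docs))


def fetch_sample(es_url, index, size=20):
    """GET a few documents from <es_url>/<index>/_search and return their _source.

    Plain HTTP with no auth, matching the setup in this thread; adjust if your
    cluster needs TLS or credentials.
    """
    url = "%s/%s/_search?%s" % (
        es_url.rstrip("/"),
        urllib.parse.quote(index, safe="*-"),
        urllib.parse.urlencode({"size": size}),
    )
    with urllib.request.urlopen(url, timeout=10) as resp:
        body = json.load(resp)
    return [hit["_source"] for hit in body.get("hits", {}).get("hits", [])]


# Constructed sample documents (not captured from a real cluster).
RAW_SAMPLE = {
    "timestamp": "2020-06-16T10:52:02.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5",
    "dest_ip": "10.0.0.9",
    "proto": "TCP",
    "alert": {"signature": "constructed test alert", "severity": 2},
}
ECS_SAMPLE = {
    "@timestamp": "2020-06-16T10:52:02.000Z",
    "event": {"kind": "alert", "module": "suricata", "dataset": "suricata.eve"},
    "source": {"ip": "10.0.0.5"},
    "destination": {"ip": "10.0.0.9"},
    "suricata": {"eve": {"event_type": "alert",
                         "alert": {"signature": "constructed test alert"}}},
}


if __name__ == "__main__":
    # Usage: eve_index_check.py http://es-host:9200 'filebeat-*'
    if len(sys.argv) == 3:
        docs = fetch_sample(sys.argv[1], sys.argv[2])
    else:
        docs = [RAW_SAMPLE, ECS_SAMPLE]  # offline demo on the constructed samples
    for cls, n in sorted(summarize(docs).items()):
        print("%-22s %d" % (cls, n))
```

If the summary is dominated by `ecs-suricata-module`, the index matches the case the maintainer is asking about: the documents no longer have `event_type` at the top level, so EveBox's queries match nothing even though the connection itself succeeded, which is consistent with the "Filebeat index detected" warning in the startup log above.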

jasonish commented 4 years ago

Closed due to inactivity.