jasonish
commented
3 years ago I do something like this on my own router that runs Suricata.
In a directory, say ~/evebox-agent, I have a configuration file like:
input:
filename: /var/log/suricata/eve.jsonshould do.
Then I run Docker like:
cd ~/evebox-agent
docker run --rm -it \
-v $(pwd):/work \
-v /var/log/suricata:/var/log/suricata \
jasonish/evebox:latest \
evebox agent \
-D /work -c /work/config.yaml --server http://elasticsearch:5636I'm using ~/evebox-agent as my configuration directory and my "work" directory where state is stored about the location in the Suricata log file. These could be different of course.
I hope that helps!
Arjdroid
Hello, sorry if this topic was already covered in a previous issue (if it was, please tell me where to find the relevant issue) but I am unable to find it.
I have a Raspberry Pi 3B+ (32-Bit Raspbian armv7, not 64-Bit Ubuntu aarch64) already running the jasonish/suricata (it works great!, thank you) docker container and I wanted to use the docker EveBox Agent to transfer the eve.json data to a separate Debian 10 system (x8664, 4 threads, 4 GB RAM, 100Mbps) which would be running EveBox and ElasticSearch as Docker containers linked to each other. (Sidenote: Can I use the latest version of elasticstack like 7.13.x or a specific older version like 6.0.0?)_
However, I could not find information regarding running EveBox Agent on a Docker Container and on an ARM CPU. I am assuming that I have to use the same jasonish/evebox docker container but give it some different config options for Agent mode but I am not sure that is the correct method.
I would appreciate information to guide me in the correct direction as I am very new to this,
Thanks in advance.