jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

EveBox on Security Onion (Docker) #189

Closed nimaforoughi closed 2 years ago

nimaforoughi commented 2 years ago

I am running a Security Onion 2.3.91 VM and it is a secured one on Docker. How can I integrate or add EveBox to the existing Elasticsearch?

jasonish commented 2 years ago

I'm not familiar enough with Security Onion to really say. But essentially find the hostname where Elasticsearch answers on port 9200 and point EveBox there.

evebox server -e http://localhost:9200

If it's an HTTPS URL, you might have to add -k to ignore the self-signed certificate validation error.

If it requires a username and password you'll have to create a small configuration file:

database:
  type: elasticsearch
  url: https://localhost:9200
  username: elasticusername
  password: elasticpassword

Hopefully that gets you a start.

nimaforoughi commented 2 years ago

I made a config file as test.yaml:

database:
  type: elasticsearch
  url: https://192.168.0.80:9200
  username: ****
  password: ****

docker swarm init
docker swarm join --token SWMTKN-1-2n99yejsu5m3m76d52dohvr142d9ck0mupuloeub25fp2gnakg-24b7rrtgzgbkg9qdvrct3orfc 192.168.0.80:2377
docker config create test test.yaml
docker config ls
docker service create --name evebox --config test jasonish/evebox:latest

[root@securityonion evebox-0.14.0]# docker service create --name evebox --config test jasonish/evebox:latest
q4f0z1cq4f4iz6vi8ygaj87c1
overall progress: 0 out of 1 tasks
1/1: ready     [======================================> ]
verify: Detected task failure

It is stuck here and nothing happens.

jasonish commented 2 years ago

Can you get the evebox output? It should display why it can't connect to Elastic.

jasonish commented 2 years ago

Also see https://github.com/jasonish/evebox/issues/148. You'll likely need to use a host name in the URL, not an IP address, if the cert is self-signed.

jasonish commented 2 years ago

I did manage to connect EveBox to Elasticsearch on Security Onion but it's still not usable. EveBox supports Suricata events added to Elasticsearch with Logstash, Filebeat, and Filebeat with the Suricata module, which uses Elastic Common Schema (ECS), none of which match the schema that Security Onion uses.

nimaforoughi commented 2 years ago

Thank you for putting in the time. At least I know that at the moment there is no way and won't put much more time into it. Hoping for support in future versions.

nimaforoughi commented 2 years ago

Anyway, can you please share the config file and the commands you used for the connection?

jasonish commented 2 years ago

Anyway, can you please share the config file and the commands you used for the connection?

My configuration file is:

database:
  type: elasticsearch
  elasticsearch:
    username: username@domain.com
    password: password

And my Docker command was...

docker run -v $(pwd)/evebox.yaml:/etc/evebox/evebox.yaml --rm -it --net=host jasonish/evebox:master -k -e https://localhost:9200 -c /etc/evebox/evebox.yaml --ecs -i securityonion -v

On startup you should see something like:

2022-01-08 05:45:10  INFO evebox::version: This is EveBox version 0.15.0-dev (rev: 3cd98b7); x86_64-unknown-linux-musl
2022-01-08 05:45:10 DEBUG evebox::server::main: Certificate checks disabled: true
2022-01-08 05:45:11  INFO evebox::server::main: Found Elasticsearch version 7.16.2 at https://localhost:9200
2022-01-08 05:45:11 DEBUG evebox::server::main: Elasticsearch base index: securityonion
2022-01-08 05:45:11 DEBUG evebox::server::main: Elasticsearch search index pattern: securityonion-*
2022-01-08 05:45:11 DEBUG evebox::server::main: Elasticsearch ECS mode: true
2022-01-08 05:45:11  INFO evebox::server::main: Using temporary in-memory configuration database
2022-01-08 05:45:11  INFO refinery_core::traits: schema history table is empty, going to apply all migrations
2022-01-08 05:45:11  INFO refinery_core::traits::sync: applying migration: V1__Initial
2022-01-08 05:45:11  INFO evebox::server::main: Starting server on 0.0.0.0:5636, tls=false

I used my master branch as it has some fixes for ECS, but that doesn't match with SO's idea of ECS at the moment.
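The two replies above (the config-file-plus-`-k` advice earlier in the thread and the docker command with `-k -e -c --ecs -i -v` here) can be turned into a small pre-flight check run before starting the container. The following is an added example written for this thread; it is not code from the evebox project, and its function names (`preflight`, `build_args`, `probe_elasticsearch`) and the sample config are constructed. It flags an `https` URL whose host is an IP literal (the point of issue #148 when the cert is self-signed), checks that credentials are complete and not a masked placeholder, assembles the same flag list the docker command used, and, on request, performs the same version lookup EveBox logs at startup, with certificate validation switched off only when the `-k` equivalent is set.

```python
"""Pre-flight checks for pointing EveBox at an existing Elasticsearch.

Added example for this thread; not code from the evebox project, and none of
these names are EveBox APIs. It encodes the two points the replies turned on:
an https URL with a self-signed cert (the -k flag, and issue #148's advice to
use a hostname rather than an IP) and a config file carrying credentials, then
assembles the flags the docker command in the thread used.
"""
import base64
import ipaddress
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample config in the shape of the first YAML snippet posted in
# the thread; the credential values are placeholders, not real secrets.
SAMPLE_CONFIG = {
    "database": {
        "type": "elasticsearch",
        "url": "https://192.168.0.80:9200",
        "username": "elasticusername",
        "password": "elasticpassword",
    }
}


def _is_ip_literal(host):
    """True for IPv4/IPv6 literals, False for hostnames."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def preflight(config, insecure=False):
    """Return a list of findings for the database section; empty means OK.

    insecure mirrors EveBox's -k flag (skip certificate validation)."""
    findings = []
    db = config.get("database") or {}
    if db.get("type") != "elasticsearch":
        findings.append("database.type must be 'elasticsearch'")
        return findings
    url = db.get("url")
    if not url:
        findings.append("database.url missing (or pass -e on the command line)")
        return findings
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        findings.append(f"unsupported scheme {parts.scheme!r} in database.url")
    host = parts.hostname or ""
    # Issue #148: a self-signed cert is issued for a hostname, so an IP in the
    # URL will not validate unless validation is skipped with -k.
    if parts.scheme == "https" and _is_ip_literal(host) and not insecure:
        findings.append(
            "https URL uses an IP literal: a self-signed cert is unlikely to "
            "validate for it (issue #148); use the cert's hostname or add -k")
    user, pw = db.get("username"), db.get("password")
    if bool(user) != bool(pw):
        findings.append("username and password must be set together")
    if pw and set(pw) <= {"*"}:
        findings.append("password is a masked placeholder, not a real value")
    return findings


def build_args(config, insecure=False, ecs=False, index=None,
               config_path="/etc/evebox/evebox.yaml", verbose=False):
    """Assemble the flags used in the thread's docker command (-k -e -c --ecs -i -v)."""
    args = []
    if insecure:
        args.append("-k")
    args += ["-e", config["database"]["url"], "-c", config_path]
    if ecs:
        args.append("--ecs")
    if index:
        args += ["-i", index]
    if verbose:
        args.append("-v")
    return args


def probe_elasticsearch(config, insecure=False, timeout=5):
    """GET the cluster root and return its version string (e.g. '7.16.2').

    Network call. Same trust decision as -k: insecure=True disables cert checks."""
    db = config["database"]
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(db["url"])
    if db.get("username"):
        token = base64.b64encode(f"{db['username']}:{db['password']}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)["version"]["number"]


if __name__ == "__main__":
    for finding in preflight(SAMPLE_CONFIG):
        print("finding:", finding)
    print("args:", " ".join(build_args(SAMPLE_CONFIG, insecure=True, ecs=True,
                                       index="securityonion", verbose=True)))
```

Run against the sample config it reports the IP-literal finding; with `insecure=True` (the `-k` case) that finding disappears, which is exactly the trade the thread describes: the connection works, but the certificate is no longer checked. `probe_elasticsearch` is only worth calling once `preflight` returns nothing, and its result should match the "Found Elasticsearch version ..." line EveBox logs at startup.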

MANN0M1 commented 2 years ago

Is there a way to install EveBox on the Raspberry Pi 4 (AArch64)?

jasonish commented 2 years ago

Yes, there are arm64/aarch64 binaries in the download directories. The Docker containers will also work on arm64.

jasonish commented 2 years ago

Closing. New issue for Security Onion schema support is at https://github.com/jasonish/evebox/issues/190.