Closed (bolemo closed this 2 years ago)
Try:
docker run -it -p 5636:5636 --net elk_default --link elk_elasticsearch_1 jasonish/evebox:master evebox server
If you are using the Filebeat Suricata plugin you will also need to add `--ecs` and `--index filebeat`. You might also need to add `-e http://1.2.3.4:9200`, but replace with the IP address that EveBox can reach your Elasticsearch server at.
Note that ECS isn't fully supported as well, if using the Filebeat Suricata module you are using ECS.
Thank you, getting there…
~# docker run -it -p 5636:5636 --net elk_default --link elk_elasticsearch_1 jasonish/evebox:master evebox server --ecs --index filebeat -e https://ELASTIC_IP:9200
2022-07-03 21:47:57 INFO evebox::version: This is EveBox version 0.16.0-dev (rev: fda16bf); x86_64-unknown-linux-musl
2022-07-03 21:47:57 WARN evebox::server::main: Failed to get Elasticsearch version from https://ELASTIC_IP:9200, will try again: Reqwest(reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Ipv4(ELASTIC_IP)), port: Some(9200), path: "/", query: None, fragment: None }, source: hyper::Error(Connect, Custom { kind: Other, error: "invalid dnsname" }) })
All I need I think is how to communicate the login/pass for Elasticsearch and probably a path to the certificate… I suppose with some ENV variables and a volume pointing to the certs dir?
There are no env vars to automatically pick this stuff up. So you'd want to look at the docs for doing TLS and authentication without Docker, and adapt to docker yourself. You'll need a server configuration file and self certs at the very least.
Yes, I know this isn't ideal. The Docker usage covered in the docs is for the most basic usage, anything other than the most basic usage is left up to the user for now.
Ok, thank you :) That is simple enough; I will post my procedure here once it is all set.
Seems I am not able to get evebox in the container to read a configuration file…
Tried this way:
docker run -it -p 5636:5636 -v HOST_PATH_TO_EVEBOX_CONF_DIR:/var/lib/evebox/ -e EVEBOX_DATA_DIRECTORY=/var/lib/evebox --net elk_default --link elk_elasticsearch_1 jasonish/evebox:master evebox server -D /var/lib/evebox/
But obviously it does not read the configuration file evebox.yaml I did put in HOST_PATH_TO_EVEBOX_CONF_DIR (aka /var/lib/evebox/evebox.yaml for the binary running inside the container).
I also tried from within the container with -D option, no success…
Try adding: -c /path/to/evebox.yaml ?
Thank you, some progress!
~# docker run -it -p 5636:5636 -v /volume2/docker/elk/evebox/etc/:/var/lib/evebox/ -e EVEBOX_DATA_DIRECTORY=/var/lib/evebox --net elk_default --link elk_elasticsearch_1 jasonish/evebox:master evebox server -D /var/lib/evebox/ -c /var/lib/evebox/evebox.yaml
2022-07-05 20:26:07 INFO evebox::version: This is EveBox version 0.16.0-dev (rev: fda16bf); x86_64-unknown-linux-musl
2022-07-05 20:26:07 INFO evebox::server::main: Found Elasticsearch version 8.3.1 at https://elasticsearch:9200
2022-07-05 20:26:07 INFO evebox::server::main: Configuration database filename: "/var/lib/evebox/config.sqlite"
2022-07-05 20:26:07 INFO refinery_core::traits: current version: 1
2022-07-05 20:26:07 INFO refinery_core::traits::sync: no migrations to apply
2022-07-05 20:26:07 INFO evebox::server::main: Starting server on 0.0.0.0:5636, tls=false
So it starts and reads the configuration file :)
Now all I need is to tweak it so it reads the actual filebeat (I did put the index in the config, but probably wrong).
At least, it starts, so now it is all about config ;)
Forgot the --ecs
all is fine now 👍
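The "invalid dnsname" failure earlier in this thread went away once the Elasticsearch URL used the `--link` alias (`https://elasticsearch:9200`) instead of a bare IP: a TLS client has to match the server name against the certificate, and rustls-based clients reject an IP literal as a DNS name outright. The wrapper below, an added example that is not part of the EveBox project or of this thread, checks the URL for that pitfall before assembling the docker run line the thread converged on (config dir mounted at `/var/lib/evebox`, `-c` pointing at `evebox.yaml`, `--ecs --index filebeat`). The host config directory path and the Elasticsearch URL are caller-supplied placeholders.

```shell
#!/bin/sh
# Added example, not EveBox project code. Assumes the container layout used in
# the thread: host config dir mounted at /var/lib/evebox, evebox.yaml inside it.

# Classify an Elasticsearch URL for EveBox's -e option:
#   plain   -> http://..., no TLS involved
#   ip      -> https:// with an IPv4 literal, which fails with "invalid dnsname"
#   ok      -> https:// with a hostname that can be matched against the cert
#   invalid -> anything else (no scheme, empty host, ...)
es_url_kind() {
  url="$1"
  case "$url" in
    https://*) host="${url#https://}" ;;
    http://*)  echo plain; return 0 ;;
    *)         echo invalid; return 1 ;;
  esac
  host="${host%%/*}"   # drop any path
  host="${host%%:*}"   # drop the port (IPv4/hostname only; IPv6 not handled)
  case "$host" in
    "")        echo invalid; return 1 ;;
    *[!0-9.]*) echo ok ;;   # contains a letter or dash: a DNS name
    *)         echo ip ;;   # digits and dots only: an IPv4 literal
  esac
}

# Print (do not run) the docker command line. Refuses an https URL with an IP
# literal and points at the --link alias, which is what fixed it in the thread.
evebox_docker_cmd() {
  conf_dir="$1"   # host directory containing evebox.yaml (and any CA cert)
  es_url="$2"
  kind="$(es_url_kind "$es_url")" || return 1
  if [ "$kind" = "ip" ]; then
    echo "refusing $es_url: use the container alias (e.g. https://elasticsearch:9200)" >&2
    echo "so the server name can be verified against the certificate" >&2
    return 1
  fi
  printf '%s\n' "docker run -it -p 5636:5636 -v $conf_dir:/var/lib/evebox/ -e EVEBOX_DATA_DIRECTORY=/var/lib/evebox --net elk_default --link elk_elasticsearch_1 jasonish/evebox:master evebox server -D /var/lib/evebox/ -c /var/lib/evebox/evebox.yaml --ecs --index filebeat -e $es_url"
}

# Usage: evebox_docker_cmd /path/on/host/evebox/etc https://elasticsearch:9200
```

Run the printed command by hand once it looks right; the function deliberately only prints it so the URL check can be exercised without Docker present. Credentials and the CA certificate path still have to go into `evebox.yaml` as the maintainer describes above; this script does not generate that file.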
Hello,
I have Suricata 6.0.5 running on a device, with Filebeat 8.3.1 shipping to the Elasticsearch server.
On the server device, I have two containers, one with Elasticsearch 8.3.1 and the other with Kibana 8.3.1. All of this is working pretty well as I can see Suricata events and alerts in Kibana [Filebeat Suricata].
Now, I try to add Evebox on the server as a third container (related to my NIDS). I used the following commands (elk_default being the docker network shared by elastic and kibana):
As a result, I get this output:
And the container exits with code 1
I would suspect some settings have to be given somewhere, but the instructions in the readme are not mentioning any other step…
Thank you