jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

Simply not working #211

Closed bolemo closed 2 years ago

bolemo commented 2 years ago

Hello,

I have Suricata 6.0.5 running on a device, with Filebeat 8.3.1 shipping to the Elasticsearch server.

On the server device, I have two containers, one with Elasticsearch 8.3.1 and the other with Kibana 8.3.1. All of this is working pretty well, as I can see Suricata events and alerts in Kibana [Filebeat Suricata].

Now, I am trying to add EveBox on the server as a third container (related to my NIDS). I used the following commands (elk_default being the docker network shared by elastic and kibana):

docker pull jasonish/evebox:latest
docker run -it -p 5636:5636 --net elk_default --link elk_elasticsearch_1 jasonish/evebox:latest

As a result, I get this output:

EveBox 0.14.0

USAGE:
    EveBox [FLAGS] [OPTIONS] [SUBCOMMAND]

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information
    -v, --verbose    Increase verbosity

OPTIONS:
    -D, --data-directory <DIR>    Data directory

SUBCOMMANDS:
    agent             EveBox Agent
    config            
    elastic-debug     
    elastic-import    Import to Elastic Search
    help              Prints this message or the help of the given subcommand(s)
    oneshot           Import a single eve.json and review in EveBox
    server            EveBox Server
    sqlite-import     Import to SQLite
    version           Display version

And the container exits with code 1

I would suspect some settings have to be given somewhere, but the instructions in the readme do not mention any other step…

Thank you

jasonish commented 2 years ago

Try:

docker run -it -p 5636:5636 --net elk_default --link elk_elasticsearch_1 jasonish/evebox:master evebox server

If you are using the Filebeat Suricata plugin you will also need to add --ecs and --index filebeat. You might also need to add `-e http://1.2.3.4:9200`, but replace with the IP address that EveBox can reach your Elasticsearch server at.

Note that ECS isn't fully supported either; if you are using the Filebeat Suricata module, you are using ECS.

bolemo commented 2 years ago

Thank you, getting there…

~# docker run -it -p 5636:5636 --net elk_default --link elk_elasticsearch_1 jasonish/evebox:master evebox server --ecs --index filebeat -e https://ELASTIC_IP:9200
2022-07-03 21:47:57  INFO evebox::version: This is EveBox version 0.16.0-dev (rev: fda16bf); x86_64-unknown-linux-musl
2022-07-03 21:47:57  WARN evebox::server::main: Failed to get Elasticsearch version from https://ELASTIC_IP:9200, will try again: Reqwest(reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Ipv4(ELASTIC_IP)), port: Some(9200), path: "/", query: None, fragment: None }, source: hyper::Error(Connect, Custom { kind: Other, error: "invalid dnsname" }) })

All I need I think is how to communicate the login/pass for Elasticsearch and probably a path to the certificate… I suppose with some ENV variables and a volume pointing to the certs dir?

jasonish commented 2 years ago

There are no env vars to automatically pick this stuff up. So you'd want to look at the docs for doing TLS and authentication without Docker, and adapt to docker yourself. You'll need a server configuration file and self certs at the very least.

Yes, I know this isn't ideal. The Docker usage covered in the docs is for the most basic usage, anything other than the most basic usage is left up to the user for now.

bolemo commented 2 years ago

Ok, thank you :) That is simple enough ; I will post my procedure here once it will be all set.

bolemo commented 2 years ago

Seems I am not able to get evebox in the container to read a configuration file… Tried this way:

docker run -it -p 5636:5636 -v HOST_PATH_TO_EVEBOX_CONF_DIR:/var/lib/evebox/ -e EVEBOX_DATA_DIRECTORY=/var/lib/evebox --net elk_default --link elk_elasticsearch_1 jasonish/evebox:master evebox server -D /var/lib/evebox/

But obviously it does not read the configuration file evebox.yaml I did put in HOST_PATH_TO_EVEBOX_CONF_DIR (aka /var/lib/evebox/evebox.yaml for the binary running inside the container).

I also tried from within the container with -D option, no success…

jasonish commented 2 years ago

Try adding: -c /path/to/evebox.yaml?

bolemo commented 2 years ago

Thank you, some progress!

~# docker run -it -p 5636:5636 -v /volume2/docker/elk/evebox/etc/:/var/lib/evebox/ -e EVEBOX_DATA_DIRECTORY=/var/lib/evebox --net elk_default --link elk_elasticsearch_1 jasonish/evebox:master evebox server -D /var/lib/evebox/ -c /var/lib/evebox/evebox.yaml
2022-07-05 20:26:07  INFO evebox::version: This is EveBox version 0.16.0-dev (rev: fda16bf); x86_64-unknown-linux-musl
2022-07-05 20:26:07  INFO evebox::server::main: Found Elasticsearch version 8.3.1 at https://elasticsearch:9200
2022-07-05 20:26:07  INFO evebox::server::main: Configuration database filename: "/var/lib/evebox/config.sqlite"
2022-07-05 20:26:07  INFO refinery_core::traits: current version: 1    
2022-07-05 20:26:07  INFO refinery_core::traits::sync: no migrations to apply    
2022-07-05 20:26:07  INFO evebox::server::main: Starting server on 0.0.0.0:5636, tls=false

So it starts and reads the configuration file :)

Now all I need is to tweak it so it reads the actual filebeat (I did put the index in the config, but probably wrong).

[Screenshot, 2022-07-05 22:27:06]

At least, it starts, so now it is all about config ;)

bolemo commented 2 years ago

Forgot the --ecs all is fine now 👍

[Screenshot, 2022-07-05 23:01:40]
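As an added example that is not part of this thread or of the EveBox project: a POSIX sh launcher that checks, before starting the container, the three things that went wrong or were asked about above (an https URL whose host is an IP literal, where the Elasticsearch credentials live, and the permissions on the configuration file) and then assembles the docker run line. The image, port 5636, the elk_default network and the server flags -D, -c, --ecs, --index filebeat and -e are the ones used in the thread; the /etc/evebox mount point, the container name, the script name and the function names are assumptions. The evebox.yaml keys for the Elasticsearch username, password and CA certificate are not shown here; take them from the EveBox server configuration documentation, as suggested above.

```shell
#!/bin/sh
# Added example, not EveBox project code: preflight the settings this
# thread converged on, then start the EveBox container.
# From the thread: image, port 5636, network elk_default, flags -D, -c,
# --ecs, --index filebeat, -e.  Assumed: the /etc/evebox mount point, the
# container name "evebox", and the function/variable names below.

# Check the Elasticsearch URL before EveBox tries it.
#  - https:// with an IP literal host fails in the thread with
#    "invalid dnsname": the TLS stack behind EveBox's HTTP client
#    validates the certificate against a DNS name, so use the container
#    name on the Docker network (the working run uses
#    https://elasticsearch:9200).
#  - credentials embedded in the URL show up in `ps` and `docker inspect`;
#    they belong in evebox.yaml.
#  - http:// is acceptable only when no credentials are sent, otherwise
#    the Elasticsearch password crosses the network in clear.
es_url_ok() {
    url=$1
    with_creds=${2:-no}
    authority=${url#*://}
    authority=${authority%%/*}
    case $authority in
        *@*) echo "refusing URL with embedded credentials; put them in evebox.yaml" >&2; return 1 ;;
    esac
    case $url in
        https://*)
            case $authority in
                \[*) echo "refusing https:// with IPv6 literal host" >&2; return 1 ;;
            esac
            host=${authority%%:*}
            case $host in
                "") echo "missing host in '$url'" >&2; return 1 ;;
                *[!0-9.]*) return 0 ;;
                *) echo "refusing https:// with IP literal host '$host'; use a DNS name" >&2; return 1 ;;
            esac
            ;;
        http://*)
            [ "$with_creds" = yes ] && { echo "refusing http:// with credentials configured" >&2; return 1; }
            return 0
            ;;
        *)
            echo "unsupported scheme in '$url'" >&2
            return 1
            ;;
    esac
}

# The mounted config directory must hold evebox.yaml and, because that
# file carries the Elasticsearch credentials, it must not be readable by
# group or others. Permission bits are read portably from ls -l.
config_ok() {
    cfg=$1/evebox.yaml
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    perms=$(ls -l "$cfg" | cut -c5-10)
    case $perms in
        ------) return 0 ;;
        *) echo "$cfg is group/world readable (mode ...$perms); chmod 600 it" >&2; return 1 ;;
    esac
}

# Assemble the docker run command. The config directory is mounted
# read-only; the data directory stays writable because EveBox creates
# config.sqlite there (see the server log above). The UI is bound to
# loopback by default because the server reports tls=false.
build_docker_cmd() {
    conf_dir=$1
    data_dir=$2
    es_url=$3
    bind=${4:-127.0.0.1}
    image=${5:-jasonish/evebox:master}
    cmd="docker run -d --name evebox -p $bind:5636:5636 --net elk_default"
    cmd="$cmd -v $conf_dir:/etc/evebox:ro -v $data_dir:/var/lib/evebox"
    cmd="$cmd $image evebox server -D /var/lib/evebox -c /etc/evebox/evebox.yaml"
    cmd="$cmd --ecs --index filebeat -e $es_url"
    printf '%s\n' "$cmd"
}

main() {
    conf_dir=${1:?usage: $0 CONF_DIR DATA_DIR ES_URL}
    data_dir=${2:?usage: $0 CONF_DIR DATA_DIR ES_URL}
    es_url=${3:?usage: $0 CONF_DIR DATA_DIR ES_URL}
    config_ok "$conf_dir" || exit 1
    es_url_ok "$es_url" yes || exit 1
    cmd=$(build_docker_cmd "$conf_dir" "$data_dir" "$es_url")
    echo "+ $cmd"
    eval "$cmd"
}

# Only launch when EVEBOX_LAUNCH=1 is set, so the functions can also be
# sourced and checked without starting anything.
case ${EVEBOX_LAUNCH:-} in
    1) main "$@" ;;
esac
```

Assuming the script is saved as evebox-launch.sh, it is run as `EVEBOX_LAUNCH=1 ./evebox-launch.sh /volume2/docker/elk/evebox/etc /volume2/docker/elk/evebox/data https://elasticsearch:9200`. The `--link` from the thread is dropped: on a user-defined Docker network such as elk_default, containers already resolve each other by name, which is also why the name form of the URL works where the IP form does not. The UI is published on 127.0.0.1 because the server log shows tls=false; publish it on 0.0.0.0 only behind a TLS reverse proxy or after enabling TLS and authentication in evebox.yaml.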