
Question about the use of Evebox agent

Open ngms17 opened this issue 1 year ago • 3 comments

Hi,

I have 2 different machines, one of which runs Suricata and the other runs the ELK stack. From my understanding, to use the evebox agent I need to install evebox on both machines so that the agent can collect logs from the Suricata machine and then send them to the evebox server (the server running the ELK stack). Is this correct?

Thank you

ngms17 avatar Aug 29 '22 14:08 ngms17

That is correct. At this time the evebox agent only connects to the evebox server, where the evebox server will add the events to Elasticsearch, but in a Logstash-compatible way. If you are using the Filebeat Suricata module, which uses ECS, then I would not recommend using the evebox agent at all, as you'll end up with events in different schemas.

jasonish avatar Aug 29 '22 16:08 jasonish

Ok, thanks for the help.

I noticed that evebox takes a lot of time if I filter for the last 12 or 24 hours. I have a lot of indexed events, but is there any option to tune evebox for better performance?

ngms17 avatar Aug 29 '22 16:08 ngms17

It would be useful if you could isolate the issue to Evebox or Elasticsearch. One issue is that you cannot paginate aggregate queries from Elastic, or at least you couldn't in the past, so probably something I should look into again. What this means is that ALL entries are downloaded to the browser, even if only 100 are being shown on the display, and the "older" ones you can page to were also downloaded and stored in memory.

So for example, if you see "Showing 1-100 of 126" or something like that and it is still taking a long time, it could be that your Elasticsearch server may not be powerful enough. If you are seeing something more like "Show 1-100 of 900" then a lot of time is probably spent in the browser, which is more of an Evebox thing which I do not have a solution for yet.

jasonish avatar Aug 29 '22 16:08 jasonish
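The reply above attributes the slow 12/24-hour view to aggregate results being downloaded in full and held in the browser rather than paged. As an added example, not code from the Evebox project or from anyone in this thread, the block below shows what server-side paging of such an aggregate looks like with Elasticsearch's composite aggregation and its `after` cursor: alerts are grouped by signature and fetched a page at a time, so each round trip carries at most one page of buckets. The index pattern `logstash-*` and the field names `alert.signature.keyword`, `event_type` and `@timestamp` are assumptions about the mapping, and `fake_search` is a constructed offline stand-in for `_search` so the example runs without a cluster.

```python
"""Paging an aggregate query over Suricata EVE alerts with a composite aggregation.

Added example; not code from the Evebox project or from this thread.
Labelled assumptions: the index pattern "logstash-*" and the field names
"alert.signature.keyword", "event_type" and "@timestamp" are placeholders
for whatever mapping your Logstash/Evebox pipeline actually produces.
"""
from typing import Callable, Optional

INDEX_PATTERN = "logstash-*"  # assumption: Logstash-style index prefix


def build_alert_groups_query(hours: int, after_key: Optional[dict] = None,
                             page_size: int = 100) -> dict:
    """Request body that groups alerts from the last `hours` hours by signature.

    A composite aggregation returns at most `page_size` buckets per call and
    accepts an `after` cursor, so the caller fetches one page per round trip
    instead of receiving every bucket at once.
    """
    composite = {
        "size": page_size,
        "sources": [{"signature": {"terms": {"field": "alert.signature.keyword"}}}],
    }
    if after_key is not None:
        composite["after"] = after_key
    return {
        "size": 0,  # no raw hits, only the aggregation buckets
        "query": {"bool": {"filter": [
            {"term": {"event_type": "alert"}},
            {"range": {"@timestamp": {"gte": f"now-{hours}h"}}},
        ]}},
        "aggs": {"by_signature": {"composite": composite}},
    }


def next_page(response: dict, page_size: int) -> tuple:
    """Split one response into (buckets, cursor). A page shorter than
    `page_size` means the result set is exhausted, so the cursor becomes None."""
    agg = response["aggregations"]["by_signature"]
    buckets = [(b["key"]["signature"], b["doc_count"]) for b in agg["buckets"]]
    after = None if len(buckets) < page_size else agg.get("after_key")
    return buckets, after


def walk_pages(search: Callable[[dict], dict], hours: int, page_size: int = 100) -> tuple:
    """Collect every bucket page by page; returns (buckets, round_trips).
    `search` is any callable that posts a body to `<INDEX_PATTERN>/_search`."""
    results, after, trips = [], None, 0
    while True:
        body = build_alert_groups_query(hours, after, page_size)
        buckets, after = next_page(search(body), page_size)
        trips += 1
        results.extend(buckets)
        if after is None:
            return results, trips


# Constructed sample data standing in for an Elasticsearch index (not real alerts).
SAMPLE_BUCKETS = [
    ("ET SCAN Potential SSH Scan", 412),
    ("ET POLICY curl User-Agent Outbound", 58),
    ("SURICATA STREAM excessive retransmissions", 903),
    ("ET INFO DNS Query to a .top domain", 17),
    ("SURICATA TLS invalid record type", 44),
    ("ET SCAN Nmap Scripting Engine User-Agent", 6),
    ("ET DNS Query for .onion", 2),
]


def fake_search(body: dict) -> dict:
    """Offline stand-in for `_search`, mimicking composite paging semantics:
    buckets are ordered by key and resume strictly after the `after` cursor."""
    comp = body["aggs"]["by_signature"]["composite"]
    ordered = sorted(SAMPLE_BUCKETS)
    after = comp.get("after")
    if after is not None:
        ordered = [b for b in ordered if b[0] > after["signature"]]
    page = ordered[:comp["size"]]
    agg = {"buckets": [{"key": {"signature": s}, "doc_count": n} for s, n in page]}
    if page:
        agg["after_key"] = {"signature": page[-1][0]}
    return {"aggregations": {"by_signature": agg}}


if __name__ == "__main__":
    buckets, trips = walk_pages(fake_search, hours=24, page_size=3)
    print(f"{len(buckets)} signatures in {trips} round trips")
```

With a real cluster, `search` would be a thin wrapper that posts the body to `<INDEX_PATTERN>/_search` and returns the decoded JSON; the paging logic is unchanged. Whether the time goes into each round trip or into rendering is then easy to separate: log the duration of every `search` call and compare it to the total, which is the isolation step the reply asks for.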