kerf07
commented
5 months ago i started evebox server with -vvv and, after refresh page in browser, saw "evebox::sqlite::eventrepo::alerts: Rows=0, Elapsed=1 ms" in logs
Closed kerf07 closed 5 months ago
kerf07
commented
5 months ago i started evebox server with -vvv and, after refresh page in browser, saw "evebox::sqlite::eventrepo::alerts: Rows=0, Elapsed=1 ms" in logs
jasonish
commented
5 months ago This is very much how I use EveBox myself. With -vvv on the agent and server you should see something like:
2024-02-03 17:14:14 TRACE evebox::agent::importer: Committing 3 events (bytes: 2693)
2024-02-03 17:14:14 TRACE evebox::bookmark: Writing bookmark /data/eb0e870c1998c30087f3be2ea20af6e0.bookmark2024-02-03 17:15:19 DEBUG evebox::sqlite::importer: Committed 3 events in 2 msAre you running the server and the agent on the same machine? If so, you could drop the agent and just modify the server unit file, or the server configuration file and have it consume the logs directly.
See input at https://evebox.org/docs/server/configuration
Might at least help with figuring out whats going on.
I assume the version is 0.17.2?
kerf07
commented
5 months ago Thank you for your frequent answer! And for advice to use only server (without agent). While reading events.sqlite I mentioned that all records has "stats" type. And then I realized that for some reason my Suricata didn't detect any alerts. Further research has shown that iptables rules, responsible for the work of IPS mode of Suricata, disappeared. I set them back, and working capacity of Suricata and Evebox has been restored.
I installed Evebox with sqlite on my server with suricata. it seems to run correct, without errors.
it also collect events id DB
But doesn't show events in interface
And i can't understand the reason