EveBox: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 6: | Zeile 6: | ||
*Liest direkt die Datei /var/log/suricata/eve.json | *Liest direkt die Datei /var/log/suricata/eve.json | ||
| − | = | + | =Installation= |
| − | * | + | *sudo apt-get install curl |
| − | *apt | + | *curl -fsSL https://evebox.org/files/GPG-KEY-evebox -o /etc/apt/keyrings/evebox.asc |
| + | *echo "deb [signed-by=/etc/apt/keyrings/evebox.asc] https://evebox.org/files/debian stable main" | sudo tee /etc/apt/sources.list.d/evebox.list | ||
| + | *sudo apt-get update | ||
| + | *sudo apt-get install evebox | ||
=Konfiguration= | =Konfiguration= | ||
Version vom 24. April 2025, 18:09 Uhr
EveBox als Weboberfläche für Suricata (Docker, lokal mit SQLite)
- Ziel
- Einfache grafische Oberfläche für Suricata-Alerts via Webbrowser
- Kein Elasticsearch, keine externe DB – rein lokal via Docker
- Liest direkt die Datei /var/log/suricata/eve.json
Installation
- sudo apt-get install curl
- curl -fsSL https://evebox.org/files/GPG-KEY-evebox -o /etc/apt/keyrings/evebox.asc
- echo "deb [signed-by=/etc/apt/keyrings/evebox.asc] https://evebox.org/files/debian stable main" | sudo tee /etc/apt/sources.list.d/evebox.list
- sudo apt-get update
- sudo apt-get install evebox
Konfiguration
- vi /opt/evebox/docker-compose.yml
services:
evebox:
image: jasonish/evebox:latest
container_name: evebox
restart: unless-stopped
volumes:
- /var/log/suricata:/var/log/suricata:ro
ports:
- "5636:5636"
command: ["evebox", "server", "--datastore", "sqlite", "--input", "/var/log/suricata/eve.json"]
Start
- cd /opt/evebox
- docker-compose up -d
Zugriff
- Weboberfläche im Browser öffnen: https://localhost:5636
Suricata-Konfiguration für eve.json aktivieren
- /etc/suricata/suricata.yaml*
outputs:
- eve-log:
enabled: yes
filetype: regular
filename: eve.json
types:
- alert
- http
- dns
- tls
- flow
- ssh
- stats
- Suricata danach neu starten:
- systemctl restart suricata
- oder: suricata -D -q 0 -c /etc/suricata/suricata.yaml