# EveBox Server configuration file.
# Path to the data directory. This directory holds data for EveBox
# such as the configuration/user/authentication database, and SQLite
# database files if the sqlite database is being used. It needs to be
# writable by the user EveBox is running as. If not set it will
# default to the current directory.
#data-directory: /var/lib/evebox
http:
tls:
# Enable or disable TLS.
# env: EVEBOX_HTTP_TLS_ENABLED
enabled: false
# Path to certificate PEM file.
# env: EVEBOX_HTTP_TLS_CERTIFICATE
#certificate: /path/to/cert.pem
# Path to key PEM file.
# env: EVEBOX_HTTP_TLS_KEY
#key: /path/to/key.pem
# If behind a reverse proxy set to true so the proper IP address of
# clients can be logged.
# Default: false
# env: EVEBOX_HTTP_REVERSE_PROXY
#reverse-proxy: true
# Enable HTTP request logging. This can be very verbose.
# Default: false
# env: EVEBOX_HTTP_REQUEST_LOGGING
#request-logging: true
# Database configuration.
database:
# Database type: elasticsearch, sqlite.
type: postgresql
elasticsearch:
url: http://10.16.1.10:9200
index: logstash
disable-certificate-check: false
# The keyword to use for terms query. EveBox will do its best to
# figure this out on its own, but if you need to override it, you
# can do so here. The usual values are:
# raw -> Logstash / Elastic Search < 5.
# keyword -> Logstash / Elastic Search >= 5.
# "" -> Filebeat / Elastic Search >= 5.
# Note that a quoted empty string is required to force an empty string.
#keyword: ""
#username: username
#password: password
postgresql:
# If managed, EveBox will manage its own PostgreSQL instance using
# PostgreSQL found on the path.
managed: true
# If not managed...
# PostgreSQL hostname (default: localhost; env: PGHOST)
#host:
# PostgreSQL port (default: 5432; env: PGPORT)
#port:
# Database name (default: evebox; env: PGDATABASE)
#database:
# Database user (default: evebox; env: PGUSER)
#user:
# Password (default: ""; env: PGPASSWORD)
#password:
# Retention period in days. 0 or comment out to disable.
# Currently only applies to SQLite, not Elastic Search.
#retention-period: 3
authentication:
# Default: false
# env: EVEBOX_AUTHENTICATION_REQUIRED
required: no
# Type of login required:
# - username -- just a username...
# - usernamepassword -- username and password
# env: EVEBOX_AUTHENTICATION_TYPE
type: usernamepassword
# A little message that is displayed in the login dialog.
#login-message: Some message here...
# The server can process a log file, eliminating the need for a
# separate agent process if on the same machine.
input:
# Toggle to disable the input without commenting it out.
enabled: false
# Filename to read.
filename: "/var/log/suricata/eve.json"
# Bookmark directory, as with the agent if the server can't write to
# the directory where the above log file is, you need to provide
# this.
#bookmark-directory: /var/lib/evebox
# Custom fields to add to the event. Only top level fields can be set,
# and only simple values (string, integer) can be set.
custom-fields:
# Set a host field. This will override the "host" field set by
# Suricata if the Suricata "sensor-name" option is set.
#host: "evebox-server"
# The event reader can also add the rule to alert events. Do not enable
# if you already have Suricata logging the rule.
#rules:
# - /var/lib/suricata/rules/*.rules
# - /usr/share/suricata/rules/*.rules
# - /etc/suricata/rules/*.rules
geoip:
disabled: false
# Path to the MaxMind database. This must be the version 2 database
# (http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz)
# File must be ungzipped.
#
# This is temporary, EveBox will eventually support downloading and
# updateing the geo database itself.
database: /etc/evebox/GeoLite2-City.mmdb
# Event services: links that will be provided on events to link to additonal
# services.
event-services:
# Custom service to link the rule in Scirius.
- type: custom
enabled: false
name: Scirius
# Only make available for alert types.
event-types:
- alert
# URL template. All eve values can be used.
url: https://10.16.1.179/rules/rule/{{alert.signature_id}}
# Custom service to link to Dumpy for full packet capture.
#
# This one has no event-types meaning its available for all event types.
- type: custom
enabled: false
name: Dumpy
# The URL template, {{raw}} expands to the raw eve event as a JSON
# string which is then url encoded.
url: http://10.16.1.1:7000/?event={{raw}}
# Open in new window. The default is the same window.
target: new