Running
=======

Using an Existing ELK Stack
---------------------------

Assuming you already have a working Suricata, Elasticsearch, Logstash
and Kibana stack, EveBox should just work when pointed at your
Elasticsearch server.

Example::

    evebox server -v -e http://elasticsearch:9200

This assumes the default Logstash index naming,
``logstash-{YYYY.MM.DD}``. If another index prefix is in use it must be
given with the ``-i`` option::

    evebox server -v -e http://elasticsearch:9200 -i indexprefix

Consuming Events and Using Elasticsearch
----------------------------------------

If you do not have an existing ELK stack but can provide an
Elasticsearch server, EveBox can ship the events to Elasticsearch
itself.

Example usage::

    evebox server -v -e http://elasticsearch:9200 --input /var/log/suricata/eve.json

.. note:: If you do not wish to run EveBox on the same machine as
          Suricata you can use the :doc:`agent` to ship events to the
          EveBox server.

Using the Embedded SQLite Database
----------------------------------

If installing Elasticsearch is not an option, the embedded SQLite
database can be used instead::

    evebox server -v -D . --datastore sqlite --input /var/log/suricata/eve.json

.. note:: The ``-D`` parameter tells EveBox where to store data files
          such as the SQLite database. While the current directory or a
          temporary directory is fine for testing, use a dedicated,
          persistent directory such as ``/var/lib/evebox`` for long-term
          use, and restrict its permissions: the database holds your
          full event data.
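
The following shell snippet is an added example for the SQLite setup
above; it is not part of EveBox or its documentation. It creates the
persistent data directory with owner-only write access, refuses to start
if the ``eve.json`` input is not readable, and builds the matching
``evebox server`` command line. The directory ``/var/lib/evebox`` and the
account name ``evebox`` are assumptions, not project defaults.

```shell
#!/bin/sh
# Added example (not EveBox project code): prepare a persistent data
# directory for the embedded SQLite datastore and build the matching
# `evebox server` command. Assumed, not project defaults: the path
# /var/lib/evebox and the service account name "evebox".
set -eu

# Create DIR (default /var/lib/evebox) with mode 0750 so the SQLite
# database and its journal files are not world-readable. Ownership is
# only changed when running as root and the account exists, since chown
# needs privileges. Prints the directory path.
prepare_datadir() {
    dir=${1:-/var/lib/evebox}
    owner=${2:-evebox}
    mkdir -p "$dir"
    chmod 0750 "$dir"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner" "$dir"
    fi
    printf '%s\n' "$dir"
}

# Print the command that runs EveBox with the SQLite datastore in DIR,
# reading events from EVE (default /var/log/suricata/eve.json). The input
# must be readable by the user EveBox runs as; fail early if it is not,
# rather than letting the server start with no events.
evebox_sqlite_cmd() {
    dir=$1
    eve=${2:-/var/log/suricata/eve.json}
    if [ ! -r "$eve" ]; then
        echo "eve.json not readable: $eve" >&2
        return 1
    fi
    printf 'evebox server -v -D %s --datastore sqlite --input %s\n' "$dir" "$eve"
}

# Report the octal mode of DIR (GNU stat) so a deployment check can
# assert that the data directory stayed private.
datadir_mode() {
    stat -c %a "$1"
}
```

Run ``prepare_datadir`` once as root during installation, then start the
server with the command ``evebox_sqlite_cmd`` prints, under the
unprivileged account that owns the directory.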