Releases: jasonish/evebox
0.8.0
0.8.0 - 2017-06-30
Added
- The agent, and the server when reading logs, can now add the rule to the event by providing the location of the rule files in the configuration.
- Add option to esimport to add the rule to the event.
- If an event has a "rule" object it will now be displayed in the event details.
- Initial support for PostgreSQL. Like SQLite, this does not yet support reporting.
- Event history recording. A timestamp and username will be recorded when an alert is archived, escalated or de-escalated.
- Support for commenting on events (Elastic Search only) (#36).
- Specific support for displaying the HTTP response body if available in Eve entries. Requires Suricata 4.0.0-rc1 or newer (#40).
Fixed
- Fix an issue where alerts may not be archived if their @timestamp and timestamp fields were out of sync (#48).
- A usability issue where the alert view would be reset to 100 items after archiving an event, if previously set to "all" (#49).
- Elastic Search mapping errors on flow and netflow reports (#39).
0.7.0 - Authentication and TLS
0.7.0 - 2017-04-22
Added
- Optional authentication. Authentication can now be enabled with simple usernames and passwords. GitHub can also be used for authentication using OAuth2; however, the user must first be created in EveBox.
- New command, evebox config users, to create users.
- Create and use a "configdb". This is a database separate from the event databases for storing data such as users. It will contain more configuration data in the future.
- TLS support. The server can be provided with a certificate and key to enable TLS. The "gencert" subcommand has been added to help generate self-signed certificates. Or, if the server is publicly accessible, Let's Encrypt can be used.
Breaking Changes
- RPM and Debian package installs started with systemd now run as the user evebox. This really only matters if using an SQLite database, and the database file will need to have its permissions updated so the evebox user will have read and write access to it.
- All binary builds are now linked with SQLite as SQLite is used for the configuration database. This really only matters when trying to cross compile EveBox, which may or may not work going forward.
0.6.1
- Upgrade to Angular 4 and Angular CLI 1.0 and use its AOT compilation feature, reducing the JavaScript size even further. Combined with response compression, initial data loaded by the browser is about 7-8x less.
- Compress HTTP responses, speeding up initial load times.
- New "oneshot" mode: a mode where EveBox directly reads an eve.log file into an SQLite database for one-time viewing, then cleans up after itself.
- The EveBox server can now process an eve file without an agent (basically an embedded agent), storing the events in Elastic Search or SQLite.
- When using Elastic Search 5.2+, use the update_by_query API to archive and escalate events. This should speed up archiving.
- Fix Elastic Search keyword handling when Filebeat is used to send eve logs directly to Elastic Search.
- Reports:
  - In addition to the event views, there are now some report views.
- EveBox Agent:
  - The EveBox agent is a replacement for Filebeat and/or Logstash. It can read Suricata eve log files, sending them to the EveBox server, which will then store them in the configured data store (Elastic Search or SQLite).
- SQLite Support:
  - SQLite can now be used as a backend. This is suitable for smaller installations where event load is light.
  - Reports are currently not supported with SQLite.
- If the agent is being used to submit events and the datastore is Elastic Search, create a template if one doesn't already exist for the configured index. For Elastic Search 2.x the Logstash 2 template is used; for Elastic Search 5.x the Logstash 5 template is used.
- A start on some documentation: http://evebox.readthedocs.io/en/latest/index.html
Download at https://evebox.org/.
EveBox 0.5.0
EveBox 0.5.0 now provides its own backend. This is to help make deployment easier, as well as work better with the CORS configuration in a default install of Elastic Search.
Just tagging a release prior to flipping development to master.
This is just a tag of the current work done on master since 0.3.0 as I'm about to flip in a bit of a rethinking into the master branch.
For this release, just download one of the source code packages below and serve up the "app" directory.
EveBox v0.3.0
Depends on Elastic Search 1.3.0+.
- Use Groovy for Elastic Search scripting. Works with the default configuration now (no need to enable dynamic scripting).
- Use the new top hits aggregation in ES 1.3 to limit the number of trips to the ES to build an aggregate view.
- Display packet and payload data now available in Suricata eve logs (Only in Suricata git builds as of now).
EveBox 0.2.0
- Aggregations.
- First step at viewing non alert events.
EveBox 0.1.0 - Initial Release
Initial commit of EveBox.