You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Jason Ish cd07b12292 webapp: make inbox link clear query parameters 5 days ago
.github/workflows github-workflow: build docker image 2 weeks ago
agent gofmt 1 year ago
appcontext gofmt 1 year ago
cmd server: bind to localhost by default instead of 2 weeks ago
core gofmt 1 year ago
data webapp: new flow graph 1 year ago
deb deb: default to /etc/evebox/evebox.yaml 2 years ago
doc esimport: use default index of logstash index of evebox 9 months ago
docker docker builder: use go 1.13 1 week ago
elasticsearch server: find-flow: fix finding flow 5 days ago
eve eve: fix unit tests 2 years ago
evereader Make per minte eve file read stats debug. 1 week ago
exiter postgres: basic support (no reporting) 2 years ago
geoip oneshot: percentage progress while loading 2 years ago
httpclient breakout the httpclient into its own package 1 year ago
log postgres: basic support (no reporting) 2 years ago
pcap more go reorg into packages 3 years ago
postgres code cleanups: consolidate duplicated code... 1 year ago
resources elasticsearch: fixes for version 7 5 months ago
rpm deb,rpm: use /var/lib/evebox by default 2 years ago
ruleparser Pull go-idsrules into tree as ruleparser. 2 months ago
rules Pull go-idsrules into tree as ruleparser. 2 months ago
server Log event query time at debug level. 1 week ago
sqlite sqlite: archive event time as debug message, not info 1 week ago
useragent useragent: parser useragent on all events 2 years ago
util gofmt 1 year ago
vagrant/freebsd FreeBSD vagrant image for testing FreeBSD builds. 1 year ago
webapp webapp: make inbox link clear query parameters 5 days ago
.dockerignore build: use gitlab-ci to build all releases 10 months ago
.gitignore cleanup docker images and 11 months ago
.gitlab-ci.yml build: fix macos build 5 months ago
.travis.yml travis-ci: use go 1.13 1 week ago webapp: fix sensor name display 5 days ago
Dockerfile docker: update go to 1.13 2 weeks ago
LICENSE.txt frontend: port to angular 2 3 years ago
Makefile misc: don't install reflex in install-deps 1 week ago readme: minor fixups 10 months ago
agent.yaml.example annotate events with the rule 2 years ago don't use sh -x 1 week ago docker: fix macos build 1 week ago
evebox.yaml.example es: dynamically determine doc type 1 year ago
go.mod misc: don't install reflex in install-deps 1 week ago
go.sum misc: don't install reflex in install-deps 1 week ago dev tool for starting/stopping postgres 3 years ago

EveBox Documentation Status Build Status

EveBox is a web based Suricata “eve” event viewer for Elastic Search.



  • A web based event viewer with an “Inbox” approach to alert management.
  • Event search.
  • An agent for sending Suricata events to the EveBox server (but you can use Filebeat/Logstash instead).
  • Embedded SQLite for self-contained installations.


  • Suricata - to generate alerts and events.

And one of…

  • An existing ELK (version 5 or greater) setup already handling Suricata events.
  • Just Elastic Search as an event store.
  • Nothing - EveBox can use an embedded SQLite database suitable for lower load installations (note: not all features supported yet).
  • A modern web browser.


Download a package and run the evebox application against your existing Elastic Search server.


./evebox -e http://localhost:9200

Then visit http://localhost:5636 with your browser.

The latest release builds can be found at

The latest development builds (from git master) can be found at

A RPM and Debian package repository are also available.


EveBox is also included in SELKS which provides Suricata and an ELK stack configured and ready to go.


If you wish to install EveBox with Docker an up to date image is hosted on Docker hub.


docker pull jasonish/evebox:latest
docker run -it -p 5636:5636 jasonish/evebox -e http://elasticsearch:9200

replacing your http://elasticsearch:9200 with that of your Elastic Search URL. You most likely do not want to use localhost here as that will be the localhost of the container, not of the host.

OR if you want to link to an already running Elastic Search container:

docker run -it -p 5636:5636 --link elasticsearch jasonish/evebox

Then visit http://localhost:5636 with your browser.

This should not require any modification to your Elastic Search configuration. Unlike previous versions of Evebox, you do not need to enable dynamic scripting and CORS.


EveBox runs as a server exposing a web interface on port 5636 by default.

With an Existing Elastic Search Server With Events

The basic mode where eve events are being sent to Elastic Search with Logstash and or Filebeat.

evebox server -e http://elasticsearch:9200

With the Embedded SQLite Database

This is useful if you don’t have Elastic Search and running EveBox on the same machine as Suricata. It uses an embedded SQLite database for events and is suitable for ligher loads. Currently SQLite does not support reporting.

evebox server --datastore sqlite --input /var/log/suricata/eve.json

More documentation can be found at

Building EveBox

EveBox consists of a JavaScript frontend, and a very minimal backend written in Go. To build Evebox the following requirements must first be satisfied:

  • Node.js v10.13.0 or newer installed.
  • Go 1.11.1 or new installed.

First checkout EveBox. As EveBox uses Go 1.11 modules, do not check it out into your GOPATH.

For example:

git clone ~/project/evebox

If this is the first build the npm and Go dependencies must be installed, this can be done with:

make install-deps
to re-run after git pulls.

Then to build the binary:


Or to build a release package:

make dist

If you don't want to bother with the required development tools, but do have
Docker installed, you can build a release with the following command:

./ release

## Run in Development Mode

./ -e http://elasticsearch:9200 ```

to run in development mode using an Elastic Search datastore at http://elasticsearch:9200.

The connect your browser to http://localhost:4200. Note this port is different than the EveBox port, as the Angular CLI/Webpack development server is used to serve up the web application with backend requests being proxied to the Go application.

In development mode changes to Go files will trigger a recompile/restart, and changes to the web app will trigger a recompile of the javascript and a browser refresh.

A Note on Authentication

While the latest development versions of EveBox support authentication, TLS support is not included. Therefore it is advised to run EveBox behind a reverse proxy that terminals TLS/SSL.

Change Log

See .