Wednesday, November 23, 2016

HOWTO : EveBox on Almond Croissants and Danish

EveBox is a web-based viewer for the Suricata "eve" JSON events that are stored in ElasticSearch. ElasticSearch is installed on Almond Croissants and Danish by default, but EveBox is not; you need to install it yourself.

Almond Croissants is an Intrusion Detection and Prevention System while Danish is an Intrusion Detection System. Both are built on Suricata by Samiux and released under GPL version 3.

Generally speaking, EveBox is intended for advanced Almond Croissants or Danish users.

Step 1a :

wget https://github.com/jasonish/evebox/releases/download/0.5.0/evebox-0.5.0-linux-amd64.zip
unzip evebox-0.5.0-linux-amd64.zip
sudo cp evebox-0.5.0-linux-amd64/evebox /usr/bin/


OR

Step 1b :

wget "https://bintray.com/jasonish/evebox-development/download_file?file_path=evebox-latest-linux-amd64.zip" -O evebox-latest-linux-amd64.zip
unzip evebox-latest-linux-amd64.zip
sudo cp evebox-0.6.0dev-linux-amd64/evebox /usr/bin/

Step 1b fetches the current development build, so the directory name inside the zip changes with the version. Check it with "unzip -l evebox-latest-linux-amd64.zip" before the cp if the path above does not match.


Step 2 :

sudo nano /lib/systemd/system/evebox.service

[Unit]
Description=EveBox Web Interface
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/evebox -e http://localhost:9200
Restart=always

[Install]
WantedBy=multi-user.target


Step 3 :

sudo systemctl enable evebox.service
sudo systemctl start evebox.service
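The unit in Step 2 runs EveBox as root, and the interface as set up here has no login of its own, so anyone who can reach TCP port 5636 can read every Suricata event. The following is an added example, not part of the original post or of the EveBox project: a shell function that writes a hardened unit file (EveBox dropped to a dedicated unprivileged account, basic systemd sandboxing that exists in systemd 229 and later) and a second function that audits a unit for those settings before you enable it. It assumes you have created the account with "sudo useradd -r -s /usr/sbin/nologin evebox", that the EveBox binary needs no writable directory at this version, and that the unit path and ElasticSearch URL are those of Step 2.

```shell
#!/bin/sh
# Added example (not from the original post or from EveBox): generate and
# audit a hardened EveBox systemd unit.
set -eu

# write_evebox_unit PATH [ES_URL]
# Writes a unit that runs EveBox as the unprivileged "evebox" account
# (assumed to exist: sudo useradd -r -s /usr/sbin/nologin evebox) with
# systemd sandboxing directives available since systemd 229.
write_evebox_unit() {
    unit="$1"
    es_url="${2:-http://localhost:9200}"
    cat > "$unit" <<EOF
[Unit]
Description=EveBox Web Interface
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# Drop root: EveBox only needs to talk HTTP to ElasticSearch and listen on 5636.
User=evebox
Group=evebox
ExecStart=/usr/bin/evebox -e $es_url
Restart=always
RestartSec=5
# No setuid escalation, private /tmp, read-only /usr and /etc, no /home access.
# (Assumption: this EveBox version writes no data files; if a later version
# needs a data directory, add a writable path via ReadWritePaths= instead.)
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target
EOF
}

# check_evebox_unit PATH
# Returns 0 if the unit drops root and enables the sandboxing above,
# 1 if any of the expected directives is missing. Run it on any unit you
# are about to "systemctl enable", including the one from Step 2.
check_evebox_unit() {
    unit="$1"
    for directive in 'User=' 'NoNewPrivileges=true' 'ProtectSystem=' 'ProtectHome=true'; do
        grep -q "^$directive" "$unit" || return 1
    done
    return 0
}

# Typical use on the sensor (needs root for the path under /lib/systemd):
#   sudo useradd -r -s /usr/sbin/nologin evebox
#   write_evebox_unit /tmp/evebox.service && check_evebox_unit /tmp/evebox.service \
#     && sudo cp /tmp/evebox.service /lib/systemd/system/evebox.service \
#     && sudo systemctl daemon-reload && sudo systemctl restart evebox.service
```

Because the web interface itself does not ask for a password, also restrict port 5636 to the analyst network at the firewall, for example with ufw on an Ubuntu-based sensor: sudo ufw allow from 192.0.2.0/24 to any port 5636 proto tcp (192.0.2.0/24 is a placeholder for your own management subnet). ElasticSearch on port 9200 should likewise stay reachable only from localhost.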


To access it, point your browser at :

http://[Almond Croissants or Danish IP address]:5636

Update or Upgrade

sudo systemctl stop evebox.service

Repeat Step 1a or 1b.

sudo systemctl start evebox.service

That's all! See you.