EveBox on Security Onion ( Docker) #189

Closed
nimaforoughi opened this issue Jan 6, 2022 · 11 comments

@nimaforoughi

I am running a Security Onion 2.3.91 VM and it is a secured one on Docker.
How can I integrate or add EveBox to the existing Elasticsearch?

@jasonish
Owner

jasonish commented Jan 6, 2022

I'm not familiar enough with Security Onion to really say. But essentially find the hostname where Elasticsearch answers on port 9200 and point EveBox there:

evebox server -e http://localhost:9200

If it's an HTTPS URL, you might have to add -k to ignore the self-signed certificate validation error.

If it requires a username and password you'll have to create a small configuration file:

database:
  type: elasticsearch
  url: https://localhost:9200
  username: elasticusername
  password: elasticpassword

Hopefully that gets you a start.

@nimaforoughi
Author

I made a config file as test.yaml:

database:
  type: elasticsearch
  url: https://192.168.0.80:9200
  username: ********
  password: ********

docker swarm init
docker swarm join --token SWMTKN-1-2n99yejsu5m3m76d52dohvr142d9ck0mupuloeub25fp2gnakg-24b7rrtgzgbkg9qdvrct3orfc 192.168.0.80:2377
docker config create test test.yaml
docker config ls
docker service create --name evebox --config test jasonish/evebox:latest

[root@securityonion evebox-0.14.0]# docker service create --name evebox --config test jasonish/evebox:latest
q4f0z1cq4f4iz6vi8ygaj87c1
overall progress: 0 out of 1 tasks
1/1: ready [======================================> ]
verify: Detected task failure

It is stuck here and nothing happens.

@jasonish
Owner

jasonish commented Jan 7, 2022

Can you get the evebox output? It should display why it can't connect to Elastic.

@jasonish
Owner

jasonish commented Jan 7, 2022

Also see #148. You'll likely need to use a hostname in the URL, not an IP address, if the cert is self-signed.
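
Whether the hostname-or-IP advice applies depends on which names the self-signed certificate actually carries. The following is an added example (my own code, not part of EveBox or Security Onion): it fetches the certificate from the Elasticsearch port and lists its Subject Alternative Names, so the host in the EveBox -e URL can be one the cert covers and validation can stay on instead of being disabled with -k. It assumes Python 3 with only the standard library, that the cert has a SAN extension, and the sample bytes at the bottom are constructed, not from a real cert.

```python
import ipaddress
import socket
import ssl

SAN_OID = b"\x06\x03\x55\x1d\x11"  # id-ce-subjectAltName, OID 2.5.29.17

def fetch_der_cert(host, port=9200, timeout=5.0):
    """DER cert from host:port; verification is off only to read the names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _tlv(buf, i):
    """Decode one DER tag-length-value at offset i -> (tag, value, next)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:  # long-form length: low bits give the byte count
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def san_names(der):
    """Return (dns_names, ip_addresses) from the subjectAltName extension."""
    at = der.find(SAN_OID)
    if at < 0:
        return [], []
    tag, val, i = _tlv(der, at + len(SAN_OID))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the value
        tag, val, i = _tlv(der, i)
    _, seq, _ = _tlv(val, 0)  # extnValue OCTET STRING wraps a SEQUENCE
    dns, ips, j = [], [], 0
    while j < len(seq):
        tag, v, j = _tlv(seq, j)
        if tag == 0x82:  # dNSName
            dns.append(v.decode("ascii"))
        elif tag == 0x87:  # iPAddress (4 or 16 packed bytes)
            ips.append(str(ipaddress.ip_address(v)))
    return dns, ips

def url_host_ok(host, dns, ips):
    """True if the host part of the EveBox -e URL is covered by the SAN."""
    try:
        return str(ipaddress.ip_address(host)) in ips
    except ValueError:  # not an IP literal, so match as a DNS name
        h = host.lower()
    return any(n.lower() == h or (n.startswith("*.") and "." in h
               and h.split(".", 1)[1] == n[2:].lower()) for n in dns)

# Constructed SAN extension (not a real cert): DNS:securityonion, IP:192.168.0.80
SAMPLE_SAN = (SAN_OID + b"\x04\x17\x30\x15" + b"\x82\x0dsecurityonion"
              + b"\x87\x04\xc0\xa8\x00\x50")
```

Against a live host, `san_names(fetch_der_cert("192.168.0.80"))` prints the names to put in the URL; if the IP is absent from the list, that is the mismatch the comment above describes.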

@jasonish
Owner

jasonish commented Jan 7, 2022

I did manage to connect EveBox to Elasticsearch on Security Onion, but it's still not usable. EveBox supports Suricata events added to Elasticsearch with Logstash, Filebeat, and Filebeat with the Suricata module, which uses the Elastic Common Schema (ECS); none of these match the schema that Security Onion uses.

@nimaforoughi
Author

Thank you for putting in the time. At least I know that at the moment there is no way, and I won't put much more time into it.
Hoping for support in future versions.

@nimaforoughi
Author

Anyways, can you please share the config file and the commands you used for the connection?

@jasonish
Owner

jasonish commented Jan 8, 2022

Anyways, can you please share the config file and the commands you used for the connection?

My configuration file is:

database:
  type: elasticsearch
  elasticsearch:
    username: username@domain.com
    password: password

And my Docker command was...

docker run -v $(pwd)/evebox.yaml:/etc/evebox/evebox.yaml --rm -it --net=host jasonish/evebox:master -k -e https://localhost:9200 -c /etc/evebox/evebox.yaml --ecs -i securityonion -v

On startup you should see something like:

2022-01-08 05:45:10  INFO evebox::version: This is EveBox version 0.15.0-dev (rev: 3cd98b7); x86_64-unknown-linux-musl
2022-01-08 05:45:10 DEBUG evebox::server::main: Certificate checks disabled: true
2022-01-08 05:45:11  INFO evebox::server::main: Found Elasticsearch version 7.16.2 at https://localhost:9200
2022-01-08 05:45:11 DEBUG evebox::server::main: Elasticsearch base index: securityonion
2022-01-08 05:45:11 DEBUG evebox::server::main: Elasticsearch search index pattern: securityonion-*
2022-01-08 05:45:11 DEBUG evebox::server::main: Elasticsearch ECS mode: true
2022-01-08 05:45:11  INFO evebox::server::main: Using temporary in-memory configuration database
2022-01-08 05:45:11  INFO refinery_core::traits: schema history table is empty, going to apply all migrations
2022-01-08 05:45:11  INFO refinery_core::traits::sync: applying migration: V1__Initial
2022-01-08 05:45:11  INFO evebox::server::main: Starting server on 0.0.0.0:5636, tls=false

I used my master branch as it has some fixes for ECS, but that doesn't match SO's idea of ECS at the moment.

@MANN0M1

MANN0M1 commented Jan 13, 2022

Is there a way to install EveBox on the Raspberry Pi 4, aarch64?

@jasonish
Owner

Yes, there are arm64/aarch64 binaries in the download directories. The Docker containers will also work on arm64.

@jasonish
Owner

Closing. New issue for Security Onion schema support is at #190.
