Skip to content
Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
Go TypeScript HTML Shell Makefile CSS Other
Branch: master
Clone or download

Latest commit

nicksherron and jasonish evebox.yaml.example: miss-spelled database name
postgres default database name was spelled eveobox instead of evebox

Signed-off-by: nicksherron <>
Latest commit a23bd61 Apr 3, 2020


Type Name Latest commit message Commit time
Failed to load latest commit information.
.github/workflows github-ci: better job naming Apr 17, 2020
agent gofmt Nov 13, 2018
appcontext Remove GitHub authentication - was broken. Mar 21, 2020
cmd esimport: re-enable for Elasticsearch 6 Jun 1, 2020
core Remove GitHub authentication - was broken. Mar 21, 2020
deb deb: default to /etc/evebox/evebox.yaml Apr 22, 2017
doc rules: remove adding rules to alerts Apr 20, 2020
docker Update Node and Go used for building Mar 20, 2020
elasticsearch Revert "elasticsearch: remove doc type" May 22, 2020
eve eve: fix unit tests Jun 14, 2017
evereader Make per minte eve file read stats debug. Nov 27, 2019
exiter postgres: basic support (no reporting) Jun 14, 2017
geoip oneshot: percentage progress while loading Mar 19, 2017
httpclient breakout the httpclient into its own package Feb 5, 2018
log postgres: basic support (no reporting) Jun 14, 2017
pcap more go reorg into packages Nov 2, 2016
postgres code cleanups: consolidate duplicated code... Feb 14, 2018
resources elasticsearch: fixes for version 7 Jul 4, 2019
rpm deb,rpm: use /var/lib/evebox by default Apr 17, 2017
server es: remove special handling for ip data type Mar 26, 2020
sqlite Remove GitHub authentication - was broken. Mar 21, 2020
useragent useragent: parser useragent on all events Mar 7, 2017
util gofmt Nov 13, 2018
vagrant/freebsd FreeBSD vagrant image for testing FreeBSD builds. Jan 5, 2018
webapp webapp/flow-report: fix histogram units May 13, 2020
.dockerignore build: use gitlab-ci to build all releases Jan 14, 2019
.gitignore cleanup docker images and Dec 19, 2018
.gitlab-ci.yml gitlab-ci: attempt to simplify a bit Dec 12, 2019 elasticsearch: require 7.4 or newer May 22, 2020
Dockerfile docker: update go to 1.13 Nov 22, 2019
LICENSE.txt frontend: port to angular 2 Jul 6, 2016
Makefile debian: fix file permissions Apr 16, 2020 elasticsearch: require version 7.7.0 or greater May 15, 2020
agent.yaml.example rules: remove adding rules to alerts Apr 20, 2020 Enable race detection in dev mode. Mar 20, 2020 remove bashism Apr 11, 2020
evebox.yaml.example evebox.yaml.example: miss-spelled database name Jun 2, 2020
go.mod go.mod/go.sum: go wants to update some deps Apr 17, 2020
go.sum go.mod/go.sum: go wants to update some deps Apr 17, 2020 dev tool for starting/stopping postgres Nov 22, 2016

EveBox Documentation Status Build Status

EveBox is a web based Suricata "eve" event viewer for Elastic Search.



  • A web based event viewer with an "Inbox" approach to alert management.
  • Event search.
  • An agent for sending Suricata events to the EveBox server (but you can use Filebeat/Logstash instead).
  • Embedded SQLite for self-contained installations.


  • Suricata - to generate alerts and events.

And one of...

  • An existing ElasticSearch/Logstash (version 7.7 or greater) setup already handling Suricata events (EveBox has issues with Filebeat indices at this time). For older versions of Elasticsearch continue to use EveBox 0.11.x.
  • Just Elastic Search, using EveBox or the EveBox agent to add events.
  • Nothing - EveBox can use an embedded SQLite database suitable for lower load installations (note: not all features supported yet).
  • A modern web browser.


Download a package and run the evebox application against your existing Elastic Search server.


./evebox server -e http://localhost:9200

Then visit http://localhost:5636 with your browser.

The latest release builds can be found at

The latest development builds (from git master) can be found at

A RPM and Debian package repository are also available.


EveBox is also included in SELKS which provides Suricata and an ELK stack configured and ready to go.


If you wish to install EveBox with Docker an up to date image is hosted on Docker hub.


docker pull jasonish/evebox:latest
docker run -it -p 5636:5636 jasonish/evebox:latest -e http://elasticsearch:9200

replacing your http://elasticsearch:9200 with that of your Elastic Search URL. You most likely do not want to use localhost here as that will be the localhost of the container, not of the host.

OR if you want to link to an already running Elastic Search container:

docker run -it -p 5636:5636 --link elasticsearch jasonish/evebox:latest

Then visit http://localhost:5636 with your browser.

This should not require any modification to your Elastic Search configuration. Unlike previous versions of Evebox, you do not need to enable dynamic scripting and CORS.


EveBox runs as a server exposing a web interface on port 5636 by default.

With an Existing Elastic Search Server With Events

The basic mode where eve events are being sent to Elastic Search with Logstash and or Filebeat.

evebox server -e http://elasticsearch:9200

With the Embedded SQLite Database

This is useful if you don't have Elastic Search and running EveBox on the same machine as Suricata. It uses an embedded SQLite database for events and is suitable for ligher loads. Currently SQLite does not support reporting.

evebox server --datastore sqlite --input /var/log/suricata/eve.json

More documentation can be found at

Building EveBox

EveBox consists of a JavaScript frontend, and a very minimal backend written in Go. To build Evebox the following requirements must first be satisfied:

  • Node.js v12.16.1 or newer installed.
  • Go 1.14.1 or new installed.

First checkout EveBox. As EveBox uses Go 1.11 modules, do not check it out into your GOPATH.

For example:

git clone ~/projects/evebox

If this is the first build the npm and Go dependencies must be installed, this can be done with:

make install-deps

install-deps will also upgrade any dependencies, so its a good idea to re-run after git pulls.

Then to build the binary:


Or to build a release package:

make dist

If you don't want to bother with the required development tools, but do have Docker installed, you can build a release with the following command:

./ release

Run in Development Mode

./ -e http://elasticsearch:9200

to run in development mode using an Elastic Search datastore at http://elasticsearch:9200.

The connect your browser to http://localhost:4200. Note this port is different than the EveBox port, as the Angular CLI/Webpack development server is used to serve up the web application with backend requests being proxied to the Go application.

In development mode changes to Go files will trigger a recompile/restart, and changes to the web app will trigger a recompile of the javascript and a browser refresh.

A Note on Authentication

While the latest development versions of EveBox support authentication, TLS support is not included. Therefore it is advised to run EveBox behind a reverse proxy that terminals TLS/SSL.

Change Log

See .



You can’t perform that action at this time.