Assuming you already have an existing working Suricata, Elastic Search, Logstash and Kibana stack working, then EveBox should just work if pointed at your Elastic Search server.
Example:
evebox -v -e http://elasticsearch:9200This assumes the use of the default Logstash index logstash-{YYYY.MM.DD}. If another index name is being used it must be specified with the -i option:
evebox -v -e http://elasticsearch:9200 -i indexprefixIf you do not have an existing ELK stack, but are able to provide Elastic Search, EveBox can ship the events to Elastic Search itself.
Example usage:
evebox -v -e http://elasticsearch:9200 --input /var/log/suricata/eve.jsonNote
If you do not wish to run EveBox on the same machine as Suricata you can use the agent to ship alerts to the EveBox server.
If installing Elastic Search is not an option the embedded SQLite database can be used instead:
evebox -v -D . --datastore sqlite --input /var/log/suricata/eve.jsonNote
Note the -D parameter that tells EveBox where to store data files such as the file for the SQLite database. While using the current directory, or a temp directory is OK for testing, you may want to use something like /var/lib/evebox for long term use.