New events not showing in Evebox now

[domiflichi]

I had Evebox running great last week (I recently set up a test Suricata/Evebox machine).
However, today it's not showing new events. Last week I was monitoring the Alert-Events page from a browser on my own workstation over the network and would just hit the 'Refresh' button every once in a while to keep an eye on things and it would properly Refresh and show me things from a 'few seconds ago'. However, when I booted my workstation this morning, and opened a tab to look at Evebox, it's not showing "current" events/alerts - the newest thing that it's showing is from 3 days ago (Friday). I've tried clicking all over the place on the Evebox page, but can't get it to show any events newer than 3 days ago. I know events are coming in because I can 'tail' the 'eve.json' and the 'fast.log' file and I see stuff constantly coming in.
It must be something that I'm doing wrong, or some setting somewhere, but can't figure it out.

[jasonish]

How and where are you getting events into the database? Can you add -vvv, you should then get per second stats as to how many events are being added per second, if using standalone mode. If using Elatsicsearch you might need to use Kibana or something to confirm that events are really making it to the database.

[domiflichi]

I'm not sure how I'm getting events into the database - I'm brand new to Suricata/Evebox...is there something I can check?
I'm still starting evebox manually by running the following command:

evebox server -D /var/lib/evebox --datastore sqlite --input /var/log/suricata/eve.json --host 10
.10.10.27

I'm not using Elasticsearch/Kibana/ELK or anything like that.

I started Evebox and added the '-vvv' as you described, so the following was the actual command:

evebox server -vvv -D /var/lib/evebox --datastore sqlite --input /var/log/suricata/eve.json --host 10
.10.10.27

And this was the output after a few seconds:

2022-08-22 09:17:31  INFO evebox::version: This is EveBox version 0.15.0 (rev: deca6c6); x86_64-unknown-linux-musl
2022-08-22 09:17:31 DEBUG evebox::server::main: Certificate checks disabled: false
2022-08-22 09:17:31 DEBUG evebox::sqlite: Result of setting database to WAL mode: Ok("wal")
2022-08-22 09:17:31 DEBUG evebox::sqlite: Result of setting database to WAL mode: Ok("wal")
2022-08-22 09:17:31  INFO refinery_core::traits: current version: 3
2022-08-22 09:17:31  INFO refinery_core::traits::sync: no migrations to apply
2022-08-22 09:17:31 DEBUG evebox::sqlite: set journal mode to WAL
2022-08-22 09:17:31  INFO evebox::sqlite: Result of setting database to WAL mode: Err(QueryReturnedNoRows)
2022-08-22 09:17:31 DEBUG evebox::sqlite: Result of setting database to WAL mode: Ok("wal")
2022-08-22 09:17:31 DEBUG evebox::sqlite: Result of setting database to WAL mode: Ok("wal")
2022-08-22 09:17:31  INFO evebox::server::main: Configuration database filename: "/var/lib/evebox/config.sqlite"
2022-08-22 09:17:31 DEBUG evebox::sqlite: Result of setting database to WAL mode: Ok("wal")
2022-08-22 09:17:31  INFO refinery_core::traits: current version: 1
2022-08-22 09:17:31  INFO refinery_core::traits::sync: no migrations to apply
2022-08-22 09:17:31 DEBUG evebox::server::main: Checking "/var/lib/evebox/b264daf6271f51125d20d5a7715e8947.bookmark" for writability
2022-08-22 09:17:31 ERROR evebox::server::main: "/var/lib/evebox/b264daf6271f51125d20d5a7715e8947.bookmark" not writable: Permission denied (os error 13)
2022-08-22 09:17:31  INFO evebox::server::main: Using bookmark filename Some("/home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark") for input "/var/log/suricata/eve.json"
2022-08-22 09:17:31  INFO evebox::server::main: Starting reader for /var/log/suricata/eve.json
2022-08-22 09:17:31  INFO evebox::server::main: Starting server on 10.10.10.27:5636, tls=false
2022-08-22 09:17:31  INFO evebox::eve::processor: Valid bookmark found, jumping to record: 1913388
2022-08-22 09:17:34 DEBUG evebox::sqlite::importer: Commiting 100 events
2022-08-22 09:17:38 TRACE evebox::bookmark: Writing bookmark /home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark
2022-08-22 09:17:38 DEBUG evebox::sqlite::importer: Commiting 100 events
2022-08-22 09:17:38 TRACE evebox::bookmark: Writing bookmark /home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark
2022-08-22 09:17:38 DEBUG evebox::sqlite::importer: Commiting 100 events
2022-08-22 09:17:38 TRACE evebox::bookmark: Writing bookmark /home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark
2022-08-22 09:17:38 DEBUG evebox::sqlite::importer: Commiting 100 events
2022-08-22 09:17:41 TRACE evebox::bookmark: Writing bookmark /home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark
2022-08-22 09:17:41 DEBUG evebox::sqlite::importer: Commiting 100 events
2022-08-22 09:17:41 TRACE evebox::bookmark: Writing bookmark /home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark
2022-08-22 09:17:41 DEBUG evebox::sqlite::importer: Commiting 100 events
2022-08-22 09:17:41 TRACE evebox::bookmark: Writing bookmark /home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark
2022-08-22 09:17:41 DEBUG evebox::sqlite::importer: Commiting 100 events
2022-08-22 09:17:45 TRACE evebox::bookmark: Writing bookmark /home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark
2022-08-22 09:17:45 DEBUG evebox::sqlite::importer: Commiting 100 events
2022-08-22 09:17:45 TRACE evebox::bookmark: Writing bookmark /home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark
2022-08-22 09:17:45 DEBUG evebox::sqlite::importer: Commiting 100 events
2022-08-22 09:17:45 TRACE evebox::bookmark: Writing bookmark /home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark
2022-08-22 09:17:45 DEBUG evebox::sqlite::importer: Commiting 100 events
2022-08-22 09:17:45 TRACE evebox::bookmark: Writing bookmark /home/jamie/b264daf6271f51125d20d5a7715e8947.bookmark
2022-08-22 09:17:45 DEBUG evebox::sqlite::importer: Commiting 100 events

[jasonish]

An no events when click on the "Events" tab that shows all events? At the very least there should be a bunch of flow events, probably DNS as well.

[domiflichi]

No new events, no. I can see all kinds and types of events from '3 days ago', but nothing newer. Here's a screenshot (which I have Event Type set to 'All'):
https://postimg.cc/yJLWVkQg

[domiflichi]

OK, this is really strange, but I just got to work this morning, and I hit my browser's refresh button (which I tried many times yesterday), and now Evebox is showing current events/alerts! That is so weird!

Any idea why this would happen?

And thank you for all your help, and thank you for creating this awesome project.

[jasonish]

Almost sounds like a failure in the web ui part, tho I think I catch most of those errors and display an error message. Anyways, the "stable" release is getting a little old, lots of little fixes in the latest development branch which I plan to release soon, just needs some testing with the latest Elasticsearch.