Dec 20, 2018
Tag 0.10.1

@jasonish jasonish released this Dec 19, 2018 · 21 commits to master since this release

0.10.0 - 2018-12-19

  • Update to Angular 7.
  • Migrate to Go 1.11 module support. This requires Go 1.11, but no
    longer requires building in the GOPATH.
  • Event rendering fixes.
  • Allow Elastic Search index prefix and template name to be
    different. #83

@jasonish jasonish released this May 29, 2018 · 57 commits to master since this release

0.9.1 - 2018-05-29

  • Better Elastic Search version support, including Elastic Search 6.
  • Fix rule highlight (including making reference URLs links).
  • Various event view cleanups.
  • [Agent] The agent will now add the rule to the alert object, the same location
    as Suricata.
  • [Elastic Search] If no keyword field is found, fall back to "raw" for those
    remaining Elastic Search 2 templates still out there.

@jasonish jasonish released this Feb 7, 2018 · 106 commits to master since this release

Fixed

  • The inbox would not remember the sort order after archiving or
    escalating an event. Indicators of sort order were added, and the sort
    order is now retained after a refresh or page reload. #61
  • [Elastic Search] Fix the per-IP report when the src_ip and dest_ip
    fields have been mapped to the IP datatype (#56)
  • When parsing rules, if a parse error was encountered the remaining
    rules would not be parsed. Instead, log the error and continue parsing.
  • Various fixes to oneshot where it would stop reading the input file.
  • Fix the eve reader getting stuck on malformed records (#69)
  • Various fixes to the SSH report.

Changes

  • Upgrade the Bootstrap CSS framework to version 4.
  • Include Logstash 6 template for use with Elastic Search 6.
  • Convert the SSH histogram graph to bars instead of lines, in
    consideration of doing this for all histogram graphs.

Removed

  • Support for Elastic Search versions less than 5.

@jasonish jasonish released this Dec 10, 2017 · 205 commits to master since this release

0.8.1 - 2017-12-10

Added

  • Commenting support for PostgreSQL.
    • With "has:comment" query string support.
    • And "comment:SOME_STRING" for searching comments.
  • In oneshot mode, continue reading the last file to pick up new events
    (#54).
  • Add "Newer" and "Oldest" buttons to the "Events" view.

Fixed

  • Fix an issue with updating the "active" row after archiving events.
  • Strip trailing slashes in the Elastic Search URL
    (#55).

Changes

  • In requests to the backend, rename maxTs, minTs, eventType to
    max_ts, min_ts and event_type.

Other Notes

The MacOS builds on Travis-CI started failing and I have no reasonable way to debug. So MacOS binary packages are no longer being built.

@jasonish jasonish released this Jun 30, 2017 · 236 commits to master since this release

0.8.0 - 2017-06-30

Added

  • The agent, and the server when reading logs, can now add the rule to
    the event by providing the location of the rule files in the
    configuration.
  • Add an option to esimport to add the rule to the event.
  • If an event has a "rule" object it will now be displayed in the
    event details.
  • Initial support for PostgreSQL. Like SQLite this does not yet
    support reporting.
  • Event history recording. A timestamp and username will be recorded
    when an alert is archived, escalated or de-escalated.
  • Support for commenting on events (Elastic Search only)
    (#36).
  • Specific support for displaying the HTTP response body if available
    in Eve entries. Requires Suricata 4.0.0-rc1 or newer
    (#40)

Fixed

  • Fix an issue where alerts may not be archived if their @timestamp
    and timestamp fields were out of sync (#48).
  • A usability issue where the alert view would be reset to 100 items
    after archiving an event, if previously set to "all" (#49).
  • Elastic Search mapping errors on flow and netflow reports (#39).

@jasonish jasonish released this Apr 23, 2017 · 288 commits to master since this release

0.7.0 - 2017-04-22

Added

  • Optional authentication. Authentication can now be enabled with
    simple usernames and passwords. GitHub can also be used for
    authentication using OAuth2; however, the user must first be created
    in EveBox.
  • New command, evebox config users, to create users.
  • Create and use a "configdb". This is a database separate from event
    databases for storing data such as users. Will contain more
    configuration data in the future.
  • TLS support. The server can be provided with a certificate and key
    to enable TLS. The "gencert" subcommand has been added to help
    generate self-signed certificates. Or, if the server is publicly
    accessible, Let's Encrypt can be used.

Breaking Changes

  • RPM and Debian package installs started with systemd now run as the
    user evebox. This really only matters if using an SQLite database,
    and the database file will need to have its permissions updated so
    the evebox user will have read and write access to it.
  • All binary builds are now linked with SQLite, as SQLite is used for
    the configuration database. This really only matters when trying to
    cross-compile EveBox, which may or may not work going forward.

@jasonish jasonish released this Apr 3, 2017 · 335 commits to master since this release

  • Upgrade to Angular 4 and Angular CLI 1.0 and use its AOT compilation
    feature, reducing the JavaScript size even further. Combined with
    response compression, the initial data loaded by the browser is about
    7-8x less.
  • Compress HTTP responses, speeding up initial load times.
  • New "oneshot" mode - a mode where EveBox directly reads an
    eve.log file into an SQLite database for one-time viewing, then
    cleans up after itself.
  • The EveBox server can now process an eve file without an agent
    (basically an embedded agent), storing the events in Elastic Search
    or SQLite.
  • When using Elastic Search 5.2+, use the update_by_query API to
    archive and escalate events. This should speed up archiving.
  • Fix Elastic Search keyword handling when Filebeat is used to send
    eve logs directly to Elastic Search.
  • Reports:
    • In addition to the event views, there are now some report views.
  • EveBox Agent:
    • The EveBox agent is a replacement for Filebeat and/or Logstash. It
      can read Suricata eve log files sending them to the EveBox server
      which will then store them to the configured data store (Elastic
      Search or SQLite).
  • SQLite Support:
    • SQLite can now be used as a backend. This is suitable for smaller
      installations where event load is light.
    • Reports are currently not supported with SQLite.
  • If the agent is being used to submit events and the datastore is
    Elastic Search, create a template if one doesn't already exist for
    the configured index. For Elastic Search 2.x the Logstash 2 template
    is used; for Elastic Search 5.x the Logstash 5 template is used.
  • A start on some documentation:
    http://evebox.readthedocs.io/en/latest/index.html

Download at https://evebox.org/.

@jasonish jasonish released this Jun 17, 2016 · 815 commits to master since this release

EveBox 0.5.0 now provides its own backend. This is to help make deployment easier, as well as work better with the CORS configuration in a default install of Elastic Search.

This is just a tag of the current work done on master since 0.3.0 as I'm about to flip in a bit of a rethinking into the master branch.

For this release, just download one of the source code packages below and serve up the "app" directory.