
0.11.0 - 2020-03-26

@jasonish released this 27 Mar 16:36


Download at https://evebox.org/.

Enhancements

  • Handle Filebeat overriding the "host" field with its own object by
    normalizing the sensor name before rendering. When Filebeat is used,
    the Suricata-provided sensor name is lost, so the Filebeat-provided
    host.name is used instead. #100
  • Allow esimport to read from multiple eve files. If bookmarking is
    used, --bookmark-dir must be used instead of --bookmark-filename. #98
  • Support Elasticsearch 7. #112
  • Reduce the amount of per-minute logging by moving some messages to
    debug (verbose) mode. #116
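The host normalization described in the first enhancement, as an added Go example that is not EveBox's own code: Suricata writes "host" as a plain string, while Filebeat replaces it with its own object and carries the name in host.name, so a renderer has to accept both shapes. The two sample events are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample events (not captured from a real sensor). The first
// is the shape Suricata writes; the second is the shape seen after
// Filebeat has replaced "host" with its own object.
const suricataEvent = `{"timestamp":"2020-03-26T10:00:00.000000+0000","event_type":"alert","host":"sensor-1","alert":{"signature":"EXAMPLE RULE"}}`
const filebeatEvent = `{"@timestamp":"2020-03-26T10:00:00.000Z","event_type":"alert","host":{"name":"fb-collector","os":{"family":"debian"}},"agent":{"type":"filebeat"}}`

// SensorName returns the sensor name for a decoded eve event. A string
// "host" is the Suricata sensor name; an object "host" is Filebeat's, and
// host.name is used instead. Anything else yields "" so the caller can
// render a placeholder rather than an empty or mistyped value.
func SensorName(event map[string]interface{}) string {
	switch host := event["host"].(type) {
	case string:
		return host
	case map[string]interface{}:
		if name, ok := host["name"].(string); ok && name != "" {
			return name
		}
	}
	return ""
}

// SensorNameFromJSON decodes one eve JSON record and normalizes its
// sensor name; malformed input is reported rather than silently dropped.
func SensorNameFromJSON(raw string) (string, error) {
	var event map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &event); err != nil {
		return "", fmt.Errorf("decode eve record: %w", err)
	}
	return SensorName(event), nil
}

func main() {
	for _, raw := range []string{suricataEvent, filebeatEvent} {
		name, err := SensorNameFromJSON(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("sensor=%q\n", name)
	}
}
```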

Fixes

  • Show event services on the first click through to an event, rather
    than having to refresh to see them. #109
  • Fix sensor name display when an event is clicked on in the inbox or
    alert view. #104

Breaking Changes

  • esimport now uses a default index of logstash instead of
    evebox to match common usage.
  • The evebox application now requires a command name. It will not
    fallback to the server command anymore.
  • The EveBox server will now bind to localhost by default instead of
    being open. Use the --host command line option to accept connections
    more openly. #110
  • GitHub authentication has been removed. It looks like it has been
    broken for a little while now.

Known Issues

  • Filebeat: The basic views work with Filebeat indices but searching
    does not. This is because Filebeat indexes fields as keywords, which
    complicates "free text" searching. This will probably not be fixed;
    instead, the focus will be on supporting Elasticsearch ECS (or, more
    simply, the Suricata plugin for Filebeat). #97

Deprecations

  • LetsEncrypt support: This is better done by a reverse proxy where
    LetsEncrypt support is more of a design goal.
  • Plain Filebeat indices will likely be deprecated due to issues with
    searching.
