Releases: jasonish/evebox

0.13.0

12 Apr 18:30
0.13.0
4ca51fd

0.13.0 - 2021-03-18

Fixes

  • Flow report fixes.
  • Netflow report fixes.
  • Capitalization of app_proto values in the web UI.
  • When converting a packet to pcap, use the linktype from the packet info if
    available. If not available, use Ethernet. Fixes the case where the packet
    comes from nfqueue, where the linktype is DLT_RAW.
  • Unfocus the time range selector after a new range is selected, allowing
    keyboard shortcuts to work again without having to click somewhere in the
    page.
  • Fix issue where the input section in the configuration file was being used
    even if enabled was set to false. This only happened when using a
    configuration file with an input section. #159
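The pcap fix above carries the link type from the EVE record's packet_info through to the pcap header instead of assuming Ethernet. The following is an added illustration of that logic in Python, not EveBox's own (Rust) code; the EVE records it feeds in are constructed samples, and the field names `packet`, `packet_info.linktype` and `timestamp` are those Suricata emits in alert events.

```python
import base64
import struct
from datetime import datetime

LINKTYPE_ETHERNET = 1  # fallback only when packet_info.linktype is absent
PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond-resolution pcap
SNAPLEN = 65535


def eve_packet_to_pcap(record: dict) -> bytes:
    """Build a one-packet pcap file from an EVE record carrying a base64 packet.

    The link type is taken from packet_info.linktype (Suricata's DLT value for
    the capture source, e.g. DLT_RAW for nfqueue) and only defaults to Ethernet
    when that field is missing, so raw IP packets are not mis-decoded as frames.
    """
    pkt = base64.b64decode(record["packet"])
    linktype = record.get("packet_info", {}).get("linktype", LINKTYPE_ETHERNET)
    # EVE timestamps look like 2021-03-18T10:11:12.345678+0000
    ts = datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype)
    rec_hdr = struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(pkt), len(pkt))
    return global_hdr + rec_hdr + pkt


def pcap_linktype(data: bytes) -> int:
    """Read the link type back out of a pcap global header."""
    return struct.unpack("<IHHiIII", data[:24])[6]


def pcap_record_header(data: bytes) -> tuple:
    """Return (ts_sec, ts_usec, incl_len, orig_len) of the first packet record."""
    return struct.unpack("<IIII", data[24:40])


def pcap_first_packet(data: bytes) -> bytes:
    """Return the payload bytes of the first packet record."""
    return data[40:40 + pcap_record_header(data)[2]]


# Constructed sample records (not real Suricata output): a 28-byte raw IPv4
# packet from an nfqueue source (DLT_RAW is 12 on Linux) and the same packet
# behind a constructed Ethernet header with no packet_info at all.
RAW_IPV4 = bytes.fromhex("4500001c000100004001") + b"\x00" * 18
ETH_FRAME = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + RAW_IPV4
NFQ_RECORD = {"timestamp": "2021-03-18T10:11:12.345678+0000", "event_type": "alert",
              "packet": base64.b64encode(RAW_IPV4).decode(), "packet_info": {"linktype": 12}}
LEGACY_RECORD = {"timestamp": "2021-03-18T10:11:13.000001+0000", "event_type": "alert",
                 "packet": base64.b64encode(ETH_FRAME).decode()}

if __name__ == "__main__":
    with open("nfq.pcap", "wb") as f:
        f.write(eve_packet_to_pcap(NFQ_RECORD))
```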

Changes

  • Server: Allow wildcard in input filename to allow the usage of threaded eve
    output. For example: /var/log/suricata/eve.*.json.
  • Agent: Allow multiple input paths to be specified.
  • New keyboard shortcut, '\' to open time range selector.

Features

  • New DHCP report that attempts to give you a picture of the devices that have
    been assigned an IP(v4) address over the requested period of time.

0.12.0

12 Apr 18:29
0.12.0

0.12.0 - 2020-09-25

Changes

  • Server rewritten in Rust. Ideally this should not be noticed.
  • Stop tagging events with "archived" and "escalated", and only use
    "evebox.archived" and "evebox.escalated". This should not be noticed
    as EveBox has been using both tags for a very long time.
  • The Docker image is now based on Alpine Linux. Scratch could be
    used, but it would break compatibility with previous images.
  • Agent: The behaviour of using the log filename suffixed with ".bookmark"
    has been removed. The agent will prefer to use the configured bookmark
    directory (aka data-directory) instead, or if not set, the current
    directory where EveBox is being run from. However, if these deprecated
    bookmark filenames exist (like after an upgrade), they will continue
    to be used.
  • The command "esimport" has been renamed to "elastic-import".

Fixes

  • Fix the index_pattern when adding a template to Elasticsearch with a
    non-logstash index.
  • Fix disabling of certificate checks for connecting to an Elasticsearch
    server with a self-signed certificate. #144

Breaking Changes

  • License: AGPL
  • LetsEncrypt support has been removed.

Known Issues

  • When using a self-signed certificate, the hostname being connected
    to must match the hostname in the certificate.

0.11.1

12 Apr 18:28

0.11.1 - 2020-03-31

  • Fix file permissions in RPM and Debian
    packaging. #128

0.11.0 - 2020-03-26

27 Mar 16:36
Download at https://evebox.org/.

Enhancements

  • Handle Filebeat overriding the "host" field with its own object by
    normalizing the sensor name before rendering. If Filebeat is used,
    the Suricata provided sensor name is lost, so use the Filebeat
    provided host.name instead. #100
  • Allow esimport to read from multiple eve files. If bookmarking is
    used, --bookmark-dir must be used instead of --bookmark-filename. #98
  • Support Elastic Search 7. #112
  • Reduce the amount of per minute logs by moving some messages to debug
    (verbose) mode. #116

Fixes

  • Show event services on first click through to event, rather than having
    to refresh to see them. #109
  • Fix sensor name display when event is clicked on in inbox or alert
    view. #104

Breaking Changes

  • esimport now uses a default index of logstash instead of
    evebox to match common usage.
  • The evebox application now requires a command name. It will not
    fallback to the server command anymore.
  • The EveBox server will now bind to localhost by default instead of
    being open. Use the --host command line option to accept connections
    more openly. #110
  • GitHub authentication has been removed. Looks like it's been broken for
    a little while now.

Known Issues

  • Filebeat: The basic views work with Filebeat indices but searching
    does not. This is due to Filebeat indexing fields as keywords which
    complicates "free text" searching. This will probably not be fixed,
    but instead focus will be on supporting Elastic Search ECS (or more
    simply the Suricata plugin for Filebeat). #97

Deprecations

  • LetsEncrypt support: This is better done by a reverse proxy where
    LetsEncrypt support is more of a design goal.
  • Plain Filebeat indices will likely be deprecated due to issues with
    searching.

0.10.2

27 Mar 15:59
0.10.2

0.10.2 - 2019-01-30

Fixed

  • If EveBox is installing the Elastic Search template, re-configure
    after installation to figure out the keyword suffix instead of
    requiring EveBox to be restarted. #85
  • Update the Brace Javascript dependency. Fixes issue loading event
    view. #91
  • In agg reports use default min_doc_count of 1 instead of 0. Prevents
    values from showing in the report that have 0 hits, when the number
    of results is less than the number of results requested. Affects:
    Elastic Search. #99
  • Remove top rrdata from DNS report as it's not really valid with DNS
    v2 alerts. Best to remove it until an alternate metric can be used
    to report on DNS responses. Closes #72.
  • Fixed pager button on "Events" view. #92
  • Fix issue with drop down event type selector on events view page
    where choosing an event type was taking users back to the index.
  • Fix pcap downloads when authentication is on. This requires setting
    a cookie as this isn't an XHR/REST style request. #90
  • Fix doc on adding a user. #89

0.10.1

27 Mar 16:00
0.10.1

0.10.1 - 2018-12-20

  • Fix issue when behind a path on a reverse proxy. #84

0.10.0

19 Dec 18:36
0.10.0

0.10.0 - 2018-12-19

  • Update to Angular 7.
  • Migrate to Go 1.11 module support. This requires Go 1.11, but no
    longer requires building in the GOPATH.
  • Event rendering fixes.
  • Allow Elastic Search index prefix and template name to be
    different. #83

0.9.1

29 May 13:47
0.9.1

0.9.1 - 2018-05-29

  • Better Elastic Search version support, including Elastic Search 6.
  • Fix rule highlight (including making reference URLs links).
  • Various event view cleanups.
  • [Agent] The agent will now add the rule to the alert object, the same location
    as Suricata.
  • [Elastic Search] If no keyword found, use "raw" for those remaining Elastic
    Search 2 templates out there.

0.9.0

07 Feb 21:17
0.9.0
Fixed

  • The inbox would not remember the sort order after archiving or
    escalating an event. Indicators of sort order were added, and the sort
    order is now retained after refresh or page reload. #61
  • [Elastic Search] Per IP report when the src_ip and dest_ip fields
    have been mapped to the IP datatype. (#56)
  • When parsing rules, if a parse error was encountered the remaining
    rules would not be parsed. Instead log and continue parsing.
  • Various fixes to oneshot where it would stop reading the input file.
  • Fix eve reader getting stuck on malformed records. (#69)
  • Various fixes to the SSH report.

Changes

  • Upgrade the Bootstrap CSS framework to version 4.
  • Include Logstash 6 template for use with Elastic Search 6.
  • Convert the SSH histogram graph to bars instead of lines, in
    consideration of doing this for all histogram graphs.

Removed

  • Support for Elastic Search versions less than 5.

0.8.1

10 Dec 23:25
0.8.1

0.8.1 - 2017-12-10

Added

  • Commenting support for PostgreSQL.
    • With "has:comment" query string support.
    • And "comment:SOME_STRING" for search comments.
  • In oneshot mode, continue reading the last file to pick up new events. (#54)
  • Add "Newer" and "Oldest" buttons to the "Events" view.

Fixed

  • Fix an issue with updating the "active" row after archiving events.
  • Strip trailing slashes in the Elastic Search URL. (#55)

Changes

  • In requests to the backend, rename maxTs, minTs, eventType to
    max_ts, min_ts and event_type.

Other Notes

The MacOS builds on Travis-CI started failing and I have no reasonable way to debug. So MacOS binary packages are no longer being built.