# EveBox Server configuration file.
# Path to the data directory. This directory holds data for EveBox
# such as the configuration/user/authentication database, and SQLite
# database files if the sqlite database is being used. It needs to be
# writable by the user EveBox is running as. If not set it will
# default to the current directory.
#data-directory: /var/lib/evebox
http:
  tls:
    # Serve HTTPS instead of plain HTTP.
    # env: EVEBOX_TLS_ENABLED
    enabled: false
    # PEM-encoded certificate used when TLS is enabled.
    # env: EVEBOX_TLS_CERT
    #certificate: /path/to/cert.pem
    # PEM-encoded private key matching the certificate above.
    # env: EVEBOX_TLS_KEY
    #key: /path/to/key.pem
  # Set to true when EveBox sits behind a reverse proxy so the real client
  # address (rather than the proxy's) is logged.
  # NOTE(review): presumably the client address is then taken from
  # proxy-supplied headers, so only enable this when all client traffic
  # really passes through the proxy — confirm against the server code.
  # Default: false
  # env: EVEBOX_HTTP_REVERSE_PROXY
  #reverse-proxy: true
  # Log every HTTP request. Very verbose; intended for troubleshooting.
  # Default: false
  # env: EVEBOX_HTTP_REQUEST_LOGGING
  #request-logging: true
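# Database configuration.
database:
  # Database type: elasticsearch, sqlite, postgresql.
  # (This example selects postgresql; the matching section is below.)
  type: postgresql
  elasticsearch:
    url: http://10.16.1.10:9200
    index: logstash
    # NOTE(review): presumably true skips TLS certificate verification
    # for an https Elasticsearch URL; keep false unless the cluster's
    # certificate genuinely cannot be validated — confirm in the client code.
    disable-certificate-check: false
    # The keyword to use for terms query. EveBox will do its best to
    # figure this out on its own, but if you need to override it, you
    # can do so here. The usual values are:
    # raw -> Logstash / Elastic Search < 5.
    # keyword -> Logstash / Elastic Search >= 5.
    # "" -> Filebeat / Elastic Search >= 5.
    # Note that a quoted empty string is required to force an empty string.
    #keyword: ""
    # Credentials for Elasticsearch. Keep them as quoted strings so
    # digit-only or boolean-looking values are not retyped by the parser,
    # and avoid committing real credentials with this file.
    #username: username
    #password: password
    # For loading the EveBox template (Logstash compatible) into
    # Elasticsearch. It is recommended to turn this option on if only
    # using EveBox to add events to Elasticsearch. Leave disabled if
    # already using Logstash or Filebeat on the same index.
    #
    # Default: false
    #force-template: false
  postgresql:
    # If managed, EveBox will manage its own PostgreSQL instance using
    # PostgreSQL found on the path.
    managed: true
    # If not managed, connect to an existing server with these settings.
    # PostgreSQL hostname (default: localhost; env: PGHOST)
    #host:
    # PostgreSQL port (default: 5432; env: PGPORT)
    #port:
    # Database name (default: evebox; env: PGDATABASE)
    #database:
    # Database user (default: evebox; env: PGUSER)
    #user:
    # Password (default: ""; env: PGPASSWORD). Prefer the PGPASSWORD
    # environment variable over writing the password into this file.
    #password:
  # Retention period in days. 0 or comment out to disable.
  # Currently only applies to SQLite, not Elastic Search.
  #retention-period: 3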
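authentication:
  # Whether a login is required to use EveBox. Written as a canonical
  # YAML boolean; "no" is only a boolean under YAML 1.1 and becomes the
  # string "no" under a YAML 1.2 parser.
  # Default: false
  # env: EVEBOX_AUTHENTICATION_REQUIRED
  required: false
  # Type of login required:
  # - username -- just a username...
  # - usernamepassword -- username and password
  # env: EVEBOX_AUTHENTICATION_TYPE
  type: usernamepassword
  # A little message that is displayed in the login dialog.
  #login-message: Some message here...
  # GitHub Oauth2 authentication. More of a proof of concept for Oauth
  # in EveBox. Configuration will likely move into the UI at some
  # point.
  #
  # Users must still be added with the EveBox config tool.
  github:
    enabled: false
    # GitHub Client ID
    # env: GITHUB_CLIENT_ID
    client-id: GITHUB_CLIENT_ID
    # GitHub Client Secret. Prefer supplying it through the
    # GITHUB_CLIENT_SECRET environment variable rather than storing the
    # real value in this file.
    # env: GITHUB_CLIENT_SECRET
    client-secret: GITHUB_CLIENT_SECRET
    # Callback URL. The EveBox portion of the callback URL is:
    # /auth/github/callback
    # The scheme and host must match how clients actually reach EveBox.
    callback: http://localhost:5636/auth/github/callback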
# Built-in log reader: lets the server ingest an eve log directly when it
# runs on the same machine as Suricata, so no separate agent is needed.
input:
  # Switch the reader off without deleting the rest of this section.
  enabled: false
  # Eve log file to follow.
  filename: "/var/log/suricata/eve.json"
  # Where to store the read-position bookmark. Needed when the server
  # cannot write next to the log file above (same rule as for the agent).
  #bookmark-directory: /var/lib/evebox
  # Extra top-level fields stamped onto every event. Values are limited
  # to simple scalars (string, integer).
  custom-fields:
    # Overrides the "host" field Suricata sets when its "sensor-name"
    # option is configured.
    #host: "evebox-server"
  # Rule files used to attach rule text to events.
  rules:
    - /etc/suricata/rules/*.rules
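geoip:
  disabled: false
  # Path to the MaxMind database. This must be the version 2 database
  # (http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz)
  # File must be ungzipped.
  #
  # This is temporary, EveBox will eventually support downloading and
  # updating the geo database itself.
  database: /etc/evebox/GeoLite2-City.mmdb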
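# Event services: links that will be provided on events to link to additional
# services.
event-services:
  # Custom service to link the rule in Scirius.
  - type: custom
    enabled: false
    name: Scirius
    # Only make available for alert types.
    event-types:
      - alert
    # URL template. All eve values can be used.
    # NOTE(review): only {{raw}} (below) is documented as url-encoded;
    # confirm other placeholders are encoded too before templating
    # free-text eve fields into a URL.
    url: https://10.16.1.179/rules/rule/{{alert.signature_id}}
  # Custom service to link to Dumpy for full packet capture.
  #
  # This one has no event-types meaning its available for all event types.
  - type: custom
    enabled: false
    name: Dumpy
    # The URL template, {{raw}} expands to the raw eve event as a JSON
    # string which is then url encoded.
    url: http://10.16.1.1:7000/?event={{raw}}
    # Open in new window. The default is the same window.
    target: new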