Empty Evebox and IPS statistic in spite of lots of log entries

Support
1

NethServer Version: 7.9.2009
Module: IPS

I have lots of entries in the IPS logs:

grafik
grafik893×317 102 KB

But IPS statistic is empty:

grafik
grafik912×505 31.4 KB

Also Evebox is empty:

grafik
grafik1099×200 8.44 KB

What could be the cause?

2

Please, check if there are any error inside Evebox log: journalctl -u evebox.
Evebox reads the /var/log/suricata/eve.json. Make sure the file exists and contains the data.

You can even try to cleanup Evebox db as last try:

systemctl stop evebox
rm -f /var/lib/evebox/*
systemctl start evebox
1 Like
3

journalctl -u evebox gave lots of errors like:

Jan 11 05:39:26 xxxx 1792]: 2022-01-11 05:39:26 (purger.go:87) <Error> -- unable to open database file

Cleanup evebox db with the your commands solved the problem. Thanks.

1 Like
4

Now it is not working again. Errors are:

Jan 11 05:40:54 myhost.mydomain.de evebox[11135]: 2022-01-11 05:40:54 (evefileprocessor.go:146) <Error> -- Malformed event error: Failed to parse event: invalid character 't' after object key: {"timestamp":
Jan 11 05:40:54 myhost.mydomain.de evebox[11135]: 2022-01-11 05:40:54 (evefileprocessor.go:146) <Error> -- Malformed event error: Failed to parse event: invalid character 't' after object key: {"timestamp":
Jan 11 05:40:54 myhost.mydomain.de evebox[11135]: 2022-01-11 05:40:54 (evefileprocessor.go:146) <Error> -- Malformed event error: Failed to parse event: invalid character 't' after object key: {"timestamp":
Jan 11 05:40:54 myhost.mydomain.de evebox[11135]: 2022-01-11 05:40:54 (anonymous.go:64) <Info> -- Logging in anonymous user {anonymous} from 127.0.0.1:49258
Jan 11 05:41:00 myhost.mydomain.de evebox[11135]: 2022-01-11 05:41:00 (anonymous.go:64) <Info> -- Logging in anonymous user {anonymous} from 10.1.254.4
Jan 11 06:41:45 myhost.mydomain.de evebox[11135]: 2022-01-11 06:41:45 (sessionstore.go:64) <Info> -- Expiring session -- addr=127.0.0.1:49258 username=anonymous
Jan 11 07:43:03 myhost.mydomain.de evebox[11135]: 2022-01-11 07:43:03 (evefileprocessor.go:192) <Error> -- No EOF seen in 60 seconds of log processing. May be overloaded
Jan 11 08:51:15 myhost.mydomain.de evebox[11135]: 2022-01-11 08:51:15 (evefileprocessor.go:192) <Error> -- No EOF seen in 60 seconds of log processing. May be overloaded
Jan 11 10:34:02 myhost.mydomain.de evebox[11135]: 2022-01-11 10:34:02 (evefileprocessor.go:192) <Error> -- No EOF seen in 60 seconds of log processing. May be overloaded