Comprehensive report for multi json files on Embedded SQLite Database mode

[Kamalifar]

I use the evebox in Embedded SQLite Database mode in windows release version with the below command:

evebox -v -D . --datastore sqlite --input /var/log/suricata/eve.json

I have some files that I've already backed up from suricata (json file). I'd like to create a comprehensive report from all my files.

How can I do it?

[jasonish]

At this time reporting is only available with an Elastic Search backend. Its on the some day/maybe list. Probably when I work further on the PostgreSQL support, SQLite will also benefit from that.

[Kamalifar]

I added the json files one by one, manually. the evebox command line displays that committing the events when I replace the eve.json with another one.

In your opinion, does this gather all logs and integrate them or some logs may be overwritten?

[jasonish]

What was your command line for adding them one by one?

[Kamalifar]

I copied a eve.json file and ran this command first:

evebox -v -D . --datastore sqlite --input /var/log/suricata/eve.json

then I wait for committing all records then replaced another eve.json and so on.

[jasonish]

That should keep them all available then.

[Kamalifar]

That's great. Thanks a lot.

[jasonish]

Closing as a support request. Issue #95 opened for reporting with SQLite.