Releases: jasonish/evebox

v0.21.0

27 Jul 01:37
3162d33

0.21.0 - 2025-07-27

Changed

  • API routes simplified by removing version prefix (/api/1/* to /api/*)
    • Legacy /api/1/submit endpoint retained for backward compatibility with older agents
  • Agent systemd service now uses /var/lib/evebox as default data directory
    • Prevents bookmark files from being created in root directory
    • Data directory can be overridden via environment variable
  • Container build process updated to properly handle devel branch tagging

Performance

  • Server processor read efficiency optimized by replacing sleep(0) with yield_now()
    • Improves CPU utilization and reduces unnecessary spinning

Fixed

  • Fixed Debian package installation by ensuring /var/lib/evebox directory is created
    • Resolves issues when evebox services use EVEBOX_DATA_DIRECTORY=/var/lib/evebox
    • Fixes #346

Technical Updates

  • Updated to Axum web framework latest version
  • Updated Rust MSRV to 1.82.0
  • Updated dependencies:
    • nom parser updated to version 8
    • maxminddb updated
    • Various other Cargo dependencies updated

0.20.0 - 2025-01-28

29 Jan 01:52
0.20.0
9a09e91

  • Feature to fit screen height instead of number of rows. Only
    available for alerts.
  • [fix] Pagination fixes.
  • Kibana inspired filters. This is still a work in progress.
  • [fix] Handle "null" or "empty" IP addresses.
  • [fix] [sqlite] Fix negated queries.
  • [webapp] Attempt to resolve IP addresses to hostnames using DNS
    records. This is still a work in progress.
  • [fix] [opensearch] Fixes for OpenSearch as features only available in
    Elasticsearch were being used. This increases compatibility with
    OpenSearch as it is used by ClearNDR (formerly SELKS).
  • [eve2pcap] Use SID as filename when available.
  • [webapp] Allow user to choose local time or UTC time:
    #161
  • Auto-archive events by filter:
    #52
  • [sqlite] Use server side events to stream back data such as
    aggregations, so updates in the UI can start right away.
  • [elastic] Support custom certificate authority: #222
  • Auto archive events by date. Allows users to set a number of days,
    events older will be automatically archived.

0.19.0

13 Dec 23:10
0.19.0
755f663

0.19.0 - 2024-12-13

  • [server] Don't forget session on server restart. Persists session
    tokens in the config db.
  • Reduced data between client and server for inbox/alert views.
  • Move to sqlx for database.
  • Move to chrono for time.
  • Re-add commenting, this for SQLite as well:
    #271
  • Send less data for alert views:
    #261
  • [alerts] Display sni and/or rrname in alerts view. Useful for
    alerts using sni or rrname as an IOC.
  • [webapp] Re-add logout button. Disappeared in the move to SolidJS:
    #315
  • Start on a JA4 report, a bit crude but working.
  • Support JA4db with an update tool and an API endpoint to update it.
  • Support Suricata 8 DNS v3 records.

0.18.2

09 Jun 23:07
dbf08d0

Full Changelog: 0.18.1...0.18.2

0.18.1

09 Jun 23:07
0.18.1
276f4c5

What's Changed

  • build(deps): bump follow-redirects from 1.15.5 to 1.15.6 in /webapp by @dependabot in #300

Full Changelog: 0.18.0...0.18.1

0.18.0

09 Jun 23:07
0.18.0
0dcded4

What's Changed

  • build(deps-dev): bump vite from 3.2.5 to 3.2.7 in /webapp by @dependabot in #276

Full Changelog: 0.17.0...0.18.0

0.17.2

28 May 00:33
0.17.2
8a6e497

0.17.2 - 2023-05-27

  • [elastic] Fixing negation queries using '-':
    #266
  • [server] Don't error out if authentication enabled but no users
    exist, instead just log an error:
    #267
  • [webapp] Use relative login URL:
    #268
  • [packaging] Fix quotes in systemd unit files:
    #270

0.17.1

28 May 00:33
0.17.1
abe8798

0.17.1 - 2023-03-27

  • [elastic] Fix timestamp used in archive queries:
    #263

0.17.0

28 May 00:33
0.17.0
4087922

  • Move to SolidJS for frontend development.
  • New special query string keywords:
    • @ip: match src_ip or dest_ip, and other fields known to be IP addresses
    • @earliest:TIMESTAMP
    • @latest:TIMESTAMP
  • Feature parity between SQLite and Elasticsearch. This means that
    some reports were removed, but should come back for both SQLite and
    Elasticsearch: #95
  • [sqlite] Enable event retention by default to a value of 7 days. If
    an SQLite database becomes too large, it can be hard to trim back
    down to a usable size without significant downtime.
  • Start on a new overview report.
  • Fix issue where alert report graph didn't refresh over time change:
    #247
  • Don't allow the agent to send a payload larger than the server can
    receive: #248
  • [webapp] Fix broken filter on SIDs search:
    #251
  • [packaging] Add default configuration file:
    #221
  • [webapp] Alert graph failing to refresh on time range change:
    #247
  • [agent] Add Elasticsearch as the submission endpoint for events.
  • [elastic-import] Deprecated, use the agent instead.
  • [sqlite] Database file size based event retention:
    #256
  • [server] Fix PCAP downloads when authentication fails:
    #262

0.16.0 - 2022-11-12

10 Mar 21:28
0.16.0
6126dfa

  • [server] Fix authentication:
    #227,
    #230
  • [server] Auto archive: #52
  • [webapp] Update to Bootstrap 5
  • [webapp] Update to Angular 14
  • [sqlite] Typo when opening sqlite database:
    #226
  • Many cleanups from 0.15.0