cowrie/utils/elk/README.md

# How to process Cowrie output in an ELK stack

(Note: work in progress, instructions are not verified)


## Prerequisites

* Working Cowrie installation
* Cowrie JSON log file (enable database json in cowrie.cfg)

## Installation

* Install logstash, elasticsearch and kibana

```
apt-get install logstash
apt-get install elasticsearch
````

* Install Kibana

This may be different depending on your operating system. Kibana will need additional components such as a web server


## ElasticSearch Configuration

TBD

## Logstash Configuration

* Download GeoIP data

```
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
```

* Place these somewhere in your filesystem.

* Configure logstash

```
cp logstash-cowrie.conf /etc/logstash/conf.d
```

* Make sure the configuration file is correct. Check the input section (path), filter (geoip databases) and output (elasticsearch hostname)

```
service logstash restart
```

* By default the logstash is creating debug logs in /tmp.

* To test whether logstash is working correctly, check the file in /tmp

```
tail /tmp/cowrie-logstash.log
```

* To test whether data is loaded into ElasticSearch, run the following query:

```
http://<hostname>:9200/_search?q=cowrie&size=5
```

* If this gives output, your data is correctly loaded into ElasticSearch
cowrie rename 2015-05-12 14:57:29 +00:00			`# How to process Cowrie output in an ELK stack`
move ELK files to separate dir and add HOWTO 2015-02-03 18:10:29 +00:00
			`(Note: work in progress, instructions are not verified)`

more 2015-02-04 09:13:29 +00:00
			`## Prerequisites`

cowrie rename 2015-05-12 14:57:29 +00:00			`* Working Cowrie installation`
			`* Cowrie JSON log file (enable database json in cowrie.cfg)`
more 2015-02-04 09:13:29 +00:00
			`## Installation`

move ELK files to separate dir and add HOWTO 2015-02-03 18:10:29 +00:00			`* Install logstash, elasticsearch and kibana`

rename to standard directory index in github 2015-02-03 20:29:57 +00:00			```
			`apt-get install logstash`
			`apt-get install elasticsearch`
			````
move ELK files to separate dir and add HOWTO 2015-02-03 18:10:29 +00:00
more 2015-02-04 09:13:29 +00:00			`* Install Kibana`

			`This may be different depending on your operating system. Kibana will need additional components such as a web server`


			`## ElasticSearch Configuration`

			`TBD`

			`## Logstash Configuration`

move ELK files to separate dir and add HOWTO 2015-02-03 18:10:29 +00:00			`* Download GeoIP data`

rename to standard directory index in github 2015-02-03 20:29:57 +00:00			```
			`wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz`
			`wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz`
			```
move ELK files to separate dir and add HOWTO 2015-02-03 18:10:29 +00:00
			`* Place these somewhere in your filesystem.`

			`* Configure logstash`

rename to standard directory index in github 2015-02-03 20:29:57 +00:00			```
cowrie rename 2015-05-12 14:57:29 +00:00			`cp logstash-cowrie.conf /etc/logstash/conf.d`
more 2015-02-04 09:13:29 +00:00			```

			`* Make sure the configuration file is correct. Check the input section (path), filter (geoip databases) and output (elasticsearch hostname)`

			```
rename to standard directory index in github 2015-02-03 20:29:57 +00:00			`service logstash restart`
			```
move ELK files to separate dir and add HOWTO 2015-02-03 18:10:29 +00:00
updated 2015-02-03 19:54:02 +00:00			`* By default the logstash is creating debug logs in /tmp.`

			`* To test whether logstash is working correctly, check the file in /tmp`

rename to standard directory index in github 2015-02-03 20:29:57 +00:00			```
cowrie rename 2015-05-12 14:57:29 +00:00			`tail /tmp/cowrie-logstash.log`
rename to standard directory index in github 2015-02-03 20:29:57 +00:00			```
updated 2015-02-03 19:54:02 +00:00
			`* To test whether data is loaded into ElasticSearch, run the following query:`

rename to standard directory index in github 2015-02-03 20:29:57 +00:00			```
cowrie rename 2015-05-12 14:57:29 +00:00			`http://<hostname>:9200/_search?q=cowrie&size=5`
rename to standard directory index in github 2015-02-03 20:29:57 +00:00			```
updated 2015-02-03 19:54:02 +00:00
more 2015-02-04 09:13:29 +00:00			`* If this gives output, your data is correctly loaded into ElasticSearch`