mirror of https://github.com/cowrie/cowrie.git
56 lines
1.1 KiB
Markdown

# How to process Cowrie output into Graylog

## Prerequisites

* Working Cowrie installation
* Working Graylog installation

## Cowrie Configuration

* Open the Cowrie configuration file and uncomment these 3 lines.

```
[output_localsyslog]
facility = USER
format = text
```

* Restart Cowrie

## Graylog Configuration

* Open the Graylog web interface and click on the **System** drop-down in the top menu. From the drop-down menu select **Inputs**. Select **Syslog UDP** from the drop-down menu and click the **Launch new input** button. In the modal dialog enter the following information.

**Title:** Cowrie

**Port:** 8514

**Bind address:** 127.0.0.1

* Then click **Launch**.

## Syslog Configuration

* Create an rsyslog configuration file in /etc/rsyslog.d

```
$ sudo nano /etc/rsyslog.d/85-graylog.conf
```

* Add the following lines to the file

```
$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
*.* @127.0.0.1:8514;GRAYLOGRFC5424
```

* Save and quit.

* Restart rsyslog

```
$ sudo service rsyslog restart
```
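To check what the GRAYLOGRFC5424 template actually hands to the Graylog input, it helps to have a small script that builds lines in exactly that layout (`<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSG`), parses them back into facility, severity and the header fields, and can fire one at 127.0.0.1:8514 over UDP. The following is an added example written for this page; it is not part of the Cowrie project or its documentation. The hostname `honeypot`, app-name `cowrie`, procid `1234` and the login message are constructed sample values, and the protocol version `1` is an assumption standing in for whatever rsyslog substitutes for `%protocol-version%`; the port and bind address come from the Graylog input configured above.

```python
"""Added example (not Cowrie project code): build, parse and send syslog lines
in the layout produced by the GRAYLOGRFC5424 rsyslog template:

    <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSG
"""
import re
import socket
from dataclasses import dataclass

# Facility and severity codes from RFC 5424 section 6.2.1; PRI = facility * 8 + severity.
# "facility = USER" in cowrie.cfg corresponds to facility code 1.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "local0": 16, "local1": 17}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# One template-formatted line: six space-separated header fields, then free text.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    app: str
    procid: str
    msg: str


def format_line(facility: str, severity: str, timestamp: str, hostname: str,
                app: str, procid: str, msg: str, version: int = 1) -> str:
    """Render an event the way the GRAYLOGRFC5424 template does.

    `version` stands in for rsyslog's %protocol-version% property; the default
    of 1 is an assumption made for this demo, rsyslog fills the real value in.
    """
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{version} {timestamp} {hostname} {app} {procid} {msg}\n"


def parse_line(line: str) -> SyslogEvent:
    """Split a template-formatted line back into its fields; reject anything else.

    A line in the legacy BSD layout (e.g. "<14>Jan  1 12:00:00 host app[pid]: ...")
    does not match, which is a quick way to notice that the template was not applied.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError(f"not in GRAYLOGRFC5424 layout: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest PRI value RFC 5424 allows
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogEvent(
        facility=pri // 8, severity=pri % 8, version=int(m["version"]),
        timestamp=m["timestamp"], hostname=m["hostname"], app=m["app"],
        procid=m["procid"], msg=m["msg"],
    )


def send_udp(line: str, host: str = "127.0.0.1", port: int = 8514) -> int:
    """Deliver one line to the Graylog Syslog UDP input; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))


# Constructed sample event: hostname, procid and the login text are made up for this demo.
SAMPLE_LINE = format_line(
    "user", "info", "2024-01-01T12:00:00+00:00", "honeypot", "cowrie", "1234",
    "login attempt [root/123456] failed",
)

if __name__ == "__main__":
    event = parse_line(SAMPLE_LINE)
    print(f"facility={event.facility} severity={event.severity} msg={event.msg!r}")
    print("sent", send_udp(SAMPLE_LINE), "bytes to 127.0.0.1:8514")
```

Run it while watching the Cowrie input in the Graylog web interface: the sample line should appear with facility `user` and level `info`, which confirms the UDP input and the rsyslog forwarding rule agree on port and format before real Cowrie events arrive.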