Added support for remote syslog logging (#2312)

* remote syslog output plugin * added tcp or udp support --------- Co-authored-by: mj <mj@kali>
2024-09-12 11:54:28 +02:00 · 2024-09-12 11:54:28 +02:00 · 25f4ffd58b
parent 0ba0ae397c
commit 25f4ffd58b
2 changed files with 51 additions and 0 deletions
--- a/etc/cowrie.cfg.dist
+++ b/etc/cowrie.cfg.dist
@ -1085,3 +1085,11 @@ authtype = instance_principals
 #tenancy_ocid = ocid1.tenancy.oc1..xxx
 #region = eu-stockholm-1
 #keyfile = /home/xx/key.pem
+
+[output_remotesyslog]
+enabled = false
+host = 127.0.0.1
+port = 514
+# protocol options: udp or tcp
+# (default: udp)
+protocol = udp
--- a/src/cowrie/output/remotesyslog.py
+++ b/src/cowrie/output/remotesyslog.py
@ -0,0 +1,43 @@
+"""
+Simple remote syslog plugin.
+"""
+
+import cowrie.core.output
+
+import logging
+import logging.handlers
+import socket
+from cowrie.core.config import CowrieConfig
+
+
+class Output(cowrie.core.output.Output):
+
+    def start(self):
+        self.host = CowrieConfig.get(
+            "output_remotesyslog", "host", fallback="127.0.0.1"
+        )
+
+        self.port = int(CowrieConfig.get("output_remotesyslog", "port", fallback="514"))
+
+        protocol = CowrieConfig.get("output_remotesyslog", "protocol", fallback="udp").lower()
+
+        self.logger = logging.getLogger("cowrieLogger")
+
+        self.handler = logging.handlers.SysLogHandler(address = (self.host, self.port), socktype= None if protocol == 'udp' else socket.SOCK_STREAM)
+
+        self.logger.addHandler(
+           self.handler
+        )
+
+    def stop(self):
+        self.handler.flush()
+        self.logger.removeHandler(self.handler)
+        self.handler.close()
+
+    def write(self, event):
+        for i in list(event.keys()):
+            # Remove twisted 15 legacy keys
+            if i.startswith("log_") or i == "time" or i == "system":
+                del event[i]
+
+        self.logger.warning(repr(event)+'\n')