This commit is contained in:
Michel Oosterhof 2015-02-04 09:13:29 +00:00
parent ef4e77a90c
commit a8ec25655f
1 changed files with 27 additions and 3 deletions

@ -1,16 +1,33 @@
How to process Kippo output in an ELK stack # How to process Kippo output in an ELK stack
===========================================
(Note: work in progress, instructions are not verified) (Note: work in progress, instructions are not verified)
## Prerequisites
* Working Kippo installation
* Kippo JSON log file (enable database json in kippo.cfg)
## Installation
* Install logstash, elasticsearch and kibana * Install logstash, elasticsearch and kibana
``` ```
apt-get install logstash apt-get install logstash
apt-get install elasticsearch apt-get install elasticsearch
apt-get install kibana
```` ````
* Install Kibana
This may be different depending on your operating system. Kibana will need additional components such as a web server
## ElasticSearch Configuration
TBD
## Logstash Configuration
* Download GeoIP data * Download GeoIP data
``` ```
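Review bot: the closing fence after `apt-get install kibana` is four backticks (````) while the opening fence is three, so the block will not close correctly when rendered; make both three backticks. Installing Kibana is also listed twice in this hunk, once inside the apt-get block and again as the separate "* Install Kibana" bullet with the note about needing a web server; keep one of the two (the bullet with the OS caveat is the more accurate, since Kibana 3 was a static web app served by a web server) and drop the other. The sentence "Kibana will need additional components such as a web server" is also missing its full stop.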
@ -24,6 +41,11 @@ wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
``` ```
cp logstash-kippo.conf /etc/logstash/conf.d cp logstash-kippo.conf /etc/logstash/conf.d
```
* Make sure the configuration file is correct. Check the input section (path), filter (geoip databases) and output (elasticsearch hostname)
```
service logstash restart service logstash restart
``` ```
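Review bot: the "Make sure the configuration file is correct" bullet is the step most likely to go wrong and gives the reader nothing to verify against; it would help to state the concrete defaults the shipped `logstash-kippo.conf` expects (the JSON log path set by the `database json` option in kippo.cfg from the Prerequisites section, the GeoIP database paths produced by the wget step above, and the Elasticsearch host), and to suggest validating the configuration before `service logstash restart` so a syntax error does not leave the service silently down.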
@ -41,3 +63,5 @@ tail /tmp/kippo-logstash.log
http://<hostname>:9200/_search?q=kippo&size=5 http://<hostname>:9200/_search?q=kippo&size=5
``` ```
* If this gives output, your data is correctly loaded into ElasticSearch
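Review bot: the verification step queries `http://<hostname>:9200/_search?q=kippo&size=5` directly, which means the Elasticsearch HTTP API must be reachable from wherever the reader runs it; since this API has no authentication of its own, the README should say the check is meant to be run on the host itself (or over a tunnel) and that port 9200 should not be exposed beyond localhost or a firewalled management network. A short note on what "gives output" looks like (a non-zero `hits.total` in the JSON response rather than just an HTTP 200) would also make the success condition unambiguous.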