From e4da268684d2f5ff8f543029eb611007945eecaa Mon Sep 17 00:00:00 2001 From: Will Godsall Date: Sat, 18 Feb 2017 15:28:59 +0000 Subject: [PATCH] Added Graylog Documentation (#454) --- doc/graylog/README.md | 55 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 doc/graylog/README.md diff --git a/doc/graylog/README.md b/doc/graylog/README.md new file mode 100644 index 00000000..397f2f25 --- /dev/null +++ b/doc/graylog/README.md @@ -0,0 +1,55 @@ +# How to process Cowrie output into Graylog + + +## Prerequisites + +* Working Cowrie installation +* Working Graylog installation + +## Cowrie Configuration + + +* Open the Cowrie configuration file and uncomment these 3 lines. + +``` +[output_localsyslog] +facility = USER +format = text +``` + +* Restart Cowrie + +## Graylog Configuration + +* Open the Graylog web interface and click on the **System** drop-down in the top menu. From the drop-down menu select **Inputs**. Select **Syslog UDP** from the drop-down menu and click the **Launch new input** button. In the modal dialog enter the following information. + +**Title:** Cowrie +**Port:** 8514 +**Bind address:** 127.0.0.1 + +* Then click **Launch.** + +## Syslog Configuration + +* Create a rsyslog configuration file in /etc/rsyslog.d + +``` +$ sudo nano /etc/rsyslog.d/85-graylog.conf +``` + +* Add the following lines to the file + +``` +$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n" +*.* @127.0.0.1:8514;GRAYLOGRFC5424 +``` + +* Save and quit. + +* Restart rsyslog + +``` +$ sudo service rsyslog restart +``` + +
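Review bot: the rsyslog rule `*.* @127.0.0.1:8514;GRAYLOGRFC5424` in the new doc/graylog/README.md forwards every facility and priority on the host to the Graylog input, not only Cowrie's events, so the "Cowrie" input will also receive the box's auth, cron, kernel and other syslog traffic (and any sensitive content in it). Since the Cowrie section of the same file sets `facility = USER`, narrow the selector to that facility, e.g. `user.* @127.0.0.1:8514;GRAYLOGRFC5424`, or add a property filter on the program name, and say in the text that the selector is what limits what reaches Graylog. A smaller point on the same lines: the template is named GRAYLOGRFC5424 but omits the MSGID and STRUCTURED-DATA header fields that RFC 5424 requires (`-` when absent), so the output is not strictly RFC 5424; rsyslog's built-in `RSYSLOG_SyslogProtocol23Format` template already produces a compliant header and would avoid maintaining a hand-written one. Finally, the Cowrie step says "uncomment these 3 lines" but never names the configuration file, and the Graylog step does not mention that the bind address and the rsyslog target must be changed together if Graylog runs on another host; both are worth a sentence.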