Rooba
/
cowrie
mirror of https://github.com/cowrie/cowrie.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added Graylog Documentation (#454)

This commit is contained in:
Will Godsall 2017-02-18 15:28:59 +00:00 committed by Michel Oosterhof
parent bf17c379fd
commit e4da268684
1 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
doc/graylog/README.md Normal file
View File

@ -0,0 +1,55 @@
# How to process Cowrie output into Graylog
## Prerequisites
* Working Cowrie installation
* Working Graylog installation
## Cowrie Configuration
* Open the Cowrie configuration file and uncomment these 3 lines.
```
[output_localsyslog]
facility = USER
format = text
```
* Restart Cowrie
## Graylog Configuration
* Open the Graylog web interface and click on the **System** drop-down in the top menu. From the drop-down menu select **Inputs**. Select **Syslog UDP** from the drop-down menu and click the **Launch new input** button. In the modal dialog enter the following information.
**Title:** Cowrie
**Port:** 8514
**Bind address:** 127.0.0.1
* Then click **Launch.**
## Syslog Configuration
* Create a rsyslog configuration file in /etc/rsyslog.d
```
$ sudo nano /etc/rsyslog.d/85-graylog.conf
```
* Add the following lines to the file
```
$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
*.* @127.0.0.1:8514;GRAYLOGRFC5424
```
* Save and quit.
* Restart rsyslog
```
$ sudo service rsyslog restart
```