From fbb82502b2f962a686b562fb5e45ceabc57d8553 Mon Sep 17 00:00:00 2001
From: Michel Oosterhof <michel@oosterhof.net>
Date: Sat, 25 Aug 2018 03:25:29 +0400
Subject: [PATCH] Update docs/readme with new var paths

---
 INSTALL.md |  4 ++--
 README.md  | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/INSTALL.md b/INSTALL.md
index c852d2a7..ef0ffacb 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -184,7 +184,7 @@ Update the bin/cowrie script, change:
 ## Configure Additional Output Plugins (OPTIONAL)
 
 Cowrie automatically outputs event data to text and JSON log files
-in ~/cowrie/log.  Additional output plugins can be configured to
+in `var/log/cowrie`.  Additional output plugins can be configured to
 record the data other ways.  Supported output plugins include:
 
 * Cuckoo
@@ -194,7 +194,7 @@ record the data other ways.  Supported output plugins include:
 * Splunk
 * SQL (MySQL, SQLite3, RethinkDB)
 
-See ~/cowrie/doc/[Output Plugin]/README.md for details.
+See ~/cowrie/docs/[Output Plugin]/README.md for details.
 
 
 ## Troubleshooting
diff --git a/README.md b/README.md
index 975a6202..630f1b70 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ Some interesting features:
 * Possibility of adding fake file contents so the attacker can `cat` files such as `/etc/passwd`. Only minimal file contents are included
 * Session logs are stored in an [UML Compatible](http://user-mode-linux.sourceforge.net/)  format for easy replay with original timings with the `bin/playlog` utility.
 * Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection
-
+log
 Additional functionality over standard kippo:
 
 * SFTP and SCP support for file upload
@@ -56,15 +56,15 @@ For Python dependencies, see requirements.txt
 ## Files of interest:
 
 * `cowrie.cfg` - Cowrie's configuration file. Default values can be found in `etc/cowrie.cfg.dist`
-* `data/fs.pickle` - fake filesystem
+* `share/cowrie/fs.pickle` - fake filesystem
 * `data/userdb.txt` - credentials allowed or disallowed to access the honeypot
-* `dl/` - files transferred from the attacker to the honeypot are stored here
 * `honeyfs/` - file contents for the fake filesystem - feel free to copy a real system here or use `bin/fsctl`
 * `honeyfs/etc/issue.net` - pre-login banner
 * `honeyfs/etc/motd` - post-login banner
-* `log/cowrie.json` - transaction output in JSON format
-* `log/cowrie.log` - log/debug output
-* `log/tty/*.log` - session logs
+* `var/log/cowrie/cowrie.json` - transaction output in JSON format
+* `var/log/cowrie/cowrie.log` - log/debug output
+* `var/lib/cowrie/tty/` - session logs, replayable with the `bin/playlog` utility.
+* `var/lib/cowrie/downloads/` - files transferred from the attacker to the honeypot are stored here
 * `txtcmds/` - file contents for the fake commands
 * `bin/createfs` - used to create the fake filesystem
 * `bin/playlog` - utility to replay session logs