mirror of https://github.com/cowrie/cowrie.git
c684333813
* share_path -> data_path This is a breaking change that moves static files to the src directory in preparation of distribution on pypi * release 2.6.0 |
||
---|---|---|
.. | ||
README.rst |
README.rst
How to send Cowrie output to Graylog #################################### This guide describes how to configure send cowrie outputs to graylog via syslog and http gelf input. Prerequisites ************* * Working Cowrie installation * Working Graylog installation Cowrie Configuration ******************** Using Syslog ============ Open the Cowrie configuration file and enable localsyslog output:: [output_localsyslog] enabled = true facility = USER format = text Restart Cowrie Using GELF HTTP Input ===================== Open the Cowrie configuration file and find this block :: [output_graylog] enabled = false url = http://127.0.0.1:12201/gelf Enable this block and specify url of your input. Restart Cowrie Graylog Configuration ********************* Syslog Input ============ Open the Graylog web interface and click on the **System** drop-down in the top menu. From the drop-down menu select **Inputs**. Select **Syslog UDP** from the drop-down menu and click the **Launch new input** button. In the modal dialog enter the following information:: **Title:** Cowrie **Port:** 8514 **Bind address:** 127.0.0.1 Then click **Launch.** GELF HTTP Input =============== Open the Graylog web interface and click on the **System** drop-down in the top menu. From the drop-down menu select **Inputs**. Select **GELF HTTP** from the drop-down menu and click the **Launch new input** button. In the modal dialog enter the information about your input. Then click **Launch.** Note: - Do not remove **/gelf** from the end of URL block, expect of case when your proxing this address behind nginx; Parsing Cowrie JSON =================== Extractor --------- Click **Manage Extractors** near created input. On new page click **Actions** -> **Import extractors** and paste this config :: { "extractors": [ { "title": "Cowrie Json Parser", "extractor_type": "json", "converters": [], "order": 0, "cursor_strategy": "copy", "source_field": "message", "target_field": "", "extractor_config": { "list_separator": ", ", "kv_separator": "*", "key_prefix": "", "key_separator": "_", "replace_key_whitespace": false, "key_whitespace_replacement": "_" }, "condition_type": "none", "condition_value": "" } ], "version": "4.2.1" } Pipeline -------- When running Graylog with the Forwarder input, traditional extractors are not available. Instead, you can use a pipeline rule to parse the JSON data. Create a Stream and add the Cowrie logs to it. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ **Streams** -> **Create Stream** -> **Title:** Cowrie -> **Description:** Cowrie logs -> **Create Stream** Create a Stream Rule for the Cowrie Stream. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ **Streams** -> **Cowrie** -> **Manage Rules** -> **Add Stream Rule** -> **Type:** `match input` **Input:** `Cowrie (GELF HTTP)` -> **Save** Create a Pipeline Rule for the Cowrie Stream. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ **System** -> **Pipelines** -> **Manage rules** -> **Create Rule** -> **Use Source Code Editor** Paste the following code into the Rule source:: rule "Parse Cowrie message" when has_field("message") then // If you want to keep the original message, uncomment the following line and comment out the next line. //let json_string = regex_replace("\"message\"", to_string($message.message), "\"cowrie_message\""); let json_string = to_string($message.message); let json = parse_json(json_string); let map = to_map(json); set_fields(map); end Create a Pipeline for the Cowrie Stream. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ **System** -> **Pipelines** -> **Manage pipelines** -> **Add new pipeline** -> **Title:** `Parse Cowrie logs` -> **Description:** Cowrie logs -> **Create Pipeline** Under the **Pipeline connections** section, connect the Cowrie Stream to the Pipeline by clicking the **Edit connections** button and selecting the Cowrie Stream. Under Pipeline Stages, edit Stage 0 and add the Pipeline Rule to the Stage. Syslog Configuration (For Syslog Output only) ********************************************* Create a rsyslog configuration file in /etc/rsyslog.d:: $ sudo nano /etc/rsyslog.d/85-graylog.conf Add the following lines to the file:: $template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n" *.* @127.0.0.1:8514;GRAYLOGRFC5424 Restart rsyslog:: $ sudo service rsyslog restart