mirror of https://github.com/cowrie/cowrie.git
How to send Cowrie output to Graylog
####################################

This guide describes how to configure Cowrie to send its output to Graylog, either via syslog or via a GELF HTTP input.

Prerequisites
*************

* Working Cowrie installation
* Working Graylog installation

Cowrie Configuration
********************

Using Syslog
============

Open the Cowrie configuration file and uncomment these 3 lines::

    [output_localsyslog]
    facility = USER
    format = text

Restart Cowrie.

Using GELF HTTP Input
=====================

Open the Cowrie configuration file and find this block::

    [output_graylog]
    enabled = false
    url = http://127.0.0.1:12201/gelf

Set ``enabled = true`` and set ``url`` to the address of your GELF HTTP input.

Restart Cowrie.

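Before restarting Cowrie it is worth confirming that the configured ``url`` is well formed and that the GELF HTTP input actually answers. The script below is an added example and is not Cowrie's own output module: it builds a minimal GELF 1.1 message (the ``version``, ``host`` and ``short_message`` fields GELF requires, with extra fields prefixed by ``_`` as GELF demands), checks the URL against the rule later in this guide that the path must keep ``/gelf`` unless a reverse proxy adds it, and POSTs the message with the standard library. The hostname ``honeypot-1``, the field values and the ``cowrie.test`` event id are constructed for the example.

```python
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse


def build_gelf(short_message, host, extra=None):
    """Build a GELF 1.1 payload of the shape a GELF HTTP input accepts.

    GELF requires "version", "host" and "short_message"; every additional
    field name must start with an underscore, which is enforced here.
    """
    payload = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "level": 6,  # syslog "informational"
    }
    for key, value in (extra or {}).items():
        payload["_" + key.lstrip("_")] = value
    return payload


def check_gelf_url(url):
    """Return the problems found in an [output_graylog] url value (empty list if fine).

    The path check encodes the guide's rule: keep /gelf at the end of the URL
    unless a reverse proxy in front of Graylog adds it for you.
    """
    problems = []
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("URL has no host")
    if not parts.path.rstrip("/").endswith("/gelf"):
        problems.append("path does not end in /gelf")
    return problems


def send_gelf(url, payload, timeout=5):
    """POST one GELF message to a GELF HTTP input and return the HTTP status code."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: python gelf_check.py http://127.0.0.1:12201/gelf
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:12201/gelf"
    for problem in check_gelf_url(target):
        print(f"warning: {problem}")
    # Constructed test message; "_eventid" mirrors the field name Cowrie's JSON log uses.
    message = build_gelf("cowrie gelf connectivity test", "honeypot-1",
                         {"eventid": "cowrie.test", "src_ip": "198.51.100.7"})
    try:
        status = send_gelf(target, message)
        print(f"{target} answered HTTP {status}")
    except (urllib.error.URLError, OSError) as exc:
        print(f"could not reach {target}: {exc}")
        sys.exit(1)
```

A 2xx answer means the input accepted the message and it should appear in Graylog's search within a few seconds; a connection error points at the bind address or port of the input, and a 404 usually means the ``/gelf`` path was dropped.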
Graylog Configuration
*********************

Syslog Input
============

Open the Graylog web interface and click on the **System** drop-down in the top menu. From the drop-down menu select **Inputs**. Select **Syslog UDP** from the drop-down menu and click the **Launch new input** button. In the modal dialog enter the following information:

**Title:** Cowrie

**Port:** 8514

**Bind address:** 127.0.0.1

Then click **Launch**. The port and bind address must match the destination used in the rsyslog configuration at the end of this guide.

GELF HTTP Input
===============

Open the Graylog web interface and click on the **System** drop-down in the top menu. From the drop-down menu select **Inputs**. Select **GELF HTTP** from the drop-down menu and click the **Launch new input** button. In the modal dialog enter the information about your input.

Click **Manage Extractors** next to the created input. On the new page click **Actions** -> **Import extractors** and paste this config::

    {
      "extractors": [
        {
          "title": "Cowrie Json Parser",
          "extractor_type": "json",
          "converters": [],
          "order": 0,
          "cursor_strategy": "copy",
          "source_field": "message",
          "target_field": "",
          "extractor_config": {
            "list_separator": ", ",
            "kv_separator": "=",
            "key_prefix": "",
            "key_separator": "_",
            "replace_key_whitespace": false,
            "key_whitespace_replacement": "_"
          },
          "condition_type": "none",
          "condition_value": ""
        }
      ],
      "version": "4.2.1"
    }

Then click **Launch**.

Note:

- Do not remove **/gelf** from the end of the URL, except when you are proxying this address behind nginx.

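The extractor above turns the JSON document Cowrie places in the ``message`` field into separate, searchable Graylog fields (``eventid``, ``src_ip``, ``session`` and so on), which is what makes queries such as "failed logins per source IP" possible. The following is an added example, not Graylog's extractor implementation or Cowrie code: it applies the same settings to a few constructed Cowrie-style events so you can see which field names to expect. Its handling of nested objects and lists (joining keys with ``key_separator`` and list items with ``list_separator``) is an assumption for illustration; Cowrie's own events are flat, so the top-level fields are what matters in practice. The IP addresses, session ids and the ``extra`` object are constructed.

```python
import json
from collections import Counter

# Settings copied from the Graylog extractor config in this guide.
EXTRACTOR_CONFIG = {
    "list_separator": ", ",
    "kv_separator": "=",
    "key_prefix": "",
    "key_separator": "_",
    "replace_key_whitespace": False,
    "key_whitespace_replacement": "_",
}

# Constructed sample events, one JSON document per line, using field names
# from Cowrie's JSON log format. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    json.dumps({"eventid": "cowrie.login.failed", "username": "root", "password": "123456",
                "src_ip": "198.51.100.7", "session": "c0ffee12",
                "timestamp": "2024-01-01T00:00:01.000000Z", "sensor": "honeypot-1"}),
    json.dumps({"eventid": "cowrie.login.failed", "username": "admin", "password": "admin",
                "src_ip": "198.51.100.7", "session": "c0ffee12",
                "timestamp": "2024-01-01T00:00:02.000000Z", "sensor": "honeypot-1"}),
    json.dumps({"eventid": "cowrie.login.success", "username": "root", "password": "toor",
                "src_ip": "203.0.113.9", "session": "deadbeef",
                "timestamp": "2024-01-01T00:00:03.000000Z", "sensor": "honeypot-1",
                # constructed nested value to show how sub-keys are named
                "extra": {"client": "OpenSSH_8.9", "hassh": ["a", "b"]}}),
]


def _walk(value, path, cfg, out):
    """Recursively flatten a decoded JSON value into out.

    Nested object keys are joined with key_separator and list items with
    list_separator (an assumption about nested values; top-level scalar
    fields simply keep their key name).
    """
    if isinstance(value, dict):
        for key, child in value.items():
            if cfg["replace_key_whitespace"]:
                key = key.replace(" ", cfg["key_whitespace_replacement"])
            _walk(child, path + [key], cfg, out)
        return
    name = cfg["key_prefix"] + cfg["key_separator"].join(path)
    if isinstance(value, list):
        out[name] = cfg["list_separator"].join(str(item) for item in value)
    else:
        out[name] = value


def extract_fields(message, cfg=EXTRACTOR_CONFIG):
    """Return the flat field dict a JSON extractor on the 'message' field would add."""
    out = {}
    _walk(json.loads(message), [], cfg, out)
    return out


def failed_logins_by_ip(messages):
    """Count cowrie.login.failed events per source IP: the kind of query that
    becomes possible once eventid and src_ip are separate fields in Graylog."""
    counts = Counter()
    for msg in messages:
        fields = extract_fields(msg)
        if fields.get("eventid") == "cowrie.login.failed":
            counts[fields["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for msg in SAMPLE_EVENTS:
        print(extract_fields(msg))
    print("failed logins per IP:", failed_logins_by_ip(SAMPLE_EVENTS))
```

In Graylog the equivalent of ``failed_logins_by_ip`` is a search for ``eventid:cowrie.login.failed`` with a quick-values or aggregation widget on ``src_ip``; if those fields are missing from your messages, the extractor was not applied to the input the messages arrive on.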
Syslog Configuration (For Syslog Output only)
*********************************************

Create an rsyslog configuration file in /etc/rsyslog.d::

    $ sudo nano /etc/rsyslog.d/85-graylog.conf

Add the following lines to the file::

    $template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
    *.* @127.0.0.1:8514;GRAYLOGRFC5424

The single ``@`` sends over UDP, matching the **Syslog UDP** input created above, and ``*.*`` forwards every local syslog message (all facilities, all priorities), not only Cowrie's.

Restart rsyslog::

    $ sudo service rsyslog restart
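To check what the template actually sends, or to debug a Syslog UDP input that shows messages with the wrong facility or hostname, it helps to decode a forwarded line by hand. The parser below is an added example, not part of Cowrie, rsyslog or Graylog: it splits a line laid out as ``<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSG``, exactly the order of the ``GRAYLOGRFC5424`` template, and decodes ``PRI`` into facility and severity (``PRI = facility * 8 + severity``). The sample lines are constructed; Cowrie logs with facility ``USER`` (code 1), so an informational message (severity 6) carries ``PRI`` 14. An ``sshd`` line is included because ``*.*`` forwards everything, and ``cowrie_records`` shows how to keep only the honeypot's messages.

```python
import re
from datetime import datetime

# Header layout produced by the rsyslog template in this guide:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) ?(?P<msg>.*)$"
)

# Syslog facility codes 0-23 and severity codes 0-7 (RFC 5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed lines in the shape rsyslog emits with the GRAYLOGRFC5424 template.
# Cowrie uses facility USER (1); at severity info (6) PRI is 1*8+6 = 14.
# The sshd line (auth.info, PRI 38) is here because "*.*" forwards every
# local message, not only Cowrie's.
SAMPLE_LINES = [
    "<14>1 2024-01-01T12:00:00.123456+00:00 honeypot cowrie 4242 "
    "[cowrie.ssh.factory.CowrieSSHFactory] New connection: 198.51.100.7:51234 "
    "(203.0.113.5:2222) [session: c0ffee12]",
    "<14>1 2024-01-01T12:00:01.500000+00:00 honeypot cowrie 4242 "
    "[HoneyPotSSHTransport,0,198.51.100.7] login attempt [root/123456] failed",
    "<38>1 2024-01-01T12:00:02.000000+00:00 honeypot sshd 999 "
    "Accepted publickey for admin from 192.0.2.10 port 50000 ssh2",
]


def parse_rfc5424(line):
    """Parse one line in the template's layout and decode PRI into facility and severity."""
    m = _HEADER.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"line does not match the GRAYLOGRFC5424 layout: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "version": int(m["version"]),
        "timestamp": datetime.fromisoformat(m["timestamp"]),
        "hostname": m["hostname"],
        "appname": m["appname"],
        "procid": m["procid"],
        "msg": m["msg"].strip(),
    }


def cowrie_records(lines, appname="cowrie"):
    """Keep only records with Cowrie's app-name at facility user, which is what
    the [output_localsyslog] section earlier in this guide produces."""
    return [r for r in (parse_rfc5424(line) for line in lines)
            if r["appname"] == appname and r["facility_name"] == "user"]


if __name__ == "__main__":
    for rec in cowrie_records(SAMPLE_LINES):
        print(rec["timestamp"].isoformat(), rec["facility_name"], rec["severity_name"],
              rec["hostname"], rec["appname"], rec["msg"])
```

If the lines Graylog receives do not decode with this parser, the template was not applied (typically because the forwarding rule was written without the ``;GRAYLOGRFC5424`` suffix) and the input is seeing legacy BSD-format syslog instead.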