mirror of https://github.com/cowrie/cowrie.git
bdff9601ca
From Markdown to RestructuredText
README.rst
How to process Cowrie output into Graylog
############################################

Prerequisites
======================

* Working Cowrie installation
* Working Graylog installation

Cowrie Configuration
======================

Open the Cowrie configuration file and uncomment these 3 lines::

    [output_localsyslog]
    facility = USER
    format = text

Restart Cowrie.

Graylog Configuration
======================

Open the Graylog web interface and click on the **System** drop-down in the top menu. From the drop-down menu select **Inputs**. Select **Syslog UDP** from the drop-down menu and click the **Launch new input** button. In the modal dialog enter the following information:

* **Title:** Cowrie
* **Port:** 8514
* **Bind address:** 127.0.0.1

Then click **Launch**.

Syslog Configuration
======================

Create an rsyslog configuration file in ``/etc/rsyslog.d``::

    $ sudo nano /etc/rsyslog.d/85-graylog.conf

Add the following lines to the file::

    $template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
    *.* @127.0.0.1:8514;GRAYLOGRFC5424

Save and quit.

Restart rsyslog::

    $ sudo service rsyslog restart
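Before relying on Cowrie traffic, it is worth confirming that the Graylog Syslog UDP input actually accepts lines in the shape the ``GRAYLOGRFC5424`` template above produces. The script below is an added example, not code from the Cowrie project or the Graylog documentation: it renders a line field by field in that template's layout (``<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSG``), computes the PRI value from the ``USER`` facility that Cowrie is configured with, parses a line back to check it round-trips, and can send one test line to the input at ``127.0.0.1:8514`` from this document. The hostname ``sensor01``, the app name ``cowrie``, the process id and the message text are constructed sample values.

```python
"""Build, check and (optionally) send a test syslog line in the layout the
GRAYLOGRFC5424 rsyslog template emits, to verify the Graylog Syslog UDP input.

Added example, not part of the Cowrie project. Hostname, app name, procid and
message are constructed sample values; host and port match the Graylog input
configured in this document.
"""
import re
import socket
from datetime import datetime, timezone
from typing import Optional

GRAYLOG_HOST = "127.0.0.1"   # bind address of the Graylog Syslog UDP input
GRAYLOG_PORT = 8514          # port of the Graylog Syslog UDP input

# RFC 5424 numeric codes: the facility Cowrie is configured with (USER = 1)
# and the severity most informational events carry (info = 6).
FACILITY_USER = 1
SEVERITY_INFO = 6

# Regex mirroring the rsyslog template field by field:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSG
TEMPLATE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) "
    r"(?P<msg>.*)$"
)


def pri(facility: int, severity: int) -> int:
    """RFC 5424 PRI value: facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def build_line(msg: str, hostname: str, appname: str, procid: str,
               facility: int = FACILITY_USER, severity: int = SEVERITY_INFO,
               timestamp: Optional[datetime] = None) -> str:
    """Render one line in the GRAYLOGRFC5424 layout, with the template's trailing newline."""
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    # A newline inside the message would split the datagram into a second, malformed line.
    msg = msg.replace("\n", " ")
    return f"<{pri(facility, severity)}>1 {ts} {hostname} {appname} {procid} {msg}\n"


def parse_line(line: str) -> dict:
    """Split a line back into its fields and decode PRI; raises on a malformed line."""
    m = TEMPLATE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"line does not match the GRAYLOGRFC5424 layout: {line!r}")
    fields = m.groupdict()
    p = int(fields["pri"])
    if p > 191:  # largest legal PRI is 23 * 8 + 7
        raise ValueError(f"PRI out of range: {p}")
    fields["facility"], fields["severity"] = divmod(p, 8)
    return fields


def send_test_line(line: str, host: str = GRAYLOG_HOST, port: int = GRAYLOG_PORT) -> int:
    """Send one line to the Graylog UDP input; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # Constructed sample event in the style of Cowrie's text output (not a real session).
    sample = build_line("cowrie test event: graylog pipeline check",
                        hostname="sensor01", appname="cowrie", procid="4242")
    print(sample, end="")
    print(parse_line(sample))
    send_test_line(sample)
```

Run it on the host where rsyslog and Graylog live, then search Graylog for ``graylog pipeline check``: if the message shows up with ``facility`` decoded as ``user-level`` and ``level`` as ``6``, the input is parsing the template correctly and Cowrie's own lines will arrive the same way.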