Adding Other Cowrie JSON
#1090
Replies: 1 comment
-
|
hello, any suggestion for this one ? I want create as much as possible cowrie in other infrastructure without need to install many modules just cowrie... thank you |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Hello,
I changed logstash.conf according to https://github.com/telekom-security/tpotce/wiki/Reconfigure-logstash.conf to read new json file from other cowrie honeypot as following:
Cowrie
file {
path => ["/data/cowrie/log/cowrie.json"]
codec => json
type => "Cowrie"
}
Cowrie DC01
file {
path => ["/data/cowrie/log/cowriedc01.json"]
codec => json
type => "Cowrie"
}
Also I already copy cowriedc01.json from other cowrie honeypot to the T-Pot and change the permission 664 and owner to tpot:tpot. After that I run tpot again and I can see logstash now use new configuration but I did not see new dst_ip (as other cowrie's IP) in the elasticsearch, looks like logstash just ignore cowriedc01.json.
So how do I make T-Pot process other cowrie's json log from other honeypot and display them to Kibana ?
Thank you
Beta Was this translation helpful? Give feedback.
All reactions