This guide describes how to send Cowrie output to Graylog via a Syslog UDP input and a GELF HTTP input.
- Working Cowrie installation
- Working Graylog installation
Open the Cowrie configuration file and uncomment these 3 lines:

```ini
[output_localsyslog]
facility = USER
format = text
```
Restart Cowrie
Open the Cowrie configuration file and find this block:

```ini
[output_graylog]
enabled = false
url = http://127.0.0.1:12201/gelf
```

Set `enabled = true` and set `url` to the address of your GELF HTTP input.
Restart Cowrie
Open the Graylog web interface and click on the System drop-down in the top menu. From the drop-down menu select Inputs. Select Syslog UDP from the drop-down menu and click the Launch new input button. In the modal dialog enter the following information:
**Title:** Cowrie
**Port:** 8514
**Bind address:** 127.0.0.1
Then click Launch.
Open the Graylog web interface and click on the System drop-down in the top menu. From the drop-down menu select Inputs. Select GELF HTTP from the drop-down menu and click the Launch new input button. In the modal dialog enter the information about your input.
Click Manage extractors next to the input you just created. On the new page click Actions -> Import extractors and paste this config:
```json
{
  "extractors": [
    {
      "title": "Cowrie Json Parser",
      "extractor_type": "json",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "list_separator": ", ",
        "kv_separator": "=",
        "key_prefix": "",
        "key_separator": "_",
        "replace_key_whitespace": false,
        "key_whitespace_replacement": "_"
      },
      "condition_type": "none",
      "condition_value": ""
    }
  ],
  "version": "4.2.1"
}
```
Then click Launch.
Note:
- Do not remove /gelf from the end of the `url` value, except when you are proxying this address behind nginx.
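To see what the GELF HTTP path actually carries and what the JSON extractor above makes of it, here is an added Python example; it is not Cowrie's or Graylog's own code. It assumes, as Cowrie's GELF output does, that the whole event is serialised into `short_message`, which Graylog stores as `message` (the field the extractor reads). The sample event is constructed, and `flatten_like_graylog` approximates the extractor's behaviour for the settings shown: nested keys joined with `key_separator`, lists of primitives joined with `list_separator`, and lists of objects rendered as `key=value` pairs.

```python
import json
import time
import urllib.request

# Constructed sample event, shaped like a Cowrie cowrie.login.failed record;
# every value here is made up for the example.
SAMPLE_EVENT = {
    "eventid": "cowrie.login.failed",
    "username": "root",
    "password": "123456",
    "message": "login attempt [root/123456] failed",
    "sensor": "honeypot-01",
    "timestamp": "2024-01-01T12:00:00.000000Z",
    "src_ip": "203.0.113.5",
    "session": "a1b2c3d4e5f6",
    "tags": ["ssh", "bruteforce"],
}


def build_gelf(event):
    """Wrap an event in a GELF 1.1 envelope.

    Assumption: like Cowrie's output_graylog, the whole event is serialised
    into short_message, so Graylog stores the JSON text in its 'message'
    field and the JSON extractor configured on 'message' can unpack it.
    """
    return {
        "version": "1.1",
        "host": event["sensor"],
        "timestamp": time.time(),
        "level": 1,
        "short_message": json.dumps(event),
    }


def flatten_like_graylog(obj, key_separator="_", list_separator=", ",
                         kv_separator="=", prefix=""):
    """Approximate Graylog's JSON extractor with the settings used above.

    Nested objects become prefix<key_separator>key, lists of primitives are
    joined with list_separator, and lists of objects are rendered as
    key<kv_separator>value pairs joined with list_separator.
    """
    fields = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            fields.update(flatten_like_graylog(
                value, key_separator, list_separator, kv_separator,
                name + key_separator))
        elif isinstance(value, list):
            parts = []
            for item in value:
                if isinstance(item, dict):
                    parts.extend(f"{k}{kv_separator}{v}" for k, v in item.items())
                else:
                    parts.append(str(item))
            fields[name] = list_separator.join(parts)
        else:
            fields[name] = value
    return fields


def extracted_fields(gelf):
    """Fields Graylog ends up with after the extractor runs on 'message'."""
    return flatten_like_graylog(json.loads(gelf["short_message"]))


def post_gelf(gelf, url="http://127.0.0.1:12201/gelf", timeout=5):
    """POST one GELF message to a GELF HTTP input and return the HTTP status.

    Graylog answers 202 Accepted when it took the message. The url keeps its
    /gelf suffix, as the note above requires.
    """
    req = urllib.request.Request(
        url, data=json.dumps(gelf).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    gelf = build_gelf(SAMPLE_EVENT)
    print(json.dumps(gelf, indent=2))
    for name, value in sorted(extracted_fields(gelf).items()):
        print(f"{name} = {value}")
    # post_gelf(gelf)  # uncomment to send the envelope to a local GELF HTTP input
```

Running the script prints the envelope and the flat field list (`eventid`, `src_ip`, `session`, ...) that you can expect to search on in Graylog once the extractor is attached; if a field is missing there, check whether the extractor is bound to the `message` field of this input.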
Create an rsyslog configuration file in /etc/rsyslog.d:

```shell
$ sudo nano /etc/rsyslog.d/85-graylog.conf
```

Add the following lines to the file:

```
$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
*.* @127.0.0.1:8514;GRAYLOGRFC5424
```

Restart rsyslog:

```shell
$ sudo service rsyslog restart
```
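The following added Python example (not part of Cowrie, rsyslog or Graylog) shows what the Syslog UDP input receives on port 8514 once rsyslog applies the GRAYLOGRFC5424 template: it computes the PRI value for the USER facility that Cowrie was configured with, renders a line in the template's field order, parses such a line back to check the facility, and can send one line over UDP the way the `@127.0.0.1:8514` action does. The message text, hostname and the `cowrie` app-name are assumed sample values.

```python
import datetime
import socket

# Facility and severity codes from RFC 5424 section 6.2.1; only the two this
# setup relies on are listed. USER matches "facility = USER" in cowrie.cfg.
FACILITY_USER = 1
SEVERITY_INFO = 6


def pri(facility, severity):
    """PRI = facility * 8 + severity; this is the number inside the leading <...>."""
    return facility * 8 + severity


def split_pri(value):
    """Inverse of pri(): recover (facility, severity) from a PRI number."""
    return divmod(value, 8)


def format_rfc5424(msg, hostname, appname="cowrie", procid="-",
                   facility=FACILITY_USER, severity=SEVERITY_INFO, when=None):
    """Render one line in the shape the GRAYLOGRFC5424 template produces:
    <pri>version timestamp hostname app-name procid msg"""
    if when is None:
        when = datetime.datetime.now(datetime.timezone.utc)
    ts = when.isoformat(timespec="seconds")  # RFC 3339 form, as date-rfc3339 emits
    return f"<{pri(facility, severity)}>1 {ts} {hostname} {appname} {procid} {msg}"


def parse_rfc5424(line):
    """Parse a line produced by format_rfc5424 back into its fields so the
    facility can be checked against what Cowrie was configured to use."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    end = line.index(">")
    facility, severity = split_pri(int(line[1:end]))
    version, ts, host, app, procid, msg = line[end + 1:].split(" ", 5)
    return {"facility": facility, "severity": severity, "version": int(version),
            "timestamp": ts, "hostname": host, "appname": app,
            "procid": procid, "msg": msg}


def send_udp(line, host="127.0.0.1", port=8514):
    """Send one line to the Syslog UDP input the same way rsyslog's
    @host:port action does; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode(), (host, port))


# Constructed sample line with a fixed timestamp so the output is reproducible.
SAMPLE_LINE = format_rfc5424(
    "login attempt [root/123456] failed", "honeypot-01",
    when=datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc))


if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(parse_rfc5424(SAMPLE_LINE))
    # send_udp(SAMPLE_LINE)  # uncomment to deliver the line to a local Syslog UDP input
```

If lines arrive in Graylog with an unexpected facility, the PRI is the first thing to compare: with `facility = USER` and an informational severity the line must start with `<14>`, and `split_pri` turns any other value back into the facility that actually produced it.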