Setting up ELK to work with Cowrie

[bontchev]

Hello folks,

I'd like to use Kibana to visualize the events in the Cowrie log and have been failing so far. Yes, I have read this article and also issue #402, as well as the documentation.

To begin with, my setup is fairly simple - just one Cowrie honeypot and ELK installed on the same machine (and supposed to be used on the same machine). So, I don't need Filebeat to ship logs to another machine, correct? Also, I gather from issue #402 that I no longer need an nginx server like the first article mentioned above says, yes?

So far I've done the following:

1. Installed elasticsearch, logstash and kibana on the same virtual machine where Cowrie is.
2. Created /var/log/kibana and modified /etc/kibana/kibana.yml according to the documentation.
3. Downloaded the GeoIP data and put it in /var/opt/logstash/vendor/geoip/.
4. Copied cowrie/doc/elk/logstash-cowrie.conf to /etc/logstash/conf.d/ after modifying some paths to make sure they reflect my environment.
5. Started the service logstash.

However, the file /tmp/cowrie-logstash.log is not created. What am I missing? Do I need to change some ownerships - e.g., stuff in /etc/logstash/ is currently owned by root.

Also, does this mean that with this setup Kibana can visualize only one day's worth of data? The file cowrie.json gets renamed after midnight and a new one is created.

[fe7ch]

@bontchev Hey. Since I've spent some time on setting up Kibana, I'll try to help you with it.

First of all, Could you please specify what ELK stack version do you use? (5.x or below?)

If /tmp/cowrie-logstash.log wasn't created, it means that something is wrong with logstash's setup.

Did you validate your logstash config? (for logstash 5.x: /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash-cowrie.conf -t)
What is written in logstash's logs? (/var/log/logstash/)

does this mean that with this setup Kibana can visualize only one day's worth of data?

Nope, Kibana could visualize all data that is indexed by Elasticsearch.

The file cowrie.json gets renamed after midnight and a new one is created.

It's not a problem for Logstash and Filebeat. They could detect log rotation.

[bontchev]

@fe7ch Thanks for willing to help me.

I use version 5.2.0 - the latest I can get with apt-get from the ELK repository.

Trying to validate the setup complains about the Java or Ruby version, I think:

LoadError: JRuby ext built for wrong Java version in `com.purbon.jrmonitor.JRMonitorService': java.lang.UnsupportedClassVersionError: com/purbon/jrmonitor/JRMonitorService : Unsupported major.minor version 52.0
  require at org/jruby/RubyKernel.java:1040
   (root) at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/jrmonitor-0.4.2/lib/jrmonitor.rb:4
  require at org/jruby/RubyKernel.java:1040
   (root) at /usr/share/logstash/logstash-core/lib/logstash/instrument/periodic_poller/jvm.rb:1
  require at org/jruby/RubyKernel.java:1040
   (root) at /usr/share/logstash/logstash-core/lib/logstash/instrument/periodic_poller/jvm.rb:5
  require at org/jruby/RubyKernel.java:1040
   (root) at /usr/share/logstash/logstash-core/lib/logstash/instrument/periodic_pollers.rb:1
  require at org/jruby/RubyKernel.java:1040
   (root) at /usr/share/logstash/logstash-core/lib/logstash/instrument/periodic_pollers.rb:3
  require at org/jruby/RubyKernel.java:1040
   (root) at /usr/share/logstash/lib/bootstrap/environment.rb:70

There is nothing in /var/log/logstash/.

[fe7ch]

Quick googling of this message says that you need update your Java version to 8th version. (elastic/logstash#6397)

[bontchev]

OK, I installed Java version 1.8.0_121 and made it the default. Now trying to validate the config file produces a different error message - about a missing logstash.yml. The documentation doesn't mention anything about it. Where is it supposed to reside and what is it supposed to contain?

Also, errors about /usr/share/logstash/data not being writable - but that's probably because there is no config file telling it to use another place?

WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs to console
13:56:44.101 [main] FATAL logstash.runner - An unexpected error occurred! {:error=>#<ArgumentError: Path "/usr/share/logstash/data" must be a writable directory. It is not writable.>, :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/settings.rb:420:in `validate'", "/usr/share/logstash/logstash-core/lib/logstash/settings.rb:202:in `validate_value'", "/usr/share/logstash/logstash-core/lib/logstash/settings.rb:118:in `validate_all'", "org/jruby/RubyHash.java:1342:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/settings.rb:117:in `validate_all'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:210:in `execute'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:183:in `run'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132:in `run'", "/usr/share/logstash/lib/bootstrap/environment.rb:71:in `(root)'"]}

[fe7ch]

Not the ideal way, but it will do the trick:

cd /usr/share/logstash
sudo bin/logstash -f /etc/logstash/conf.d/logstash-cowrie.conf -t

[bontchev]

I think the config file validates, although I still get warnings:

WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs to console
Configuration OK
14:47:53.242 [LogStash::Runner] INFO  logstash.runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

Still nothing created in the /tmp/ directory, either.

[fe7ch]

So config is okey.

Is there any log files in /var/log/logstash/ ? Any errors listed?

[bontchev]

Yes, there is a constantly updated log file there. It's full of errors like this:

[2017-02-08T15:39:01,482][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0xa83faa URL:http://localhost:9200/>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection refused (Connection refused)"}

The elasticsearch service isn't running, I guess? Yep, that's it:

sudo service elasticsearch restart
 * Stopping Elasticsearch Server                                                                                                             [ OK ] 
 * Starting Elasticsearch Server                                                                                                                    
Java HotSpot(TM) Server VM warning: INFO: os::commit_memory(0x2ae00000, 2080374784, 0) failed; error='Cannot allocate memory' (errno=12)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 2080374784 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /tmp/hs_err_pid1213.log

2 Gb of memory is not enough?! Bummer... Won't work on this virtual machine, then. I'll try it on a physical one on Friday.

[fe7ch]

The amount of RAM that elasticsearch will use is controlled by -Xms,-Xmx in /etc/elasticsearch/jvm.options. By default it's set to "2g" that is 2Gb.

For testing purporses you may set it to 1Gb or less, but the value in both parameters should be the same.

How much RAM does your VM have?

[bontchev]

The VM has 2 Gb memory.

I changed that parameter to "1g" on both lines and tried to start the services. The elasticsearch service gave a [fail] again (instead of [OK]) but without an error message this time. The machine slowed to a crawl and now is frozen solid; I'll have to figure out how to recover.

I have no experience with Java - is it so memory-hungry? I thought it was supposed to be able to run on embedded devices and stuff...

[fe7ch]

I have no experience with Java - is it so memory-hungry?

I don't know about Java, but elasticsearch is. When you start elasticsearch it will try to lock the amount of memory you specified. Furthermore, swapping of elasticsearch's memory dramatically reduces elasticsearch's performance, that is why you also should make some configurations to ensure that OS won't swap elasticsearch's memory. Also, the amount of memory you give to elasticsearch should not exceed half of the VM's RAM.

All steps necessary to start elasticsearch, are described at official documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/setup.html . I recommend you to go through every step carefully, then it will be just a matter of configs to make it all (elasticsearch, logstash, kibana) work together.

[bontchev]

Goddammit... The VM is completely borked now. :( Is there a way to disable a service from starting at boot time in Linux - by holding a key or something? I can't open a terminal to do it the "normal" way. :(

There is no point trying any more with ELK on this VM. Clearly, 2 Gb Ram is not enough. I'll try it on a physical one. But I'd like to be able to re-gain control of this one, if possible - at least for running Cowrie on it...

[katkad]

@bontchev boot the VM with CD, edit what you need?

[bontchev]

@katkad, found a better way. Remembered that you can modify a VM's "hardware" while it is turned off. So, I gave it 4 Gb RAM. That's near the limit of what my 8 Gb host can handle, but it was enough to boot it successfully, open a terminal and disable the starting of these services at boot time.

[bontchev]

OK, I spent most of Friday trying to get this crap to work. Failed. Ready to give up - I suspect the problem is that elasticsearch simply won't run on my hardware.

I thought it was a 8 Gb RAM machine but, apparently, it only has 4 Gb RAM. Here is the output of free after I have Cowrie running, plus the Kibana and Logstash services started:

             total       used       free     shared    buffers     cached
Mem:       3918596    2685092    1233504      72852     218016     779404
-/+ buffers/cache:    1687672    2230924
Swap:      4067324    1274108    2793216

At this point (Cowrie and Logstash started but Elasticserach not started) shouldn't Logstash begin to produce output in the file /tmp/cowrie-logstash.log? Because this file still doesn't exist.

After validating the Elasticsearch config file (it validates OK but with warnings) and trying to start Elasticsearch:

* Starting Elasticsearch Server [fail]

but the machine slows down to a crawl and the memory now looks like this:

             total       used       free     shared    buffers     cached
Mem:       3918596    3787728     130868      55440      14732     188080
-/+ buffers/cache:    3584916     333680
Swap:      4067324    1805648    2261676

And still no logfile created.

Running wget "http://127.0.0.1:9200/_search?q=cowrie&size=5" -q -O - produces

{"took":13,"timed_out":false,"_shards":{"total":1,"successful":1,"failed":0},"hits":{"total":0,"max_score":null,"hits":[]}}

I give up. I can't get a 8-Gb RAM Linux machine for this task right now. I guess ELK is just not for me.

[funtimes-ninja]

@bontchev Have you looked at the java memory settings at all for that machine you are trying to get ELK running on? I had to increase the memory given to java to get the services to run. According to the docs you want to give java 1/2 of what your total memory of that machine is. You said earlier that you have an 8gig ram machine so you should look at setting your memory allocated to java to 4gigs. If your machine really only has 4 gigs, then set java memory to 2gigs.

You can make that change in the file below

vim /etc/elasticsearch/jvm.options

find the section with

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms1g
-Xmx1g

and change them to

-Xms4g
-Xmx4g

[funtimes-ninja]

I didn't read the whole conversation, seems this has already been covered. But going to leave my previous comment there incase it helps out somebody else.

[bontchev]

@funtimes-ninja, I thought my physical Linux machine had 8 Gb RAM - but, as free shows above, it apparently has only 4 Gb RAM. I can't get Elasticsearch work on that in the default configuration (Xms2g). I've already tried using Xms1g on a virtual machine and it works even less. It's hopeless.

[micheloosterhof]

You probably want to limit Xmx rather than Xms :)

[bontchev]

I set both to the same value.

[bontchev]

Something keeps bothering me. OK, so I can't set up Elasticsearch due to insufficient memory. And Kibana needs it to work, so it wouldn't work, either (although I haven't checked). But what about Logstash? Why isn't it creating the /tmp/cowrie-logstash.log file?

After digging around, I finally located the Logstash log file in /var/log/logstash/logstash-plain.log. According to the messages in it, it fails because the directory /usr/share/logstash/data/queue/ is not writable. And, indeed, this directory is owned by root and its permissions are drwxr-xr-x.

Who creates this directory? Should I change its owner to logstash? Or change the permissions to make it world-writable?

[fe7ch]

You probably want to limit Xmx rather than Xms :)

In fact, ES requires that both values were equal.

But what about Logstash? Why isn't it creating the /tmp/cowrie-logstash.log file?

If you want it to work without ES, you should comment ES in output section of logstash's config.

Who creates this directory? Should I change its owner to logstash?

I believe it must be owned by logstash, but won't be able to check it before monday.

I'm not sure about cowrie, but I had a VM with single CPU core and 4 Gb RAM that successfully hosted elasticsearch + logstash + kibana. So probably, your ELK stack must be tuned for better performance.

[bontchev]

OK, I manually changed the ownership of that directory to logstash. This probably needs to be covered in the installation procedure. Now Logstash seems to work - at least the file /tmp/cowrie-logstash.log is now created, although I can't make sense of its contents, so I'm not sure that it is correct.

However, the other log, /var/log/logstash/logstash-plain.log contains warnings like

[2017-02-12T11:40:02,721][WARN ][logstash.filters.json    ] Error parsing json {:source=>"message", :raw=>"Command found: /bin/busybox MIRAI", :exception=>#<LogStash::Json::ParserError: Unrecognized token 'Command': was expecting ('true', 'false' or 'null')
 at [Source: [B@652bd1de; line: 1, column: 9]>}

Isn't this some kind of problem in the format of Cowrie's JSON log?

[fe7ch]

OK, I manually changed the ownership of that directory to logstash. This probably needs to be covered in the installation procedure.

When everything is configured properly from the start, you don't need to do it.

Isn't this some kind of problem in the format of Cowrie's JSON log?

It's a known issue when json becomes corrupted due to many concurent attacker's sessions (#230).

[bontchev]

Managed to get Elasticsearch started on another physical machine (also 4 Gb RAM but a bit more free) by setting both kinds of memory to 1g in the config file. Well, it starts:

* Starting Elasticsearch Server [ OK ]

Doesn't mean that it works, alas. :-( After a while, I keep getting stuff like this in /var/log/logstash/logstash-plain.log:

[2017-02-16T22:31:11,482][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://localhost:9200/, :path=>"/"}
[2017-02-16T22:31:11,488][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x180a7bfc URL:http://localhost:9200/>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/'"}

I guess that means that Elasticsearch has died in creative ways, probably because of insufficient memory.

How did you get this crap to work on a 4 Gb machine?! I tried the procedure in the documentation, I tried everything people were suggesting - and it simply won't work. :-(

Somebody on Twitter is advising me to use ELK in a docker image; I'll try that too, but my hopes aren't high...

[fe7ch]

If you post elasticsearch's logs I would have more clues what is going on.

How did you get this crap to work on a 4 Gb machine?!

I was following official ELK docs on setting up every component of the stack. Again, cowrie's documentation section on ELK includes basic steps and focused on presenting sample configs related to parsing cowrie's logs. It does not include steps required by ELK docs.
If you want to make it work with a good performance, you'll have to spend some time on tuning your machine settings and reading some articles related to it.

[Pinaute]

Hello
I have a similar issue.

I'd like to use Kibana to visualize the events in the Cowrie log and have been failing so far.

I use Cowrie and it works well.
Cowrie runs on a small computer and the ELK stack on my personal computer (not VM). I import manually the file JSON.
My installation procedure is similar to bontchev
I looked at the log files but personally I do not see any error.
I launch :

1. Elasticsearch : $ /opt/Elastic_stack/elasticsearch-5.2.1/bin/elasticsearch
2. Logstash : # /opt/Elastic_stack/logstash-5.2.1/bin/logstash -f /etc/logstash/conf.d/logstash-cowrie.conf
3. Kibana : # /opt/Elastic_stack/kibana-5.2.1-linux-x86_64/bin/kibana

I have the following message in Kibana : "Unable to fetch mapping. Do you have indices matching the pattern?"
I can not configure an index pattern, how to fix this problem ?

Below, the log files:
Log file path : /opt/Elastic_stack/elasticsearch-5.2.1/logs/elasticsearch.log

[2017-02-21T23:06:42,425][INFO ][o.e.n.Node               ] [] initializing ...
[2017-02-21T23:06:42,532][INFO ][o.e.e.NodeEnvironment    ] [r6lzf3v] using [1] data paths, mounts [[/ (/dev/sdb1)]], net usable_space [20.9gb], net total_space [38.3gb], spins? [no], types [ext4]
[2017-02-21T23:06:42,532][INFO ][o.e.e.NodeEnvironment    ] [r6lzf3v] heap size [1.9gb], compressed ordinary object pointers [true]
[2017-02-21T23:06:42,543][INFO ][o.e.n.Node               ] node name [r6lzf3v] derived from node ID [r6lzf3vWQOCPXlxJfcu8Uw]; set [node.name] to override
[2017-02-21T23:06:42,547][INFO ][o.e.n.Node               ] version[5.2.1], pid[11629], build[db0d481/2017-02-09T22:05:32.386Z], OS[Linux/4.4.39-desktop-1.mga5/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/1.8.0_121/25.121-b14]
[2017-02-21T23:06:43,827][INFO ][o.e.p.PluginsService     ] [r6lzf3v] loaded module [aggs-matrix-stats]
[2017-02-21T23:06:43,828][INFO ][o.e.p.PluginsService     ] [r6lzf3v] loaded module [ingest-common]
[2017-02-21T23:06:43,828][INFO ][o.e.p.PluginsService     ] [r6lzf3v] loaded module [lang-expression]
[2017-02-21T23:06:43,828][INFO ][o.e.p.PluginsService     ] [r6lzf3v] loaded module [lang-groovy]
[2017-02-21T23:06:43,828][INFO ][o.e.p.PluginsService     ] [r6lzf3v] loaded module [lang-mustache]
[2017-02-21T23:06:43,828][INFO ][o.e.p.PluginsService     ] [r6lzf3v] loaded module [lang-painless]
[2017-02-21T23:06:43,829][INFO ][o.e.p.PluginsService     ] [r6lzf3v] loaded module [percolator]
[2017-02-21T23:06:43,829][INFO ][o.e.p.PluginsService     ] [r6lzf3v] loaded module [reindex]
[2017-02-21T23:06:43,829][INFO ][o.e.p.PluginsService     ] [r6lzf3v] loaded module [transport-netty3]
[2017-02-21T23:06:43,829][INFO ][o.e.p.PluginsService     ] [r6lzf3v] loaded module [transport-netty4]
[2017-02-21T23:06:43,831][INFO ][o.e.p.PluginsService     ] [r6lzf3v] no plugins loaded
[2017-02-21T23:06:46,954][INFO ][o.e.n.Node               ] initialized
[2017-02-21T23:06:46,954][INFO ][o.e.n.Node               ] [r6lzf3v] starting ...
[2017-02-21T23:06:47,211][INFO ][o.e.t.TransportService   ] [r6lzf3v] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2017-02-21T23:06:47,222][WARN ][o.e.b.BootstrapChecks    ] [r6lzf3v] max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
[2017-02-21T23:06:50,297][INFO ][o.e.c.s.ClusterService   ] [r6lzf3v] new_master {r6lzf3v}{r6lzf3vWQOCPXlxJfcu8Uw}{J560iCmxRmCF4Cv5Ifftkw}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-02-21T23:06:50,348][INFO ][o.e.h.HttpServer         ] [r6lzf3v] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
[2017-02-21T23:06:50,349][INFO ][o.e.n.Node               ] [r6lzf3v] started
[2017-02-21T23:06:50,538][INFO ][o.e.g.GatewayService     ] [r6lzf3v] recovered [1] indices into cluster_state
[2017-02-21T23:06:50,758][INFO ][o.e.c.r.a.AllocationService] [r6lzf3v] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] ...]).

Log file path : /opt/Elastic_stack/logstash-5.2.1/logs/logstash-plain.log

[2017-02-21T23:07:31,062][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[2017-02-21T23:07:31,069][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://localhost:9200/, :path=>"/"}
[2017-02-21T23:07:31,287][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>#<URI::HTTP:0x61411f1c URL:http://localhost:9200/>}
[2017-02-21T23:07:31,289][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2017-02-21T23:07:31,358][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2017-02-21T23:07:31,374][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>[#<URI::Generic:0x7c54144f URL://localhost:9200>]}
[2017-02-21T23:07:31,377][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/opt/Elastic_stack/logstash-5.2.1/vendor/geoip/GeoLite2-City.dat"}
[2017-02-21T23:07:31,401][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
[2017-02-21T23:07:31,406][INFO ][logstash.pipeline        ] Pipeline main started
[2017-02-21T23:07:31,450][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

Log file path : /var/log/kibana/kibana.log

{"type":"log","@timestamp":"2017-02-21T22:07:42Z","tags":["status","plugin:kibana@5.2.1","info"],"pid":11794,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-21T22:07:42Z","tags":["status","plugin:elasticsearch@5.2.1","info"],"pid":11794,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-21T22:07:42Z","tags":["status","plugin:console@5.2.1","info"],"pid":11794,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-21T22:07:42Z","tags":["status","plugin:elasticsearch@5.2.1","info"],"pid":11794,"state":"green","message":"Status changed from yellow to green - Kibana index ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2017-02-21T22:07:42Z","tags":["status","plugin:timelion@5.2.1","info"],"pid":11794,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-21T22:07:42Z","tags":["listening","info"],"pid":11794,"message":"Server running at http://localhost:5601"}
{"type":"log","@timestamp":"2017-02-21T22:07:42Z","tags":["status","ui settings","info"],"pid":11794,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}

[bontchev]

@fe7ch, sorry for the delay of my reply; I was way too busy with more pressing matters (like setting up an OpenVPN server on a Windows 10 box, sigh) for which I had a deadline.

If you post elasticsearch's logs I would have more clues what is going on.

There are no signs of a problem in the Elasticserach log (/var/log/elasticsearch/elasticsearch.log). It just complains about some commercial plug-in (no idea which one, probably X-Pack), the license of which is about to expire. Here is the full log after starting the service:

[2017-02-24T18:30:25,984][INFO ][o.e.n.Node               ] [] initializing ...
[2017-02-24T18:30:26,403][INFO ][o.e.e.NodeEnvironment    ] [yom8lkU] using [1] data paths, mounts [[/ (/dev/mapper/mint--vg-root)]], net usable_space [254.2gb], net total_space [288.7gb], spins? [possibly], types [ext4]
[2017-02-24T18:30:26,404][INFO ][o.e.e.NodeEnvironment    ] [yom8lkU] heap size [990.7mb], compressed ordinary object pointers [true]
[2017-02-24T18:30:26,476][INFO ][o.e.n.Node               ] node name [yom8lkU] derived from node ID [yom8lkUrR6-H_4KJM-EJqA]; set [node.name] to override
[2017-02-24T18:30:26,481][INFO ][o.e.n.Node               ] version[5.2.1], pid[12346], build[db0d481/2017-02-09T22:05:32.386Z], OS[Linux/4.4.0-64-generic/amd64], JVM[Oracle Corporation/Java HotSpot(TM) 64-Bit Server VM/1.8.0_121/25.121-b13]
[2017-02-24T18:30:29,980][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded module [aggs-matrix-stats]
[2017-02-24T18:30:29,980][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded module [ingest-common]
[2017-02-24T18:30:29,980][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded module [lang-expression]
[2017-02-24T18:30:29,980][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded module [lang-groovy]
[2017-02-24T18:30:29,980][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded module [lang-mustache]
[2017-02-24T18:30:29,980][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded module [lang-painless]
[2017-02-24T18:30:29,980][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded module [percolator]
[2017-02-24T18:30:29,980][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded module [reindex]
[2017-02-24T18:30:29,980][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded module [transport-netty3]
[2017-02-24T18:30:29,980][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded module [transport-netty4]
[2017-02-24T18:30:29,981][INFO ][o.e.p.PluginsService     ] [yom8lkU] loaded plugin [x-pack]
[2017-02-24T18:30:33,429][DEBUG][o.e.a.ActionModule       ] Using REST wrapper from plugin org.elasticsearch.xpack.XPackPlugin
[2017-02-24T18:30:35,359][INFO ][o.e.n.Node               ] initialized
[2017-02-24T18:30:35,359][INFO ][o.e.n.Node               ] [yom8lkU] starting ...
[2017-02-24T18:30:35,917][INFO ][o.e.t.TransportService   ] [yom8lkU] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2017-02-24T18:30:39,051][INFO ][o.e.c.s.ClusterService   ] [yom8lkU] new_master {yom8lkU}{yom8lkUrR6-H_4KJM-EJqA}{3Xla75DYTAWuH4HDC42ksQ}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-02-24T18:30:39,105][INFO ][o.e.h.HttpServer         ] [yom8lkU] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
[2017-02-24T18:30:39,105][INFO ][o.e.n.Node               ] [yom8lkU] started
[2017-02-24T18:30:40,455][INFO ][o.e.l.LicenseService     ] [yom8lkU] license [c002c1ee-48fa-4423-af1b-8730e2d12971] mode [trial] - valid
[2017-02-24T18:30:40,458][WARN ][o.e.l.LicenseService     ] [yom8lkU] 
#
# License [will expire] on [Saturday, March 18, 2017]. If you have a new license, please update it.
# Otherwise, please reach out to your support contact.
# 
# Commercial plugins operate with reduced functionality on license expiration:
# - security
#  - Cluster health, cluster stats and indices stats operations are blocked
#  - All data operations (read and write) continue to work
# - watcher
#  - PUT / GET watch APIs are disabled, DELETE watch API continues to work
#  - Watches execute and write to the history
#  - The actions of the watches don't execute
# - monitoring
#  - The agent will stop collecting cluster and indices metrics
#  - The agent will stop automatically cleaning indices older than [xpack.monitoring.history.duration]
# - graph
#  - Graph explore APIs are disabled
[2017-02-24T18:30:40,459][WARN ][o.e.l.LicenseService     ] [yom8lkU] 
#
# License [will expire] on [Saturday, March 18, 2017]. If you have a new license, please update it.
# Otherwise, please reach out to your support contact.
# 
# Commercial plugins operate with reduced functionality on license expiration:
# - security
#  - Cluster health, cluster stats and indices stats operations are blocked
#  - All data operations (read and write) continue to work
# - watcher
#  - PUT / GET watch APIs are disabled, DELETE watch API continues to work
#  - Watches execute and write to the history
#  - The actions of the watches don't execute
# - monitoring
#  - The agent will stop collecting cluster and indices metrics
#  - The agent will stop automatically cleaning indices older than [xpack.monitoring.history.duration]
# - graph
#  - Graph explore APIs are disabled
[2017-02-24T18:30:40,468][INFO ][o.e.g.GatewayService     ] [yom8lkU] recovered [5] indices into cluster_state
[2017-02-24T18:30:44,623][INFO ][o.e.c.r.a.AllocationService] [yom8lkU] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] ...]).
[2017-02-24T18:30:45,724][INFO ][o.e.c.m.MetaDataCreateIndexService] [yom8lkU] [.monitoring-es-2-2017.02.24] creating index, cause [auto(bulk api)], templates [.monitoring-es-2], shards [1]/[1], mappings [shards, node, _default_, index_stats, index_recovery, cluster_state, cluster_stats, node_stats, indices_stats]
[2017-02-24T18:30:46,266][INFO ][o.e.c.m.MetaDataMappingService] [yom8lkU] [.monitoring-es-2-2017.02.24/g2F6emYuQV2uwq-s4171gQ] update_mapping [indices_stats]
[2017-02-24T18:30:46,464][INFO ][o.e.c.m.MetaDataMappingService] [yom8lkU] [.monitoring-es-2-2017.02.24/g2F6emYuQV2uwq-s4171gQ] update_mapping [index_stats]
[2017-02-24T18:30:46,643][INFO ][o.e.c.m.MetaDataMappingService] [yom8lkU] [.monitoring-es-2-2017.02.24/g2F6emYuQV2uwq-s4171gQ] update_mapping [cluster_stats]
[2017-02-24T18:30:46,787][INFO ][o.e.c.m.MetaDataMappingService] [yom8lkU] [.monitoring-es-2-2017.02.24/g2F6emYuQV2uwq-s4171gQ] update_mapping [node_stats]
[2017-02-24T18:31:34,983][INFO ][o.e.c.m.MetaDataCreateIndexService] [yom8lkU] [.monitoring-kibana-2-2017.02.24] creating index, cause [auto(bulk api)], templates [.monitoring-kibana-2], shards [1]/[1], mappings [_default_, kibana_stats]

The Kibana log (/var/log/kibana/kibana.log) also looks fine to me:

{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["status","plugin:kibana@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["status","plugin:elasticsearch@5.2.1","info"],"pid":12444,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["status","plugin:xpack_main@5.2.1","info"],"pid":12444,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["status","plugin:graph@5.2.1","info"],"pid":12444,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["status","plugin:monitoring@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["reporting","warning"],"pid":12444,"message":"Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["status","plugin:reporting@5.2.1","info"],"pid":12444,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["status","plugin:security@5.2.1","info"],"pid":12444,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["security","warning"],"pid":12444,"message":"Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["security","warning"],"pid":12444,"message":"Session cookies will be transmitted over insecure connections. This is not recommended."}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["status","plugin:searchprofiler@5.2.1","info"],"pid":12444,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["status","plugin:tilemap@5.2.1","info"],"pid":12444,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:23Z","tags":["status","plugin:console@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["status","plugin:elasticsearch@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from yellow to green - Kibana index ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["status","plugin:timelion@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["listening","info"],"pid":12444,"message":"Server running at http://localhost:5601"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["status","ui settings","info"],"pid":12444,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["license","info","xpack"],"pid":12444,"message":"Imported license information from Elasticsearch: mode: trial | status: active | expiry date: 2017-03-18T22:02:35+02:00"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["status","plugin:monitoring@5.2.1","info"],"pid":12444,"state":"yellow","message":"Status changed from green to yellow - Waiting for Monitoring Health Check","prevState":"green","prevMsg":"Ready"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["status","plugin:xpack_main@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["status","plugin:graph@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["status","plugin:reporting@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["status","plugin:security@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["status","plugin:searchprofiler@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2017-02-24T16:31:24Z","tags":["status","plugin:tilemap@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2017-02-24T16:31:25Z","tags":["status","plugin:monitoring@5.2.1","info"],"pid":12444,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Monitoring Health Check"}

It's just the Logstash log (/var/log/logstash/logstash-plain.log) that is full of 8 Mb crap like this, repeated ad naseum:

[2017-02-24T18:37:23,077][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://localhost:9200/, :path=>"/"}
[2017-02-24T18:37:23,079][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x2773f35c URL:http://localhost:9200/>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/'"}

If you want to make it work with a good performance, you'll have to spend some time on tuning your machine settings and reading some articles related to it.

Have you considered making a Docker container with the necessary setup, so that anyone could run it? Just expose Cowrie's dl and log directories to the outside file system.

[bontchev]

I meant name of the folder where you put your old logs.

That isn't present anywhere in the Logstash logs, either.

But if you look into cowrie.cfg.dist file, you'll find it.

Nope, it isn't there. And, despite setting this setting to false yesterday and restarting Cowrie, I still have 10 Mb of JSON parsing errors in my Logstash log for today. Well, at least it's not the usual 250 Mb - but the day is just beginning...

But, if the setting isn't present in the original config file, it probably means that my copy of Cowrie isn't implementing it. Time for a git pull, I guess...

Nope, that didn't work. :-(

error: Your local changes to the following files would be overwritten by merge:
        cowrie/commands/busybox.py

This is odd... I just compared my copy of this file to the copy on GitHub and they are exactly the same! Furthermore, what is not the same is my copy of start.sh - I have AUTHBIND_ENABLED=yes there and my umask is 0022 - and I wouldn't want these overwritten.

[fe7ch]

Nope, it isn't there.
But, if the setting isn't present in the original config file, it probably means that my copy of Cowrie isn't implementing it. Time for a git pull, I guess...

Your cowrie is outdated!

I wouldn't want these overwritten.

git commit -a "my commits"
Then pull with rebase: git pull --rebase. It will automatically apply your commits on the top of pulled changes. Sometimes you'll need to fix conflicts, but it's not hard and it doesn't happen often.

[bontchev]

git commit -a "my commits"

That didn't work:

fatal: Paths with -a does not make sense.

Just git commit -a didn't work, either:

*** Please tell me who you are.

Run

  git config --global user.email "you@example.com"
  git config --global user.name "Your Name"

to set your account's default identity.
Omit --global to set the identity only in this repository.

fatal: unable to auto-detect email address (got 'cowrie@bontchev-notebook.(none)')

And I am really afraid to screw up with a setup that currently mostly works and which I spent considerable time getting it to work...

Why is git pull complaining about a file (cowrie/commands/busybox.py) that's not different locally from the one on GitHub? Why didn't it mention a file that is different (start.sh)? I don't have much experience with git; I've worked with VSS and CVS before and they were much easier to understand...

I don't want it to "add" to the repository the hundreds of new local files (logs, downloads, etc.) that I currently have in my Cowrie setup. Isn't there a way to just get the latest versions of the files from GitHub? I had the impression that git pull does that...

[fe7ch]

That didn't work:

Yep, it supposed to be git commit -a -m "my commit"

First of all, you should run commands that git asked you (git config). In the case with cowrie, you should set it to credentials you are using at github.

Why is git pull complaining about a file (cowrie/commands/busybox.py) that's not different locally from the one on GitHub?

Because you can't do pull if you have changes that aren't commited. Git doesn't know about files at remote repositories at the time when this check is performed.

So if you have changes and you want to pull from remote repo you have two options (simplified):

• reset changes (git reset --hard)
• commit changes (git commit -a)

After you do one of the above commands, you'll be able to pull.

[bontchev]

Because you can't do pull if you have changes that aren't commited.

I understand this but I was expecting it to complain about file(s) that are actually different from their copies in the remote repository (i.e., that have changes).

OK, never mind. I did all this and restarted Cowrie. However, as far as I can see, Logstash keeps logging about JSON parsing errors in its log. :-(

[fe7ch]

However, as far as I can see, Logstash keeps logging about JSON parsing errors in its log. :-(

Well, it's possible, because turning off cowrie's direct-tpcip log entries doesn't solve the problem, but reduces frequency of error appearence.

[bontchev]

I don't think that, even before I did this, the errors had anything to do with SSH. They seemed to be from Telnet sessions.

I also don't understand where the errors are. The log seems perfectly valid JSON to me. I read somewhere that sometimes the session commands can overwrite the JSON lines in the log, but I did a quick check and all the lines in the log start with '{' and end with '}'. I also wrote a quick Python script that does essentially print(json.dumps(json.loads)) and it doesn't complain about any errors. (A pity I can't compare the output of it with the input to check if they are the same - the output contains the various keys in a different order. I could use sort_keys, but there is no point, because they aren't sorted in Cowrie's log.

[fe7ch]

I also don't understand where the errors are.

Well, you could pick a json from error message of logstash and look it up in cowrie's logs. Then investigate what is wrong with the particular json record.

[bontchev]

I am not quite sure how to connect the warning in the Logstash log with the line causing it in Cowrie's log... I tried grepping for partial information and I think here is one example:

Logstash log:

[2017-03-05T15:44:33,828][WARN ][logstash.filters.json    ] Error parsing json {:source=>"message", :raw=>"New connection: 93.118.253.195:1699 (192.168.0.103:23) [session: TT700]", :exception=>#<LogStash::Json::ParserError: Unrecognized token 'New': was expecting 'null', 'true', 'false' or NaN
 at [Source: [B@2c949da1; line: 1, column: 5]>}

Line in Cowrie's log that I think it is referring to:

{"eventid": "cowrie.session.connect", "timestamp": "2017-03-05T13:44:33.223289Z", "session": "b60dc56d", "message": "New connection: 93.118.253.195:1699 (192.168.0.103:23) [session: TT700]", "src_port": 1699, "system": "cowrie.telnet.transport.HoneyPotTelnetFactory", "isError": 0, "src_ip": "93.118.253.195", "dst_port": 23, "dst_ip": "192.168.0.103", "sensor": "bontchev-notebook"}

I don't see anything wrong with the JSON format on that line...

[micheloosterhof]

The SSH and telnet honeypots run as multiple independent "factories" inside Twisted. I think maybe they don't do resource sharing very well and try to write to the JSON file at the same time. Try disabling telnet and see if you still get the issue.

…

On Sun, Mar 5, 2017 at 17:54 Vesselin Bontchev ***@***.***> wrote: I am not quite sure how to connect the warning in the Logstash log with the line causing it in Cowrie's log... I tried grepping for partial information and I think here is one example: Logstash log: [2017-03-05T15:44:33,828][WARN ][logstash.filters.json ] Error parsing json {:source=>"message", :raw=>"New connection: 93.118.253.195:1699 (192.168.0.103:23) [session: TT700]", :exception=>#<LogStash::Json::ParserError: Unrecognized token 'New': was expecting 'null', 'true', 'false' or NaN at [Source: ***@***.***; line: 1, column: 5]>} Line in Cowrie's log that I *think* it is referring to: {"eventid": "cowrie.session.connect", "timestamp": "2017-03-05T13:44:33.223289Z", "session": "b60dc56d", "message": "New connection: 93.118.253.195:1699 (192.168.0.103:23) [session: TT700]", "src_port": 1699, "system": "cowrie.telnet.transport.HoneyPotTelnetFactory", "isError": 0, "src_ip": "93.118.253.195", "dst_port": 23, "dst_ip": "192.168.0.103", "sensor": "bontchev-notebook"} I don't see anything wrong with the JSON format on that line... — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#450 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABA4g1hZsYVO9cp0ZKlCHI_5A-GyehYKks5rir5_gaJpZM4L6ol4> .

[micheloosterhof]

This has become quite the ticket :) Thank you @fe7ch for the effort.

[bontchev]

@micheloosterhof, I tried disabling alternatively the SSH or the Telnet honeypot but the warnings kept appearing in the log.

[micheloosterhof]

Okay. that clears that up. It's going wrong somewhere else then!

[fe7ch]

@micheloosterhof The reason is in #230, isn't it?

[bontchev]

@fe7ch, I don't think so. Look at my example above - the JSON is perfectly valid, not overwritten by another line like in issue #230. But, yes, that issue is what I vaguely remembered having read, thanks for the pointer.

Another question about the ELK integration: for Kibana to work properly, do I need to keep the cowrie.json* files - or can I archive them (e.g., in order to save space)? Does Elasticsearch actually create a database with the information from these files - or does it just create indices to these files and the files have to be present for Kibana to fetch the actual data from them?

[fe7ch]

do I need to keep the cowrie.json* files - or can I archive them (e.g., in order to save space)?

If logstash finished working with a file, you can safely rename/remove/archive/etc this file.

Does Elasticsearch actually create a database with the information from these files

Yes, it does.

[bontchev]

OK, I finally got the map background to display. I'll describe the solution here because it isn't too obvious and it took me quite some time to figure it out.

To summarize, when adding a "tile map" visualization, the dots of various sizes (corresponding to e.g., the number of logins from that geoip coordinate) were present but on a blank background (i.e. the geographical map of the world was missing) and the following error occurred:

Tilemap: Could not retrieve manifest from the tile service: status -1

The way to fix it turned out to be this: edit the file /etc/kibana/kibana.yml (need root privileges for that). It must have a tilemap.url setting, specifying the map provider. By default it doesn't have such a setting at all - not even a commented out one! So, add the following line to the file:

tilemap.url: https://tiles.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana

This is the map service provided by Elasticsearch. Restart the Kibana service and the map should work now.

OK, I think I pretty much managed to get working everything I wanted to get working with Cowrie and ELK. Unless somebody else still has anything to add to this subject, I'll close the issue tomorrow.

[bontchev]

Sorry for not closing the issue yet but I was asked to move the honeypot to a different machine and wanted to see how it went. Here are some remarks on the ELK integration; most of the problems seem to be in ELK; not in Cowrie.

1. The documentation about how to integrate Cowrie with ELK needs to be improved a bit - several of the commands listed there need a sudo because they must be executed as root. It's pretty obvious which ones. Will somebody fix it - or should I submit a pull request?
2. The Elasticsearch component of ELK sets up the /etc/elasticsearch directory as readable and searchable only by root. Not sure if this is an oversight or if it is needed for security reasons. This means that you can't edit the configuration files there even with a sudo-prefixed command, because you can't find the files. You must either log in as root (e.g., sudo su) or you must change the permissions of this directory.
3. The "export" ability of the Kibana dashboard is total shit and doesn't work when the exported file is imported on a different machine. All the visualizations were corrupted and not showing anything. Only the dashboard was the same (meaning the visualization applets were at the right places and with the right size). Some visualizations were lost completely - they did not appear on the list of saved visualizations at all. I ended up scrapping everything and re-creating it from scratch, which was rather annoying.
4. For some reason, my old logs (cowrie.json.<date>, which I copied from the old machine) are not processed. Only the current log (cowrie.json) is processed. At first, I thought that Logstash just needs some time to index the old logs - but several hours later there isn't any data from even a single log. Maybe it doesn't like the date format for some reason? Or maybe I have to wait 24 hours until the current log is renamed for Logstash to see other, similarly named logs?

[fe7ch]

Yep, only the first point has something to do with cowrie, everything else is not related to cowrie in any way.

1. Feel free to submit a pull request
2. It's done for security reasons. Configuration files could be accessed with sudo by specifying a full path (if you don't know which files to open, you can always invoke sudo ls /etc/elasticsearch and see which files are there). In fact, users from the elasticsearch group have read/write access to this folder too:

drwxr-x---   4 root elasticsearch 4096 Mar 28 09:56 .
drwxr-xr-x 101 root root          4096 Mar 22 04:58 ..
-rw-rw----   1 root elasticsearch 2888 Feb 20 08:11 elasticsearch.yml
-rw-rw----   1 root elasticsearch 2892 Jan 27 13:30 jvm.options
-rw-rw----   1 root elasticsearch 3992 Jan 11 23:21 log4j2.properties
drwxr-x---   2 root elasticsearch 4096 Jan 11 23:21 scripts
drwxr-x---   2 root elasticsearch 4096 Feb  2 13:17 x-pack

3. I haven't used this feature for a long time already, so I have no idea what went wrong. You may submit an issue to kibana project on Github.
4. Something is wrong there. Are you sure you specified a correct file mask in logstash's config?

[bontchev]

Feel free to submit a pull request

I'm sorry, but I can't figure out what to do. I've cloned the repository and have changed the appropriate README.mk file locally. But I can't sync it with GitHub because (of course) I don't have modification rights. Do I need to create a branch or something? Sorry if it's a stupid question but my experience with source code control systems has been mostly with VSS and CVS, so git is horribly confusing.

Are you sure you specified a correct file mask in logstash's config?

Mask? I don't use a mask. I use just a file name:

path => ["/home/cowrie/cowrie/log/cowrie.json"]

just like on my previous machine. On my previous machine Logstash was smart enough to find the other logs (with the dates appended to their name).

[fe7ch]

I'm sorry, but I can't figure out what to do.

1. Fork the project.
2. Clone your fork.
3. Make a branch with a fix
4. Push your branch to your fork at github
5. Navigate to your fork at github, you'll see a button that offers you to fill a pull request

On my previous machine Logstash was smart enough to find the other logs (with the dates appended to their name).

It couldn't. If you specify exact name, it will monitor only the specified file.
In your case, you should specify a mask path => ["/home/cowrie/cowrie/log/cowrie.json*"]. With this mask logstash will monitor all cowrie's json logs. Logstash will detect a moment when cowrie.json being renamed to cowrie.json_YYYY.MM.DD and won't proceed the same file twice.

[bontchev]

Navigate to your fork at github, you'll see a button that offers you to fill a pull request

I did this, but it creates a pull request only for my fork, not for the main project. I have approved the request, but it seems rather pointless to me - I certainly can modify my own copy of the project, what's the point of making pull requests to it for myself? Gosh, this is so confusing. I give up. Here is my modified copy of the file, do with it whatever you want:

https://github.com/bontchev/cowrie/blob/master/doc/elk/README.md

It couldn't. If you specify exact name, it will monitor only the specified file.

Well, on my previous machine it did. I put my old logs in a separate directory and added the path to the cowrie.json file in that directory (no mask) and everything was processed just fine; only needed some time before everything was indexed. Whatever. I've added a mask now, let's see how it goes.

[bontchev]

I've added a mask now, let's see how it goes.

It doesn't work. :-( I added a mask and restarted the logstash service. Several hours later, not a single old log has been indexed. Only the logs created since the initial installation (that is, yesterday's and today's) have been processed. The file name format seems fine, the data is in the same format as the one appended to yesterday's log name. Any ideas?

[bontchev]

It just doesn't work. I tried everything I could find:

• I tried with a file mask and without it.

• I tried setting the option

ignore_older => 0

• I tried setting the option

start_position => "beginning"

• I tried deleting the files /var/lib/logstash/plugins/inputs/file/.sincedb_*

and any combination of the above, restarting the logstash service every time. It just doesn't work. The old log files are not processed.

The only thing that seems to work is to uncomment the section

tcp {
    port => 3333
    type => "cowrie"
}

in /etc/logstash/conf.d/logstash-cowrie.conf and then feeding each old log file manually via

nc localhost 3333 < logfile

God, this sucks!

[fe7ch]

You are definitely doing something wrong. Especially, counting that it was working with your setup some time ago.

Where are your current logs are stored?
Where are your old logs are located?
What is your logstash config?

[bontchev]

Especially, counting that it was working with your setup some time ago.

There is one substantial difference from that previous setup, but I'm not sure how and if it matters. With the previous setup, I started empty and then added a new directory with some old logs. (Which, incidentally, weren't processed immediately. I thought that maybe Logstash just needed some time, like 24 hours, to process them, but it could have been something else that I have done to force it to process them. Also, they were relatively few.)

With the current setup, I put all the old log files in /home/cowrie/cowrie/log before starting Cowrie+ELK, hoping that Logstash would process them.

Where are your current logs are stored?

In /home/cowrie/cowrie/log - the default place.

Where are your old logs are located?

In the same place.

What is your logstash config?

This (comments removed for brevity):

input {
       file {
              path => ["/home/cowrie/cowrie/log/cowrie.json"]
              codec => json
              type => "cowrie"
       }
       tcp {
              port => 3333
              type => "cowrie"
       }
}

filter {
    if [type] == "cowrie" {
        json {
            source => message
        }
        date {
            match => [ "timestamp", "ISO8601" ]
        }
        if [src_ip]  {
            dns {
                reverse => [ "src_host", "src_ip" ]
                action => "append"
            }
            geoip {
                source => "src_ip"
                target => "geoip"
                database => "/var/opt/logstash/vendor/geoip/GeoLite2-City.mmdb"
            }
        }
    }
}

output {
    if [type] == "cowrie" {
        elasticsearch {
            hosts => ["localhost:9200"]
        }
    }
}

Anyway, I don't think we can resolve this mystery - I ended up feeding the old logs manually via netcat, as explained above, so they are already in the database.

Another Kibana-related question. Currently I access the dashboard by doing SSH to the machine on which it is running, tunneling port 5601, and pointing my browser to localhost:5601. This works just fine for me, but is not suitable if I want to show it to others.

How can I make the dashboard publicly visible? I'd like to have it in read-only mode (so the person viewing it can't screw it up or at least can't save the screwed-up version). I don't really need user/password authentication for that.

From what I've seen by googling around, it is done by using the nginx web server as a proxy to the Kibana service or something like that. (The other option seems to be the X-Pack plug-in, but that's a commercial solution, apparently.) Unfortunately, I have absolutely on experience administering nginx and most of the texts I found seem to assume that the reader knows nginx and/or refer to very old versions of Kibana (e.g., ones keeping its configuration in a file named config.js).

Could you please point me to some guide about how to set up public access to the dashboard that is written for people with no experience with nginx?

[micheloosterhof]

With all these questions about ELK (which none of us is an expert in), you may be better of asking for help in Elastic dedicated places...

[fe7ch]

nginx couldn't guarantee that a visitor wouldn't change anything. As long as visitor has access to kibana, he could do anything there.

The only solution for implementing permessions for accessing ELK I'm aware of is X-Pack (30-days trial, later it must be licensed based on the size of your cluster). I think more suitable way there will be giving access to ppl who won't try to destroy your data + configuring backups of your ES data (https://www.elastic.co/guide/en/elasticsearch/guide/current/backing-up-your-cluster.html)

All questions regarding basic setup of cowrie + ELK are answered. I agree with @micheloosterhof, that questions regarding advaced usage of ELK must be asked at more suitable place (https://discuss.elastic.co).

[lhcunha]

@bontchev The error 2017-02-16T22:31:11,488][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x180a7bfc URL:http://localhost:9200/>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/'"}
Is related to authentication issues. Try providing authentication info on the logstash configuration file, such as user and password.