How to process Cowrie output into Graylog
Prerequisites
- Working Cowrie installation
- Working Graylog installation
Cowrie Configuration
Open the Cowrie configuration file and uncomment these 3 lines:
[output_localsyslog]
facility = USER
format = text
Restart Cowrie.
Graylog Configuration
Open the Graylog web interface and click on the System drop-down in the top menu. From the drop-down menu select Inputs. Select Syslog UDP from the drop-down menu and click the Launch new input button. In the modal dialog enter the following information:
**Title:** Cowrie
**Port:** 8514
**Bind address:** 127.0.0.1
Then click Launch.
Syslog Configuration
Create an rsyslog configuration file in /etc/rsyslog.d:
$ sudo nano /etc/rsyslog.d/85-graylog.conf
Add the following lines to the file:
$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
*.* @127.0.0.1:8514;GRAYLOGRFC5424
Save and quit.
Restart rsyslog:
$ sudo service rsyslog restart
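To check what Graylog will actually receive from the rsyslog template above, here is an added Python example (not part of the Cowrie or Graylog projects) that renders a message in the exact GRAYLOGRFC5424 shape, parses it back into fields, and can ship it to the Syslog UDP input on 127.0.0.1:8514. The sample message, hostname and procid are constructed values.

```python
import re
import socket
from datetime import datetime, timezone

# Syslog codes. USER = 1 matches "facility = USER" in the Cowrie
# [output_localsyslog] section; INFO = 6 is a typical event severity.
FACILITY_USER = 1
SEVERITY_INFO = 6

# Shape produced by the GRAYLOGRFC5424 template. The template omits the
# MSGID and STRUCTURED-DATA fields of full RFC 5424, so this deliberately
# parses the template's output, not arbitrary RFC 5424 messages.
TEMPLATE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app_name>\S+) (?P<procid>\S+) (?P<msg>.*)$",
    re.DOTALL,
)


def syslog_pri(facility: int, severity: int) -> int:
    """PRI as encoded by <%pri%>: facility * 8 + severity."""
    return facility * 8 + severity


def format_template(msg: str, hostname: str, app_name: str = "cowrie",
                    procid: str = "-", timestamp: str = "",
                    facility: int = FACILITY_USER, severity: int = SEVERITY_INFO) -> str:
    """Render one line exactly as the GRAYLOGRFC5424 template would."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()  # RFC 3339 form
    return f"<{syslog_pri(facility, severity)}>1 {ts} {hostname} {app_name} {procid} {msg}\n"


def parse_template(line: str) -> dict:
    """Split a rendered line back into fields; raise ValueError if the shape is off."""
    m = TEMPLATE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"line does not match the GRAYLOGRFC5424 shape: {line!r}")
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    fields.update(facility=pri // 8, severity=pri % 8, version=int(fields["version"]))
    return fields


def send_udp(line: str, host: str = "127.0.0.1", port: int = 8514) -> None:
    """Ship one rendered line to the Graylog Syslog UDP input from this page."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # Constructed sample in the spirit of Cowrie's text output (not a real capture).
    sample = "New connection: 198.51.100.7:41234 (10.0.0.5:2222) [session: c0ffee01]"
    line = format_template(sample, "honeypot01", procid="1234")
    print(line, parse_template(line), sep="")
    send_udp(line)
```

If the parsed fields come back as expected but nothing shows up in Graylog, the input binding (127.0.0.1 vs. the interface rsyslog sends to) or the port are the usual suspects.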