How to send Cowrie output to Graylog

This guide describes how to send Cowrie output to Graylog, either via syslog or via a GELF HTTP input.

Prerequisites

  • Working Cowrie installation

  • Working Graylog installation

Cowrie Configuration

Using Syslog

Open the Cowrie configuration file and uncomment these three lines:

[output_localsyslog]
facility = USER
format = text

Restart Cowrie

Using GELF HTTP Input

Open the Cowrie configuration file and find this block:

[output_graylog]
enabled = false
url = http://127.0.0.1:12201/gelf

Set enabled to true and set url to the URL of your GELF HTTP input.

Restart Cowrie

Graylog Configuration

Syslog Input

Open the Graylog web interface and click on the System drop-down in the top menu. From the drop-down menu select Inputs. Select Syslog UDP from the drop-down menu and click the Launch new input button. In the modal dialog enter the following information:

**Title:** Cowrie
**Port:** 8514
**Bind address:** 127.0.0.1

Then click Launch.

GELF HTTP Input

Open the Graylog web interface and click on the System drop-down in the top menu. From the drop-down menu select Inputs. Select GELF HTTP from the drop-down menu and click the Launch new input button. In the modal dialog enter the information about your input.

Click Manage extractors next to the newly created input. On the new page click Actions -> Import extractors and paste this configuration:

{
  "extractors": [
    {
      "title": "Cowrie Json Parser",
      "extractor_type": "json",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "list_separator": ", ",
        "kv_separator": "=",
        "key_prefix": "",
        "key_separator": "_",
        "replace_key_whitespace": false,
        "key_whitespace_replacement": "_"
      },
      "condition_type": "none",
      "condition_value": ""
    }
  ],
  "version": "4.2.1"
}

Then click Launch.

Note:

  • Do not remove /gelf from the end of the url value, except when you are proxying this address behind nginx.
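To check the GELF side of this setup before relying on Cowrie's own output module, the following added example (not Cowrie's or Graylog's code) builds a GELF 1.1 message from a constructed Cowrie-style login event, enforces the /gelf rule from the note above, and posts it to the input URL from the [output_graylog] block. The sample event, the host name and the send_gelf helper are assumptions made for the example.

```python
import json
import urllib.request
from datetime import datetime, timezone

GELF_URL = "http://127.0.0.1:12201/gelf"  # the url value from [output_graylog]

# Constructed sample shaped like a Cowrie JSON event; not captured data.
SAMPLE_EVENT = {
    "eventid": "cowrie.login.failed",
    "timestamp": "2024-01-01T12:00:00.000000Z",
    "src_ip": "192.0.2.10",
    "session": "a1b2c3d4e5f6",
    "sensor": "honeypot-01",
    "username": "root",
    "password": "123456",
    "message": "login attempt [root/123456] failed",
}


def check_gelf_url(url: str) -> bool:
    """The GELF HTTP input only accepts POSTs on /gelf (unless a proxy rewrites it)."""
    return url.endswith("/gelf")


def build_gelf_payload(event: dict, host: str) -> dict:
    """Map a flat Cowrie event onto GELF 1.1: version, host and short_message
    are mandatory; every other field becomes an additional field, which GELF
    requires to carry a leading underscore ("_id" is reserved, so "id" is dropped)."""
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    payload = {
        "version": "1.1",
        "host": host,
        "short_message": event["message"],
        "timestamp": ts.replace(tzinfo=timezone.utc).timestamp(),
    }
    for key, value in event.items():
        if key not in ("message", "timestamp", "id"):
            payload["_" + key] = value
    return payload


def send_gelf(url: str, payload: dict) -> int:
    """POST one GELF message; Graylog answers 202 Accepted on success."""
    if not check_gelf_url(url):
        raise ValueError(f"GELF HTTP url must end with /gelf: {url}")
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status
```

Run send_gelf(GELF_URL, build_gelf_payload(SAMPLE_EVENT, "honeypot-01")) against a running input; the message should then appear in Graylog with fields such as _eventid and _src_ip, and the JSON extractor above is only needed when the event arrives as JSON text inside the message field.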

Syslog Configuration (For Syslog Output only)

Create an rsyslog configuration file in /etc/rsyslog.d:

$ sudo nano /etc/rsyslog.d/85-graylog.conf

Add the following lines to the file:

$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
*.* @127.0.0.1:8514;GRAYLOGRFC5424

Restart rsyslog:

$ sudo service rsyslog restart