How to send Cowrie output to Graylog
This guide describes how to configure send cowrie outputs to graylog via syslog and http gelf input.
Prerequisites
Working Cowrie installation
Working Graylog installation
Cowrie Configuration
Using Syslog
Open the Cowrie configuration file and uncomment these 3 lines:
[output_localsyslog]
facility * USER
format * text
Restart Cowrie
Using GELF HTTP Input
Open the Cowrie configuration file and find this block
[output_graylog]
enabled * false
url * http://127.0.0.1:12201/gelf
Enable this block and specify url of your input.
Restart Cowrie
Graylog Configuration
Syslog Input
Open the Graylog web interface and click on the System drop-down in the top menu. From the drop-down menu select Inputs. Select Syslog UDP from the drop-down menu and click the Launch new input button. In the modal dialog enter the following information:
**Title:** Cowrie
**Port:** 8514
**Bind address:** 127.0.0.1
Then click Launch.
GELF HTTP Input
Open the Graylog web interface and click on the System drop-down in the top menu. From the drop-down menu select Inputs. Select GELF HTTP from the drop-down menu and click the Launch new input button. In the modal dialog enter the information about your input.
Click Manage Extractors near created input. On new page click Actions -> Import extractors and paste this config
{
"extractors": [
{
"title": "Cowrie Json Parser",
"extractor_type": "json",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"list_separator": ", ",
"kv_separator": "*",
"key_prefix": "",
"key_separator": "_",
"replace_key_whitespace": false,
"key_whitespace_replacement": "_"
},
"condition_type": "none",
"condition_value": ""
}
],
"version": "4.2.1"
}
Then click Launch.
Note:
Do not remove /gelf from the end of URL block, expect of case when your proxing this address behind nginx;
Syslog Configuration (For Syslog Output only)
Create a rsyslog configuration file in /etc/rsyslog.d:
$ sudo nano /etc/rsyslog.d/85-graylog.conf
Add the following lines to the file:
$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
*.* @127.0.0.1:8514;GRAYLOGRFC5424
Restart rsyslog:
$ sudo service rsyslog restart