Mirror of https://github.com/telekom-security/tpotce.git
Reconfigure logstash.conf
Marco Ochse edited this page 2024-04-23 15:35:35 +02:00
Reconfigure logstash.conf to transmit data to other destinations.
1. Extract logstash.conf from the running container:
docker exec -it logstash bash
cd /etc/logstash/
cp logstash.conf /data/elk/logstash.conf
exit
2. Stop T-Pot service
systemctl stop tpot
3. Adjust logstash.conf to your needs:
vi $HOME/tpotce/data/elk/logstash.conf
[...]
# Output section
output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    # document_type => "doc"
  }
  if [type] == "Suricata" {
    file {
      file_mode => 0760
      path => "/data/suricata/log/suricata_ews.log"
    }
  }
  # Debug output
  #if [type] == "XYZ" {
  #  stdout {
  #    codec => rubydebug
  #  }
  #}
  # Debug output
  #stdout {
  #  codec => rubydebug
  #}
}
[...]
4. Set correct permissions:
chmod 760 $HOME/tpotce/data/elk/logstash.conf
chown tpot:tpot $HOME/tpotce/data/elk/logstash.conf
5. Adjust docker-compose.yml by adding a docker volume for logstash.conf:
vi $HOME/tpotce/docker-compose.yml
[...]
## Logstash service
  logstash:
    container_name: logstash
    restart: always
    depends_on:
      elasticsearch:
        condition: service_healthy
    environment:
      - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
      - TPOT_TYPE=${TPOT_TYPE:-HIVE}
      - TPOT_HIVE_USER=${TPOT_HIVE_USER}
      - TPOT_HIVE_IP=${TPOT_HIVE_IP}
    ports:
      - "127.0.0.1:64305:64305"
    mem_limit: 2g
    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
    pull_policy: ${TPOT_PULL_POLICY}
    volumes:
      - ${TPOT_DATA_PATH}:/data
      - ${TPOT_DATA_PATH}/elk/logstash.conf:/etc/logstash/logstash.conf
[...]
6. Start T-Pot service
systemctl start tpot
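Before step 6 restarts the service, a quick check of the edited logstash.conf catches a brace typo that would otherwise stop Logstash from starting. The Python script below is an added example and not part of the T-Pot project: it walks the file while skipping comments and quoted strings (a plain brace count is thrown off by the commented-out debug blocks in step 3), reports unbalanced braces, and lists the plugins declared inside the output section; SAMPLE_CONF is a constructed copy of the page's output section.

```python
# Constructed sample mirroring the output section from step 3.
SAMPLE_CONF = """\
output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
  }
  if [type] == "Suricata" {
    file { path => "/data/suricata/log/suricata_ews.log" }
  }
  # Debug output
  #if [type] == "XYZ" {
  #  stdout { codec => rubydebug }
  #}
}
"""

def block_names(conf: str) -> list:
    """Return (depth, name) for each '{' block. Comments and quoted strings
    are skipped, so commented-out blocks cannot skew the brace count."""
    found, depth = [], 0
    for line in conf.splitlines():
        in_str, word = None, ""
        for ch in line:
            if in_str:                       # inside "..." or '...'
                in_str = None if ch == in_str else in_str
            elif ch in "\"'":
                in_str = ch
            elif ch == "#":                  # comment runs to end of line
                break
            elif ch == "{":
                found.append((depth, word.strip()))
                depth, word = depth + 1, ""
            elif ch == "}":
                depth, word = depth - 1, ""
                if depth < 0:
                    raise ValueError("unexpected '}'")
            else:
                word += ch
    if depth:
        raise ValueError(f"{depth} unclosed '{{'")
    return found

def output_plugins(conf: str) -> list:
    """Plugin blocks inside output {}, descending into if/else conditionals."""
    plugins, in_output = [], False
    for depth, name in block_names(conf):
        if depth == 0:
            in_output = name == "output"
        elif in_output and not name.startswith(("if", "else")):
            plugins.append(name)
    return plugins
```

Run output_plugins(open("/data/elk/logstash.conf").read()) against the real file; a ValueError points at a brace left open by the edit.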