Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-04-19 21:52:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Created Reconfigure logstash.conf (markdown)

Marco Ochse 2019-03-06 11:47:58 +01:00
parent 8b9d3ad87d
commit d1ed2d60d3
1 changed files with 79 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

79
Reconfigure-logstash.conf.md Normal file

@ -0,0 +1,79 @@
# Reconfigure `logstash.conf` to transmit data to other destination.
### 1. Extract `logstash.conf` from running container:
```
docker exec -it logstash ash
cd /etc/logstash/conf.d/
cp logstash.conf /data/elk/logstash.conf
exit
```
### 2. Stop T-Pot service
```
systemctl stop tpot
```
### 3. Adjust `logstash.conf` to your needs:
```
vi /data/elk/logstash.conf
[...]
# Output section
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
# document_type => "doc"
}
if [type] == "Suricata" {
file {
file_mode => 0760
path => "/data/suricata/log/suricata_ews.log"
}
}
# Debug output
#if [type] == "XYZ" {
# stdout {
# codec => rubydebug
# }
#}
# Debug output
#stdout {
# codec => rubydebug
#}
}
[...]
```
### 4. Set correct permissions:
```
chmod 760 /data/ews/conf/ews.cfg
chown tpot:tpot /data/ews/conf/ews.cfg
```
### 5. Adjust `tpot.yml` by adding docker volume for `logstash.conf`:
```
vi /opt/tpot/etc/tpot.yml
[...]
## Logstash service
logstash:
container_name: logstash
restart: always
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/logstash:1903"
volumes:
- /data:/data
- /data/elk/logstash.conf:/etc/logstash/conf.d/logstash.conf
[...]
```
### 6. Start T-Pot service
```
systemctl start tpot
```