Add output to Graylog via GELF HTTP input. (#1652)

* Add output to Graylog via GELF HTTP input
2025-07-01 18:07:27 -04:00 · 2021-11-19 14:32:59 +03:00
parent 15f2450f3c
commit a733d663c2
3 changed files with 129 additions and 10 deletions
--- a/docs/graylog/README.rst
+++ b/docs/graylog/README.rst
@ -1,26 +1,46 @@
 How to send Cowrie output to Graylog
 ####################################

+This guide describes how to configure send cowrie outputs to graylog via syslog and http gelf input.

 Prerequisites
-======================
+*************

 * Working Cowrie installation
 * Working Graylog installation

 Cowrie Configuration
-======================
+********************
+
+Using Syslog
+============

 Open the Cowrie configuration file and uncomment these 3 lines::

    [output_localsyslog]
-    facility = USER
-    format = text
+    facility * USER
+    format * text
+
+Restart Cowrie
+
+Using GELF HTTP Input
+=====================
+
+Open the Cowrie configuration file and find this block ::
+
+    [output_graylog]
+    enabled * false
+    url * http://127.0.0.1:12201/gelf
+
+Enable this block and specify url of your input.

 Restart Cowrie

 Graylog Configuration
-======================
+*********************
+
+Syslog Input
+============

 Open the Graylog web interface and click on the **System** drop-down in the top menu. From the drop-down menu select **Inputs**. Select **Syslog UDP** from the drop-down menu and click the **Launch new input** button. In the modal dialog enter the following information::

@ -30,8 +50,46 @@ Open the Graylog web interface and click on the **System** drop-down in the top

 Then click **Launch.**

-Syslog Configuration
-======================
+GELF HTTP Input
+===============
+
+Open the Graylog web interface and click on the **System** drop-down in the top menu. From the drop-down menu select **Inputs**. Select **GELF HTTP** from the drop-down menu and click the **Launch new input** button. In the modal dialog enter the information about your input.
+
+Click **Manage Extractors** near created input. On new page click **Actions** -> **Import extractors**  and paste this config ::
+
+    {
+      "extractors": [
+        {
+          "title": "Cowrie Json Parser",
+          "extractor_type": "json",
+          "converters": [],
+          "order": 0,
+          "cursor_strategy": "copy",
+          "source_field": "message",
+          "target_field": "",
+          "extractor_config": {
+            "list_separator": ", ",
+            "kv_separator": "*",
+            "key_prefix": "",
+            "key_separator": "_",
+            "replace_key_whitespace": false,
+            "key_whitespace_replacement": "_"
+          },
+          "condition_type": "none",
+          "condition_value": ""
+        }
+      ],
+      "version": "4.2.1"
+    }
+
+Then click **Launch.**
+
+Note:
+
+- Do not remove **/gelf** from the end of URL block, expect of case when your proxing this address behind nginx;
+
+Syslog Configuration (For Syslog Output only)
+*********************************************

 Create a rsyslog configuration file in /etc/rsyslog.d::

@ -46,4 +104,3 @@ Restart rsyslog::

    $ sudo service rsyslog restart

-