mirror of
https://github.com/cowrie/cowrie.git
synced 2025-07-01 18:07:27 -04:00
0d2817a38b
* add pylint. fix variable names * add ruff. remove twistedchecker * update pre-commit * update hadolint. ruff mandatory in tox * add pyright as optional * add coverage * typing * fix telnet * fix #1757
How to send Cowrie output to Azure Sentinel =========================================== Open your Sentinel worksapce and navigate to `Data connectors` > `Syslog` > `Open connector page`. Expand `Install agent on a non-Azure Linux Machine`, the select `Download & install agent for non-Azure Linux machines`. Select the Linux tab and either copy the shell script that is presented, or take note of your Workspace ID and Primary Key and install the agent on your host by hand:: $ wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh $ chmod +x onboard_agent.sh $ ./onboard_agent.sh -w <workspace ID> -s <key> -d opinsights.azure.com Once installed, return to the Syslog connector page and select `Open your workspace advanced settings configuration`. Select `Data` > `Custom Logs`. Check `Apply below configuration to my linux machines` then add a new custom log source: When prompted, upload the ``cowrie.json`` file you downloaded. The default delimeter is correct (newline). Specify ``/opt/cowrie/var/log/cowrie/cowrie.json`` as the log collection path. Name the custom log ``cowrie_JSON``. Sentinel will automatically append _CL to this name. It will take a while for this to roll out to the host, but eventually you'll be able to run the log analytics query cowrie_JSON_CL and see data coming in. Take the contents of ``cowrie-parser.txt`` from the ``docs/sentinel`` folder and paste them into a new log analytics query. Run the query, then save this off as a function with the name, alias and category of `Cowrie`. Once events are being ingested and parsed by Azure Sentinel, ``linux_workbook.json`` can be imported to define a custom workbook to interact with Cowrie data.