Prep for Log4Pot integration

2025-07-02 01:27:27 -04:00 · 2021-12-16 20:25:40 +00:00
parent a98b447556
commit b0339610a2
7 changed files with 344 additions and 6 deletions
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@ -147,6 +147,13 @@ input {
    type => "Ipphoney"
  }

+# Log4pot
+  file {
+    path => ["/data/log4pot/log/log4pot.log"]
+    codec => json
+    type => "Log4pot"
+  }
+
 # Mailoney
  file {
    path => ["/data/mailoney/log/commands.log"]
@ -564,6 +571,20 @@ filter {
    }
  }

+# Log4pot
+  if [type] == "Log4pot" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+        "server_port" => "dest_port"
+        "port" => "src_port"
+        "client" => "src_ip"
+      }
+    }
+  }
+
 # Mailoney
  if [type] == "Mailoney" {
    date {
--- a/docker/log4pot/Dockerfile
+++ b/docker/log4pot/Dockerfile
@ -0,0 +1,42 @@
+FROM alpine:3.14
+#
+# Install packages
+RUN apk -U add \
+             build-base \
+	     cargo \
+             git \
+	     libcap \
+	     libffi-dev \
+	     openssl-dev \
+             python3 \
+             python3-dev \
+             rust && \
+    apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing poetry && \
+#	     
+# Install log4pot from GitHub and setup
+    mkdir -p /opt /var/log/log4pot && \
+    cd /opt/ && \
+    git clone https://github.com/thomaspatzke/Log4Pot && \
+    cd Log4Pot && \
+    git checkout 4269bf4a91457328fb64c3e7941cb2f520e5e911 && \
+    sed -i 's#"type": logtype,#"reason": logtype,#g' log4pot.py && \
+    poetry install && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
+#
+# Setup user, groups and configs
+    addgroup -g 2000 log4pot && \
+    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 log4pot && \
+    chown log4pot:log4pot -R /opt/Log4Pot && \
+#
+# Clean up
+    apk del --purge build-base \
+                    git \
+		    python3-dev && \
+    rm -rf /root/* && \
+    rm -rf /var/cache/apk/*
+#
+# Start log4pot
+STOPSIGNAL SIGINT
+USER log4pot:log4pot
+WORKDIR /opt/Log4Pot/
+CMD ["/usr/bin/python3","log4pot.py","--port","8080","--log","/var/log/log4pot/log4pot.log"]
--- a/docker/log4pot/docker-compose.yml
+++ b/docker/log4pot/docker-compose.yml
@ -0,0 +1,23 @@
+version: '2.3'
+
+networks:
+  log4pot_local:
+
+services:
+
+# Log4pot service
+  log4pot:
+    build: .
+    container_name: log4pot
+    restart: always
+    networks:
+     - log4pot_local
+    ports:
+     - "80:8080"
+     - "443:8080"
+     - "8080:8080"
+     - "9200:8080"
+    image: "dtagdevsec/log4pot:2006"
+    read_only: true
+    volumes:
+     - /data/log4pot/log:/var/log/log4pot