Continue working on Galah

docker/elk/logstash/Dockerfile

@@ -1,5 +1,5 @@
 FROM ubuntu:22.04
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
 ENV LS_VER=8.14.2
 #
 # Include dist

docker/elk/logstash/dist/http_output.conf

@@ -99,6 +99,13 @@ input {
     type => "Endlessh"
   }
 
+# Galah
+  file {
+    path => ["/data/galah/log/galah.json"]
+    codec => json
+    type => "Galah"
+  }
+
 # Glutton
   file {
     path => ["/data/glutton/log/glutton.log"]
@@ -210,9 +217,9 @@ filter {
     mutate {
       rename => {
         "sourceIp" => "src_ip"
-	"destinationIp" => "dest_ip"
-	"sourcePort" => "src_port"
-	"destinationPort" => "dest_port"
+	      "destinationIp" => "dest_ip"
+        "sourcePort" => "src_port"
+        "destinationPort" => "dest_port"
         "gquic" => "fatt_gquic"
         "http" => "fatt_http"
         "rdp" => "fatt_rdp"
@@ -460,6 +467,13 @@ filter {
     }
   }
 
+# Galah
+  if [type] == "Galah" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
 # Glutton
   if [type] == "Glutton" {
     date {

docker/elk/logstash/dist/logstash.conf

@@ -99,6 +99,13 @@ input {
     type => "Endlessh"
   }
 
+# Galah
+  file {
+    path => ["/data/galah/log/galah.json"]
+    codec => json
+    type => "Galah"
+  }
+
 # Glutton
   file {
     path => ["/data/glutton/log/glutton.log"]
@@ -460,6 +467,13 @@ filter {
     }
   }
 
+# Galah
+  if [type] == "Galah" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
 # Glutton
   if [type] == "Glutton" {
     date {

docker/elk/map/Dockerfile

@@ -13,7 +13,7 @@ RUN apk --no-cache -U add \
 # Install from GitHub and setup
     mkdir -p /opt && \
     cd /opt/ && \
-    git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.1 && \
+    git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.2 && \
     cd t-pot-attack-map && \
     pip3 install --break-system-packages --upgrade pip && \
     pip3 install --break-system-packages -r requirements.txt && \
@@ -35,4 +35,4 @@ ENV TZ=UTC
 STOPSIGNAL SIGINT
 USER map:map
 WORKDIR /opt/t-pot-attack-map
-CMD /usr/bin/python3 $MAP_COMMAND
+CMD ["/bin/sh", "-c", "/usr/bin/python3 $MAP_COMMAND"]