[Solved] Can't get logstash to catch cowrie filebeat

Thanks for the reply

Edited logstash config
Still no luck

# cat /etc/logstash/conf.d/cowrie.conf
# Beats listener: receives the events that Filebeat ships to this Logstash node.
input {
  beats {
    port => 5044    # Pick an available port to listen on
    # NOTE(review): "0.0.0.0" binds every interface, and no TLS options are set
    # in this block, so any host that can reach the port can submit events in
    # cleartext. Bind to the internal address or enable TLS if the network is
    # not fully trusted.
    host => "0.0.0.0"
  }
} 
 
# Parse and enrich Cowrie events. Everything below runs only for events whose
# top-level "type" field equals "cowrie"; any other event passes through
# this section unchanged.
filter {
  # NOTE(review): nothing in this file sets "type"; it has to arrive on the
  # event from the shipper. If the incoming event has no such field, this
  # condition is false and none of the parsing below is applied.
  if [type] == "cowrie" {
    # Decode the JSON text held in "message". No target is given, so the decoded
    # keys are written at the root of the event.
    # NOTE(review): the values are recorded from honeypot sessions, so treat
    # every resulting field as untrusted input downstream.
    json {
      source => message
    }
    # Use the decoded "timestamp" field (ISO8601) as the event time.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # Enrichment is skipped when the event carries no source address.
    if [src_ip]  {
      # Reverse-resolve the listed fields and append the result to them.
      # NOTE(review): PTR records are controlled by whoever owns the address
      # space, so the resolved name is untrusted. Each lookup also sends a DNS
      # query for the remote address and can slow the pipeline.
      dns {
        reverse => [ "src_host", "src_ip" ]
        action => "append"
      }
      geoip {
        source => "src_ip"  # With the src_ip field
        target => "geoip"   # Add the geoip one
        # Using the database we previously saved
        database => "/opt/logstash/vendor/geoip/GeoLite2-City.mmdb"
        # The two add_field entries target the same field, longitude first,
        # then latitude.
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
      }
      # Get the ASN code as well
      #geoip {
        #source => "src_ip"
        #database => "/opt/logstash/vendor/geoip/GeoIPASNum.dat"
      #}
      # add_field interpolates strings; convert the coordinates to floats.
      mutate {
        convert => [ "[geoip][coordinates]", "float" ]
      }
    }
  }
}

# Deliver Cowrie events to Elasticsearch, a local JSON file and stdout.
# NOTE(review): all three outputs sit inside the same "type" condition, so an
# event without type == "cowrie" is written nowhere.
output {
  if [type] == "cowrie" {
    # Output to elasticsearch
    elasticsearch {
      hosts => ["127.0.0.1:9200"]  # Provided elasticsearch is listening on that host:port
      #sniffing => true
      manage_template => false
      # Index name is built from the beat name in @metadata plus the event date.
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
    # NOTE(review): /tmp is a shared directory, and this file receives the full
    # honeypot events as JSON. The path has no date pattern, so it is a single
    # file that keeps growing. Keep this for debugging only, or write to a
    # directory readable only by the logstash user.
    file {
      path => "/tmp/cowrie-logstash.log"
      codec => json
    }
    # For debugging
    stdout {
      codec => rubydebug
    }
  }
}

Still, a lot of output in the log from the filebeat

...
[DEBUG] 2019-01-26 22:38:40.673 [Ruby-0-Thread-6: :1] file - Starting flush cycle
[DEBUG] 2019-01-26 22:38:41.315 [pool-2-thread-2] cgroup - One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu
[DEBUG] 2019-01-26 22:38:41.683 [nioEventLoopGroup-3-3] ConnectionHandler - e39a15a6: batches pending: true
[DEBUG] 2019-01-26 22:38:41.683 [defaultEventExecutorGroup-5-2] BeatsHandler - [local: 192.168.10.6:5044, remote: 192.168.10.48:35816] Received a new payload
[DEBUG] 2019-01-26 22:38:41.684 [defaultEventExecutorGroup-5-2] BeatsHandler - [local: 192.168.10.6:5044, remote: 192.168.10.48:35816] Sending a new message for the listener, sequence: 1
[DEBUG] 2019-01-26 22:38:41.685 [defaultEventExecutorGroup-5-2] BeatsHandler - [local: 192.168.10.6:5044, remote: 192.168.10.48:35816] Sending a new message for the listener, sequence: 2
[DEBUG] 2019-01-26 22:38:41.686 [defaultEventExecutorGroup-5-2] BeatsHandler - e39a15a6: batches pending: false
[DEBUG] 2019-01-26 22:38:41.803 [Ruby-0-Thread-8: :1] pipeline - filter received {"event"=>{"offset"=>55453829, "source"=>"/home/cowrie/cowrie/var/log/cowrie/cowrie.json", "@timestamp"=>2019-01-26T21:38:40.670Z, "@version"=>"1", "prospector"=>{"type"=>"log"}, "tags"=>["beats_input_codec_plain_applied"], "host"=>"hunnipi", "beat"=>{"hostname"=>"hunnipi", "name"=>"hunnipi", "version"=>"6.1.1"}, "message"=>"{\"eventid\": \"cowrie.direct-tcpip.request\", \"timestamp\": \"2019-01-26T21:38:38.864972Z\", \"dst_ip\": \"31.13.67.174\", \"src_ip\": \"5.188.86.208\", \"session\": \"a83e0879efdd\", \"dst_port\": 443, \"src_port\": 31373, \"message\": \"direct-tcp connection request to 31.13.67.174:443 from ::1:31373\", \"sensor\": \"hunnipi\"}"}}
[DEBUG] 2019-01-26 22:38:41.803 [Ruby-0-Thread-7: :1] pipeline - filter received {"event"=>{"offset"=>55456652, "source"=>"/home/cowrie/cowrie/var/log/cowrie/cowrie.json", "@timestamp"=>2019-01-26T21:38:40.670Z, "@version"=>"1", "prospector"=>{"type"=>"log"}, "tags"=>["beats_input_codec_plain_applied"], "host"=>"hunnipi", "beat"=>{"hostname"=>"hunnipi", "name"=>"hunnipi", "version"=>"6.1.1"}, "message"=>"{\"eventid\": \"cowrie.direct-tcpip.data\", \"timestamp\": \"2019-01-26T21:38:39.015163Z\", \"sensor\": \"hunnipi\", \"src_ip\": \"5.188.86.208\", \"session\": \"a83e0879efdd\", \"dst_port\": 443, \"dst_ip\": \"31.13.67.174\", \"data\": 
...
[DEBUG] 2019-01-26 22:38:41.804 [Ruby-0-Thread-8: :1] pipeline - output received {"event"=>{"offset"=>55453829, "source"=>"/home/cowrie/cowrie/var/log/cowrie/cowrie.json", "@timestamp"=>2019-01-26T21:38:40.670Z, "@version"=>"1", "prospector"=>{"type"=>"log"}, "tags"=>["beats_input_codec_plain_applied"], "host"=>"hunnipi", "beat"=>{"hostname"=>"hunnipi", "name"=>"hunnipi", "version"=>"6.1.1"}, "message"=>"{\"eventid\": \"cowrie.direct-tcpip.request\", \"timestamp\": \"2019-01-26T21:38:38.864972Z\", \"dst_ip\": \"31.13.67.174\", \"src_ip\": \"5.188.86.208\", \"session\": \"a83e0879efdd\", \"dst_port\": 443, \"src_port\": 31373, \"message\": \"direct-tcp connection request to 31.13.67.174:443 from ::1:31373\", \"sensor\": \"hunnipi\"}"}}
...
[DEBUG] 2019-01-26 22:38:42.419 [pool-2-thread-1] jvm - collector name {:name=>"ParNew"}
[DEBUG] 2019-01-26 22:38:42.419 [pool-2-thread-1] jvm - collector name {:name=>"ConcurrentMarkSweep"}
[DEBUG] 2019-01-26 22:38:42.683 [Ruby-0-Thread-6: :1] file - Starting flush cycle
...

But I can't see anything about type: cowrie?

Is something wrong with the filebeat config?