Forward T-Pot logs to syslog host / Adjust logstash.conf to your needs

[t3chn0m4g3]

The Elastic Stack (Logstash) now includes the Syslog Output Plugin.

Logstash Configuration Customization (recommended only on Hive)

The Logstash configurations must be customized using volumes. To do this, stop T-Pot (sudo systemctl stop tpot) and then modify both logstash.conf and http_input.conf located in tpotce/docker/elk/logstash/dist for example:

  syslog {
    host => "192.168.1.100"
    port => 514
    protocol => tcp
    appname => "logstash-logs"
    severity => "6"
  }

In the docker-compose.yml file located at tpotce/docker-compose.yml, add two volumes to the configuration of the Logstash service:

Logstash service

  logstash:
    container_name: logstash
    restart: always
    depends_on:
      elasticsearch:
        condition: service_healthy
    networks:
     - nginx_local
    environment:
     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
     - TPOT_TYPE=${TPOT_TYPE:-HIVE}
     - TPOT_HIVE_USER=${TPOT_HIVE_USER}
     - TPOT_HIVE_IP=${TPOT_HIVE_IP}
     - LS_SSL_VERIFICATION=${LS_SSL_VERIFICATION:-full}
    ports:
     - "127.0.0.1:64305:64305"
    mem_limit: 2g
    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
    pull_policy: ${TPOT_PULL_POLICY}
    volumes:
     - ${TPOT_DATA_PATH}:/data
     - modified_logstash.conf:/etc/logstash/logstash.conf
     - modified_http_input.conf:/etc/logstash/http_input.conf

Then start T-Pot (sudo systemctl start tpot) again.

Monitor the logs with (docker compose logs; run this command directly in the tpotce folder) in case something doesn't work as expected.

Important Notes:

• modified_logstash.conf and modified_http_input.conf are the names of the files you will create with your custom configurations. You'll need to create these files locally before running docker-compose.
• This setup mounts those local configuration files into the container, overriding the default ones.