adjusted logstash.conf according to wiki, not transporting data.. #1116
Replies: 3 comments
-
.. so the honeypots' data is being transported via logstash and the http_input.conf, NOT the logstash.conf. Why is there an http_input.conf with an output clause, along with an http_output.conf and a logstash.conf?
-
Because it needs to be aware of a standalone and a distributed installation of T-Pot.
-
I figured it out and have it working. I'm not sure it's ideal, but it works. I created a completely separate ES cluster not associated with the TPOT22 or Hive installations. I got it all up and running: 3 SSD nodes (hot ILM nodes) and 2 nodes with spinning drives (warm ILM nodes) for long-term storage. Once that was all set, I stopped the tpot service and followed the instructions on the WIKI: https://github.com/telekom-security/tpotce/wiki/Reconfigure-logstash.conf. If you are doing a single node (not a hive install), just follow those directions. With the hive server you need to switch the logstash.conf for the http_input.conf. That's really the only change. I still send my data to the hive elasticsearch; I just delete data after two weeks. It's quick and easy. I also send the data to my other ES cluster for long-term storage and analysis.
Output section: elasticsearch { elasticsearch {
I hope this helps
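As an added example, not code from the thread and not T-Pot's own logstash.conf, this is the shape of a Logstash output section that keeps events flowing to the Elasticsearch shipped with T-Pot while also sending every event to a separate long-term cluster, as the reply above describes. The host names, credentials, index names, CA path and ILM policy name are placeholders, and the TLS and ILM options assume the Elasticsearch 8 target and hot/warm tiers mentioned in the reply.

```conf
# Constructed example: one pipeline, two Elasticsearch destinations.
# Replace every placeholder before use; nothing here is taken from T-Pot.
output {
  # 1) The Elasticsearch container that ships with T-Pot / Hive.
  #    Short retention is handled there (the poster deletes after two weeks).
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]   # placeholder: in-stack container name
    index => "logstash-%{+YYYY.MM.dd}"       # placeholder daily index pattern
  }

  # 2) The separate long-term cluster (Elasticsearch 8, TLS and auth assumed).
  elasticsearch {
    hosts => [
      "https://es-lt-1.example.internal:9200",   # placeholder hot node
      "https://es-lt-2.example.internal:9200"    # placeholder hot node
    ]
    user     => "logstash_writer"              # placeholder: role limited to index/write
    password => "${LT_ES_PASSWORD}"            # pulled from the Logstash keystore, not hard-coded
    ssl    => true                             # on newer plugin versions: ssl_enabled
    cacert => "/etc/logstash/certs/lt-ca.crt"  # placeholder CA for the cluster's cert
                                               # (newer versions: ssl_certificate_authorities)

    # Let ILM move indices from the SSD (hot) to the spinning-disk (warm) nodes.
    # With ILM enabled the plugin writes to the rollover alias, so no `index` here.
    ilm_enabled        => true
    ilm_rollover_alias => "tpot-longterm"      # placeholder write alias
    ilm_pattern        => "000001"
    ilm_policy         => "tpot-hot-warm"      # placeholder; the policy itself is defined in ES
  }
}
```

Both outputs live in one pipeline, so if the long-term cluster becomes unreachable the elasticsearch output's retries apply backpressure and delivery to the local instance stalls as well; split them into two pipelines (pipeline-to-pipeline) if the two destinations must fail independently.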
-
I'm pulling my hair out over here.
I followed the wiki to reconfigure logstash.conf to send the data somewhere else.
I have an elasticsearch 8 cluster set up and working fine.
The ONLY line I modified was:
Data is still going to the elasticsearch docker container built with the tpot install; the only thing showing up in the logstash index is the NGINX records/logs. Everything else is going to the original elasticsearch single node.
I've rebooted everything. I know it's reading the logstash.conf file, because I can change
and it creates that index on my ELK cluster, but the logs from suricata and HP are not being transported.
What am I missing? Any suggestions would really be appreciated.