Sending data from T-Pot to an external ELK stack

[ze3ck]

Hello,

As a result of a project I have to undertake, I came across the issue of needing to separate the built-in ELK stack in T-Pot and send its data (logs) to an external ELK stack. To provide some context, T-Pot is running on Debian 11, and the external ELK stack is installed on an Ubuntu machine, as per the project's requirements. Both machines will be deployed on a cloud hosting provider.

So, my question is how could I send data to the external ELK stack?

I'm looking forward to your comments. Thank you in advance.

[MakoWish]

Also looking for a solution to this. We have a 31 node Elastic cluster in production for SIEM and business analytics, and I would like to send all T-Pot data to that production cluster. This would allow us to pivot and correlate with other live network/security data.

[dmille6]

yup, there is a wiki just for this. its not hard.
https://github.com/telekom-security/tpotce/wiki/Reconfigure-logstash.conf

if you just have single honeypots go by the wiki.. if you are using a hive install (multiple honeypots -> one hive server) you modify the wiki a little. instead of modifying the logstash.conf you modify the http_input.conf.

i keep the elasticsearch output to the honeypot or hive, and add an additional output.. that way I can use the built in visualizations and stuff .. while also sending the data to another elk cluster for other kinds of analysis.. if you just want it to go to your new cluster.. just replace the output strings with where you want it to go.

# Output section
output {
#original elk stack for honeypot
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    # With templates now being legacy we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
    index => "logstash-%{+YYYY.MM.dd}"
    template => "/etc/logstash/tpot-template.json"
    template_overwrite => "true"
  }

#longterm sharable storage cluster
   elasticsearch {
       hosts => ["<your new server/cluster>:9200"] 
       index => "logstash-hive-1"
       template => "/etc/logstash/tpot-template.json"
       template_overwrite => "true"
       user => "yourUserForCluster"
       password => "hahahahahahhahahahaha1"
       action => "create" #if you're using a datastream index, don't have this line for a regular index
}
}

[MakoWish]

I am still in the planning phase of our honeypots, so I haven't looked into the actual configs or data yet. Does the data produced by T-Pot conform to the Elastic Common Schema (ECS)?

EDIT: Just looked, and absolutely not ECS-compliant. This would take a ton of work for production.