Reconfigure logstash.conf

Reconfigure `logstash.conf` to transmit data to other destination.

1. Extract `logstash.conf` from running container:

docker exec -it logstash bash
cd /etc/logstash/
cp logstash.conf /data/elk/logstash.conf
exit

2. Stop T-Pot service

systemctl stop tpot

3. Adjust `logstash.conf` to your needs:

vi /data/elk/logstash.conf

[...]
# Output section         
output {    
  elasticsearch {                                        
    hosts => ["elasticsearch:9200"]
#    document_type => "doc"                    
  }                   
                 
  if [type] == "Suricata" {         
      file {                             
        file_mode => 0760                                                                                                                                                                                                                        
        path => "/data/suricata/log/suricata_ews.log"
      }             
  }                                    
  # Debug output                       
  #if [type] == "XYZ" {                                                                                                                                                                                                                          
  #  stdout {
  #    codec => rubydebug                
  #  }                                      
  #}                                     
  # Debug output                  
  #stdout {         
  #  codec => rubydebug      
  #}    
                                                  
}
[...]

4. Set correct permissions:

chmod 760 /data/elk/logstash.conf
chown tpot:tpot /data/elk/logstash.conf

5. Adjust `tpot.yml` by adding docker volume for `logstash.conf`:

vi /opt/tpot/etc/tpot.yml

[...]
## Logstash service
  logstash:
    container_name: logstash
    restart: always
    depends_on:
      elasticsearch:
        condition: service_healthy
    env_file:
     - /opt/tpot/etc/compose/elk_environment
    image: "dtagdevsec/logstash:1903"
    volumes:
     - /data:/data
     - /data/elk/logstash.conf:/etc/logstash/logstash.conf
[...]

6. Start T-Pot service

systemctl start tpot

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reconfigure logstash.conf

Reconfigure `logstash.conf` to transmit data to other destination.

1. Extract `logstash.conf` from running container:

2. Stop T-Pot service

3. Adjust `logstash.conf` to your needs:

4. Set correct permissions:

5. Adjust `tpot.yml` by adding docker volume for `logstash.conf`:

6. Start T-Pot service

Clone this wiki locally

Reconfigure logstash.conf

Reconfigure logstash.conf to transmit data to other destination.

1. Extract logstash.conf from running container:

2. Stop T-Pot service

3. Adjust logstash.conf to your needs:

4. Set correct permissions:

5. Adjust tpot.yml by adding docker volume for logstash.conf:

6. Start T-Pot service

Clone this wiki locally

Reconfigure `logstash.conf` to transmit data to other destination.

1. Extract `logstash.conf` from running container:

3. Adjust `logstash.conf` to your needs:

5. Adjust `tpot.yml` by adding docker volume for `logstash.conf`: