# This filebeat parser is used with 
# for DShield honeypot

# 29 Dec 2023
# Version: 1.0

filebeat.inputs:

# Parsing Honeypot Cowrie logs for DShield
- type: filestream

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /srv/cowrie/var/log/cowrie/cowrie.json*

  # Change to true to enable this input configuration.
  enabled: true
  parsers:
    - ndjson:
      message_key: message
      key_under_root: true


# Parsing webhoneypot logs for DShield
- type: filestream

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /srv/db/webhoneypot*.json

  # Change to true to enable this input configuration.
  enabled: true
  parsers:
    - ndjson:
      message_key: message
      key_under_root: true

# Firewall logs for dshield
- type: log
  enabled: true
  paths:
    - "/var/log/dshield.log"
  fields_under_root: true
  fields:
    region: Ottawa

#==================== Queued Event ====================
#queue.mem:
#  events: 4096
#  flush.min_events: 512
#  flush.timeout: 5s

#queue.disk:
#  path: "/op/filebeat/diskqueue"
#  max_size: 10GB

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

#==================== Output Event ====================
output.logstash:
  hosts: ["192.168.25.23:5044"]
#  codec.json:
#    pretty: true

#output.console:
#  pretty: true
#  enable: true