Receiving logs from The-Hive sensor #1335
Unanswered
ristianhansen asked this question in Q&A
Replies: 2 comments
-
If this is a fresh install, fix is on the way shortly #1336.
0 replies
-
Thank you for replying so fast. It is a fresh install in VMware, with the tpot_amd64 iso (22.04).
0 replies
-
Hi,
I'm installing a distributed environment, where my plan is to deploy a tpot the-hive and X number of the-hive sensors.
Firstly I have installed t-pot and chose the "The-Hive" installation.
Output from the host running "The-Hive":

```
[ ========| System |======== ]
DATE: Wed 31 May 2023 10:32:24 AM UTC
UPTIME: 10:32:24 up 7 min, 1 user, load average: 0.47, 0.63, 0.37
T-POT: ACTIVE
BLACKHOLE: DISABLED
NAME STATUS PORTS
elasticsearch Up 7 minutes (healthy) 127.0.0.1:64298->9200/tcp
kibana Up 7 minutes (healthy) 127.0.0.1:64296->5601/tcp
logstash Up 7 minutes (healthy) 127.0.0.1:64305->64305/tcp
map_data Up 7 minutes
map_redis Up 7 minutes
map_web Up 7 minutes 127.0.0.1:64299->64299/tcp
nginx Up 7 minutes
spiderfoot Up 7 minutes (healthy) 127.0.0.1:64303->8080/tcp
```
After checking all services (dps.sh), I proceed to make a new host with the hive sensor.
Output from the host running "The-Hive-Sensor":

```
[ ========| System |======== ]
DATE: Wed 31 May 2023 10:43:21 AM UTC
UPTIME: 10:43:21 up 7 min, 1 user, load average: 2.00, 2.64, 1.40
T-POT: ACTIVE
BLACKHOLE: DISABLED
NAME STATUS PORTS
adbhoney Up 2 minutes (healthy) 0.0.0.0:5555->5555/tcp
ciscoasa Up 2 minutes 0.0.0.0:5000->5000/udp, 0.0.0.0:8443->8443/tcp
citrixhoneypot Up 2 minutes 0.0.0.0:443->443/tcp
conpot_guardian_ast Up 2 minutes (healthy) 0.0.0.0:10001->10001/tcp
conpot_iec104 Up 2 minutes (healthy) 0.0.0.0:161->161/udp, 0.0.0.0:2404->2404/tcp
conpot_ipmi Up 2 minutes (healthy) 0.0.0.0:623->623/udp
conpot_kamstrup_382 Up 2 minutes (healthy) 0.0.0.0:1025->1025/tcp, 0.0.0.0:50100->50100/tcp
cowrie Up 2 minutes 0.0.0.0:22-23->22-23/tcp
ddospot Up 2 minutes 0.0.0.0:19->19/udp, 0.0.0.0:53->53/udp, 0.0.0.0:123->123/udp, 0.0.0.0:1900->1900/udp
dicompot Up 2 minutes 0.0.0.0:11112->11112/tcp
dionaea Up 2 minutes (healthy) 0.0.0.0:20-21->20-21/tcp, 0.0.0.0:42->42/tcp, 0.0.0.0:81->81/tcp, 0.0.0.0:135->135/tcp, 0.0.0.0:445->445/tcp, 0.0.0.0:1433->1433/tcp, 0.0.0.0:1723->1723/tcp, 0.0.0.0:1883->1883/tcp, 0.0.0.0:3306->3306/tcp, 0.0.0.0:27017->27017/tcp, 0.0.0.0:69->69/udp
elasticpot Up 2 minutes 0.0.0.0:9200->9200/tcp
ewsposter Up 2 minutes
fatt Up 2 minutes
heralding Up 2 minutes 0.0.0.0:110->110/tcp, 0.0.0.0:143->143/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:995->995/tcp, 0.0.0.0:1080->1080/tcp, 0.0.0.0:5432->5432/tcp, 0.0.0.0:5900->5900/tcp
honeytrap Up 2 minutes
ipphoney Up 2 minutes 0.0.0.0:631->631/tcp
logstash Up 2 minutes (healthy)
mailoney Up 2 minutes 0.0.0.0:25->25/tcp
medpot Up 2 minutes 0.0.0.0:2575->2575/tcp
p0f Up 2 minutes
redishoneypot Up 2 minutes 0.0.0.0:6379->6379/tcp
sentrypeer Up 2 minutes 0.0.0.0:5060->5060/udp
snare Up 2 minutes 0.0.0.0:80->80/tcp
suricata Up 2 minutes
tanner Up 2 minutes
tanner_api Up 2 minutes
tanner_phpox Up 2 minutes
tanner_redis Up 2 minutes
```
After I have confirmed that both hosts and services are up and running, I proceed to deploy the-hive sensor to the hive through the "deploy.sh" script, which I am running from the host installed as "The-Hive-Sensor".
I use the tsec user with password + the IP address of the host running The-Hive. After completing the script, it confirms that the sensor has been deployed and I need to reboot the host.
On the host running the hive I can see there is an ssh connection with the-hive-sensor host (ps -aux | grep sshd):

```
root 13891 0.0 0.1 14492 8304 ? Ss 11:14 0:00 sshd: alivejail [priv]
aliveja+ 13914 0.0 0.0 14492 4676 ? S 11:14 0:00 sshd: alivejail
```

My problem is, after the reboot and when I'm trying to test the setup, no logs are being forwarded from the-hive-sensor to logstash run by the-hive. I have followed the guide for installing in a distributed environment, but can't seem to figure out what I'm doing wrong since no logs are showing up in logstash/kibana. I have confirmed that the logs are present on "the-hive-sensor" at e.g. /data/cowrie/logs.
Is it because I need to edit the logstash.conf? In that case would it be hostip:9200? (https://github.com/telekom-security/tpotce/wiki/Reconfigure-logstash.conf)
Any help would be appreciated.
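The question already contains the three pieces of evidence a practitioner would check when a sensor stays silent: the hive's dps.sh output (logstash bound only to 127.0.0.1:64305, Elasticsearch only to 127.0.0.1:64298), the sensor's dps.sh output (its own logstash healthy), and the sshd session for the deploy user on the hive. The script below is an added example, not code from the tpotce project or from the poster; it parses exactly those outputs (the samples are copied from the question, a live run would pipe the real commands in) and reports whether the setup has the expected shape. It assumes the sensor's data travels through that SSH session to the hive's loopback logstash listener, so the checks treat a loopback-only binding as correct and an Elasticsearch port exposed on 0.0.0.0 as a misconfiguration rather than a fix; the log-directory path is a placeholder.

```python
"""Shape checks for a T-Pot hive/sensor pair, parsed from dps.sh and
`ps aux | grep sshd` output. Added example; not part of tpotce."""
import os
import re
import time

# Constructed samples, copied from the dps.sh and ps output in the question.
HIVE_DPS = """\
elasticsearch Up 7 minutes (healthy) 127.0.0.1:64298->9200/tcp
kibana Up 7 minutes (healthy) 127.0.0.1:64296->5601/tcp
logstash Up 7 minutes (healthy) 127.0.0.1:64305->64305/tcp
map_data Up 7 minutes
nginx Up 7 minutes
"""
SENSOR_DPS = """\
cowrie Up 2 minutes 0.0.0.0:22-23->22-23/tcp
dionaea Up 2 minutes (healthy) 0.0.0.0:20-21->20-21/tcp, 0.0.0.0:445->445/tcp
logstash Up 2 minutes (healthy)
suricata Up 2 minutes
"""
PS_SSHD = """\
root 13891 0.0 0.1 14492 8304 ? Ss 11:14 0:00 sshd: alivejail [priv]
aliveja+ 13914 0.0 0.0 14492 4676 ? S 11:14 0:00 sshd: alivejail
"""

# One dps.sh container line: NAME STATUS [PORTS]; PORTS always starts with an IPv4 bind address.
_DPS_LINE = re.compile(r"^(\S+)\s+(Up\b.*?)(?:\s+((?:\d{1,3}\.){3}\d{1,3}:.*))?$")


def parse_dps(text):
    """Return {container: (status, ports)}; banner and header lines are ignored."""
    services = {}
    for line in text.splitlines():
        m = _DPS_LINE.match(line.strip())
        if m:
            name, status, ports = m.groups()
            services[name] = (status, ports or "")
    return services


def _healthy(status):
    return status.startswith("Up") and "(unhealthy)" not in status


def _loopback_only(ports):
    """True when the container publishes ports and none of them bind 0.0.0.0."""
    return bool(ports) and "0.0.0.0:" not in ports


def hive_checks(dps_text):
    """Checks the hive must pass before a sensor can deliver anything to it."""
    s = parse_dps(dps_text)
    ls_status, ls_ports = s.get("logstash", ("", ""))
    es_status, es_ports = s.get("elasticsearch", ("", ""))
    return {
        "logstash_up": _healthy(ls_status),
        # The tunnel from the sensor terminates on this loopback listener (64305 in the question).
        "logstash_listens_64305": ":64305->" in ls_ports and _loopback_only(ls_ports),
        "elasticsearch_up": _healthy(es_status),
        # Sensor data arrives via the tunnel; 9200 stays on loopback and is never the fix.
        "elasticsearch_loopback_only": _loopback_only(es_ports),
    }


def sensor_checks(dps_text):
    """The sensor needs its own logstash healthy and something producing events."""
    s = parse_dps(dps_text)
    ls_status, _ = s.get("logstash", ("", ""))
    others = [n for n, (st, _) in s.items() if n != "logstash" and _healthy(st)]
    return {"logstash_up": _healthy(ls_status), "containers_up": len(others)}


def sshd_sessions(ps_text, user):
    """PIDs of the unprivileged sshd session processes for `user` ('[priv]' parents excluded)."""
    pat = re.compile(r"^\S+\s+(\d+)\s.*\bsshd: " + re.escape(user) + r"\s*$")
    return [int(m.group(1)) for m in (pat.match(l) for l in ps_text.splitlines()) if m]


def fresh_entries(entries, now, max_age_s=600):
    """Names from [(name, mtime), ...] modified within max_age_s seconds of `now`."""
    return [n for n, mtime in entries if now - mtime <= max_age_s]


def scan_log_dir(path, max_age_s=600):
    """Live wrapper around fresh_entries for a honeypot log directory (path is a placeholder)."""
    entries = [(f, os.path.getmtime(os.path.join(path, f))) for f in os.listdir(path)]
    return fresh_entries(entries, time.time(), max_age_s)


if __name__ == "__main__":
    print("hive:", hive_checks(HIVE_DPS))
    print("sensor:", sensor_checks(SENSOR_DPS))
    print("sensor sshd sessions on hive:", sshd_sessions(PS_SSHD, "alivejail"))
```

On a live pair, replace the three constants with the real command output (`dps.sh` on each host, `ps aux | grep sshd` on the hive) and call `scan_log_dir` with the sensor's honeypot log directory; a hive where every check is true and a sensor whose logs are fresh but never arrive points at the forwarding path itself rather than at the port bindings, which is consistent with the maintainer's reply that a fix was pending.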