mushorg / glutton

Generic Low Interaction Honeypot
MIT License

double "msg" key blocks SIEM ingestion #148

Closed maikroservice closed 1 year ago

maikroservice commented 1 year ago

I recently tried out glutton and I like it a lot, the only thing that I feel others might also benefit from is the following:

When trying to load glutton logs into a SIEM of your choice, most likely the SIEM will be unhappy about the usage of "msg" twice, once for the telnet message and once in the general part of the log message (see screenshot below).

I assume this would be a simple fix in line 88/114 of telnet.go? (https://github.com/mushorg/glutton/blob/04ccf8459003c477c36624b14af276ea5b4be2dc/protocols/telnet.go#L88)

If so I would try my hands on a pull request and rename the logged parameter to message?

[Screenshot 2023-02-05 at 22:03:44: glutton log line showing the "msg" key twice]
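The problem described in the report is worth checking for before any log line reaches the SIEM, because Go's own `encoding/json` never complains about a repeated key: `Unmarshal` silently keeps the last value, so the clash only surfaces in a stricter downstream parser. The following Go program is an added example, not glutton's code and not from the glutton maintainers; it walks a log line token by token and reports every key that occurs more than once in the same JSON object, then shows which value Go would keep. The sample line is constructed for the example and its field names (`level`, `ts`, `handler`, `src_ip`) are assumptions, not glutton's actual schema; only the duplicated `msg` key comes from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample line, modelled on the issue: one "msg" carrying the telnet
// payload and a second "msg" carrying the event description. The other field
// names are assumptions for the example, not glutton's real log schema.
const sampleLine = `{"level":"info","ts":1675631024.5,"handler":"telnet","msg":"login: ","src_ip":"203.0.113.7","msg":"new telnet session"}`

// DuplicateKeys parses one JSON log line with json.Decoder tokens and returns
// every object key that appears more than once within the same object, as a
// dotted path ("msg" at the top level, "meta.msg" when nested, "items[].k"
// inside an array of objects). An empty slice means the line is safe to ship.
func DuplicateKeys(line string) ([]string, error) {
	dec := json.NewDecoder(strings.NewReader(line))
	dups := []string{}
	if err := walk(dec, "", &dups); err != nil {
		return nil, err
	}
	return dups, nil
}

// walk consumes exactly one JSON value from the decoder. Objects get a
// per-object "seen" set so a key repeated in a sibling object is not reported.
func walk(dec *json.Decoder, path string, dups *[]string) error {
	tok, err := dec.Token()
	if err != nil {
		return err
	}
	delim, ok := tok.(json.Delim)
	if !ok {
		return nil // scalar (string, number, bool, null): nothing to check
	}
	switch delim {
	case '{':
		seen := map[string]bool{}
		for dec.More() {
			keyTok, err := dec.Token()
			if err != nil {
				return err
			}
			key := keyTok.(string) // inside an object, Token returns keys as string
			full := key
			if path != "" {
				full = path + "." + key
			}
			if seen[key] {
				*dups = append(*dups, full)
			}
			seen[key] = true
			if err := walk(dec, full, dups); err != nil { // the key's value
				return err
			}
		}
		_, err = dec.Token() // consume the closing '}'
		return err
	case '[':
		for dec.More() {
			if err := walk(dec, path+"[]", dups); err != nil {
				return err
			}
		}
		_, err = dec.Token() // consume the closing ']'
		return err
	}
	return nil
}

// LastWins shows how encoding/json resolves the clash on the Go side:
// Unmarshal keeps the last value seen for a repeated key and drops the earlier
// one without returning an error, so the telnet payload is lost silently.
func LastWins(line string) (string, error) {
	var m map[string]any
	if err := json.Unmarshal([]byte(line), &m); err != nil {
		return "", err
	}
	v, _ := m["msg"].(string)
	return v, nil
}

func main() {
	dups, err := DuplicateKeys(sampleLine)
	if err != nil {
		panic(err)
	}
	fmt.Println("duplicate keys:", dups)
	v, _ := LastWins(sampleLine)
	fmt.Println("value Go's Unmarshal keeps for msg:", v)
}
```

Running the check over a batch of lines before forwarding them is the quickest way to see whether the rename proposed in the issue (logging the telnet payload under `message` instead of `msg`) has removed the clash; `json.Decoder` has no strict mode for duplicate keys, so the token walk is the only way to detect them from Go itself.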

glaslos commented 1 year ago

Thanks a lot for this feedback. The only consumer I was aware of is T-Pot and they consume the hpfeeds format (IIRC). Keep it coming 🙂