T-Pot Honeypot Integration 🐝
Integrate T-Pot with NxtFireGuard to forward Suricata alert logs. T-Pot stores its Suricata events in Elasticsearch but does not natively forward logs over HTTP, so this guide sets up a custom Logstash container that reads those events from Elasticsearch and sends them to NxtFireGuard.
Requirements
Ensure you have:
- ✅ A valid NxtFireGuard License Key
- ✅ T-Pot installed (Standalone or Distributed Setup)
For standalone T-Pot setups, complete these steps on every T-Pot installation.
For distributed T-Pot setups, perform this installation only on the main instance, i.e. the one where Elasticsearch runs.
Installation Steps
1. Access Your T-Pot Server
Connect via SSH (T-Pot moves the SSH daemon to port 64295 by default):
ssh <username>@<t-pot-ip> -p 64295
2. Download NxtFireGuard Threat Log Forwarder
- Visit NxtFireGuard GitHub Releases.
- Download the latest release:
wget <latest-release>
- Extract the files:
tar -xf <v.x.y>.tar.gz
- Navigate to the directory:
cd NxtFireGuard-Threat-Log-forwarder-<version>
3. Installation
- Make the installation script executable:
chmod +x install.sh
- Run the script:
sudo ./install.sh
- Follow the prompts. The values shown below are the guide's examples; the license key in particular is only a sample, so enter your own from the Account Dashboard. For the Elasticsearch prompts, enter the credentials your T-Pot Elasticsearch instance actually uses rather than accepting the defaults blindly.
Enter your License Key: (Available in Account Dashboard)
[your_license_key]: 4WPHKY3K-9RWJXKD3-VKLAUG96-E7N7ALMF
Name your Threat-Log-Forwarder:
[forwarder-name]: nfg-threat-log-fwd-01
Enable integration with Cisco-FMC and/or Cisco-ISE?
(y/n) [n]: n
Enable Logstash integration with T-Pot?
(y/n) [n]: y
Enter the URL for your Elasticsearch instance (default: http://elasticsearch:9200)
[http://elasticsearch:9200]:
Enter the Elasticsearch User (default: elastic)
[elastic]: user
Enter the Elasticsearch Password (default: changeme)
[changeme]: password
4. Post-Installation Steps
Log out and back in so the changes made by the installer take effect for your session, then start the service:
systemctl start nfg-threat-forwarder.service
5. Managing the Service
Control the service with:
systemctl status nfg-threat-forwarder.service # Check status
systemctl start nfg-threat-forwarder.service # Start
systemctl stop nfg-threat-forwarder.service # Stop
systemctl restart nfg-threat-forwarder.service # Restart
6. Configuration Management
Modify settings in .env and restart:
systemctl restart nfg-threat-forwarder.service
For the nfg-syslog container, update syslog/syslog-ng.conf:
vim syslog/syslog-ng.conf
Replace X_LICENSE_KEY with your actual key (the default value is a placeholder, not a working key):
@define X_LICENSE_KEY "YOUR-LICENSE-KEY"
Both .env and syslog/syslog-ng.conf carry your license key and the settings the installer collected, so keep them readable only by the account that runs the service.
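The following script is an added example for checking an installation after steps 3 to 6; it is not part of the NxtFireGuard forwarder release or of T-Pot. It verifies that the X_LICENSE_KEY placeholder in syslog/syslog-ng.conf was actually replaced, that .env is not readable by other users, that the systemd unit is active, and that Elasticsearch answers with the credentials given to the installer. The license-key format (four dash-separated groups of eight uppercase alphanumerics) is inferred from the example key shown in the guide, and the ES_URL/ES_USER/ES_PASS variables are this script's own, not names from the forwarder's .env.

```shell
#!/bin/sh
# nfg-check.sh: post-install sanity checks for the NxtFireGuard Threat Log Forwarder on T-Pot.
# Added example, not the forwarder's own tooling. Assumptions are marked inline.
set -u

SERVICE="nfg-threat-forwarder.service"                 # unit name from the install guide
SYSLOG_CONF="${SYSLOG_CONF:-syslog/syslog-ng.conf}"    # path from the guide, relative to the release dir
ENV_FILE="${ENV_FILE:-.env}"
PLACEHOLDER="YOUR-LICENSE-KEY"                         # default value shipped in syslog-ng.conf
ES_URL="${ES_URL:-http://elasticsearch:9200}"          # this script's variables, defaults from the installer prompts
ES_USER="${ES_USER:-elastic}"
ES_PASS="${ES_PASS:-changeme}"

# Key shape: four groups of eight [A-Z0-9] separated by dashes.
# Assumption inferred from the guide's example key; adjust if your keys differ.
license_key_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{8}(-[A-Z0-9]{8}){3}$'
}

# Print the value of the first `@define X_LICENSE_KEY "..."` line in a syslog-ng config.
conf_license_key() {
    sed -n 's/^@define[[:space:]]\{1,\}X_LICENSE_KEY[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if the placeholder was replaced with a well-formed key.
conf_key_ok() {
    key=$(conf_license_key "$1")
    [ -n "$key" ] && [ "$key" != "$PLACEHOLDER" ] && license_key_ok "$key"
}

# .env holds the license key and the installer's settings: owner-only access (600 or 400).
# Uses GNU stat, which is what a Debian-based T-Pot host provides.
env_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Elasticsearch reachable with the credentials given to the installer.
# Assumption: run from somewhere that can resolve the URL (inside the T-Pot docker
# network the default hostname is "elasticsearch"; from the host, set ES_URL).
es_reachable() {
    curl -fsS --max-time 5 -u "$2:$3" "$1/_cluster/health" >/dev/null
}

service_active() {
    systemctl is-active --quiet "$1"
}

main() {
    rc=0
    if conf_key_ok "$SYSLOG_CONF"; then echo "ok   $SYSLOG_CONF: X_LICENSE_KEY set"
    else echo "FAIL $SYSLOG_CONF: X_LICENSE_KEY still \"$PLACEHOLDER\" or malformed"; rc=1; fi
    if env_perms_ok "$ENV_FILE"; then echo "ok   $ENV_FILE: owner-only permissions"
    else echo "FAIL $ENV_FILE: missing or readable by group/others (chmod 600 $ENV_FILE)"; rc=1; fi
    if service_active "$SERVICE"; then echo "ok   $SERVICE active"
    else echo "FAIL $SERVICE not active (systemctl status $SERVICE)"; rc=1; fi
    if es_reachable "$ES_URL" "$ES_USER" "$ES_PASS"; then echo "ok   Elasticsearch reachable at $ES_URL"
    else echo "FAIL Elasticsearch at $ES_URL rejected the request or is unreachable"; rc=1; fi
    return "$rc"
}

# Run the checks only when invoked with --run, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from the extracted release directory as `ES_URL=http://<es-host>:<port> ES_USER=user ES_PASS=password sh nfg-check.sh --run`; a non-zero exit means at least one check failed and the line beginning with FAIL names which one.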
Next Steps
Return to Adding a Host to verify integration.
For support, contact us via this form.