
T-Pot Honeypot Integration

Currently, NxtFireGuard supports integrating Suricata logs from T-Pot, specifically those containing the alert field. Follow the steps below to get your T-Pot setup connected and sending logs to NxtFireGuard.

T-Pot does not support sending logs to an HTTP destination directly, so we use a custom Logstash container that reads the Suricata events from T-Pot's Elasticsearch and forwards them to the NxtFireGuard collector over HTTPS. The resulting setup looks like this: [Diagram: T-Pot Overview]


Requirements

Before you start, make sure you have:

  • ✅ A valid NxtFireGuard License Key.
  • ✅ T-Pot installed, either as a standalone (HIVE) installation or as a distributed setup.

For standalone T-Pot setups, these steps should be completed on each T-Pot installation.
For distributed T-Pot setups, perform this installation only on the main instance where Elasticsearch is installed.


Installation Steps

Step 1: Access Your T-Pot Server 🖥️

Connect to your T-Pot server via SSH:

ssh <username>@<t-pot-ip> -p 64295

Step 2: Download the NxtFireGuard Log Forwarder 📥

Download the latest release of the NxtFireGuard-Syslog-forwarder:

wget https://github.com/NxtGenIT/NxtFireGuard-Syslog-forwarder/archive/refs/heads/main.zip

Step 3: Unzip the Downloaded File 📂

Extract the contents of the downloaded file:

unzip main.zip && cd NxtFireGuard-Syslog-forwarder-main

If you don't have unzip installed, you can install it on Ubuntu or Debian using:

sudo apt install unzip

Step 4: Configure the Environment Variables 🛠️

  1. Rename the environment file:

    mv .env.example .env

  2. Edit the environment file to set up your environment variables. Use a text editor of your choice (e.g., VIM):

    vim .env

    In this file, set the following variables:

    ELK_URL=http://elasticsearch:9200  
    ELK_USER=elastic
    ELK_PASSWORD=changeme
    DESTINATION_URL=https://collector.nxtfireguard.de/t-pot
    X_LICENSE_KEY=your_license_key

    Note: ELK_URL and DESTINATION_URL are preset for standard T-Pot installations. You only need to update ELK_USER, ELK_PASSWORD, and X_LICENSE_KEY.


Step 5: Start the Log Forwarder Container 🚀

Run the following command to start the Log Forwarder container:

docker compose up nfg-logstash -d
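As an added example (not code from this page or from the NxtFireGuard-Syslog-forwarder project), here is a small POSIX shell script that checks the .env from Step 4 before you run Step 5 and shows the container's state afterwards. It assumes the five keys exactly as listed in Step 4, written as unquoted KEY=value lines; the function names and the script file name are my own choice.

```shell
#!/bin/sh
# Added example for this page (not part of the NxtFireGuard-Syslog-forwarder
# project): sanity-check the .env from Step 4 before starting the container in
# Step 5, then look at the container once it is up. Function names are mine.
set -eu

# Keys the forwarder's .env must define, as listed in Step 4.
REQUIRED_KEYS="ELK_URL ELK_USER ELK_PASSWORD DESTINATION_URL X_LICENSE_KEY"

# prepare_env DIR: Step 4.1, but only when no .env exists yet, so re-running
# the script never overwrites a file that was already edited.
prepare_env() {
  if [ ! -e "$1/.env" ] && [ -e "$1/.env.example" ]; then
    mv "$1/.env.example" "$1/.env"
  fi
  [ -e "$1/.env" ]
}

# read_env_value FILE KEY: print KEY's value (last occurrence wins; unquoted
# KEY=value lines as in Step 4). Returns 1 when KEY is absent or empty.
read_env_value() {
  local file="$1" key="$2" value
  value=$(grep -E "^[[:space:]]*${key}=" "$file" | tail -n 1 | cut -d= -f2- \
          | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
  [ -n "$value" ] || return 1
  printf '%s\n' "$value"
}

# check_env FILE: 0 when every required key is set, no placeholder value from
# .env.example is left in place, and the collector URL uses https (so the
# license key and the alert data are not sent in clear). Prints each problem.
check_env() {
  local file="$1" key value problems=0
  if [ ! -f "$file" ]; then
    echo "$file not found (Step 4.1: mv .env.example .env)"
    return 1
  fi
  for key in $REQUIRED_KEYS; do
    if ! value=$(read_env_value "$file" "$key"); then
      echo "$key is not set"
      problems=$((problems + 1))
      continue
    fi
    case "$key=$value" in
      ELK_PASSWORD=changeme|X_LICENSE_KEY=your_license_key)
        echo "$key still has the placeholder value from .env.example"
        problems=$((problems + 1)) ;;
      DESTINATION_URL=https://*) ;;
      DESTINATION_URL=*)
        echo "DESTINATION_URL must use https://, got: $value"
        problems=$((problems + 1)) ;;
    esac
  done
  [ "$problems" -eq 0 ]
}

# show_forwarder_status: after Step 5, confirm the container is running and
# read its recent log lines for Elasticsearch or collector connection errors.
show_forwarder_status() {
  docker compose ps nfg-logstash
  docker compose logs --tail=50 nfg-logstash
}

# Usage: sh check-forwarder-env.sh /path/to/NxtFireGuard-Syslog-forwarder-main
# (the checks only run when a directory is given, so the functions can be sourced)
if [ $# -gt 0 ]; then
  prepare_env "$1"
  check_env "$1/.env"
  echo "$1/.env looks good; start the forwarder with: docker compose up nfg-logstash -d"
fi
```

Run it from the unzipped forwarder directory before Step 5; once the container is up, call show_forwarder_status from the same directory (docker compose needs the project's compose file in the working directory) to confirm it stayed running and did not log authentication or connection failures.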

Next Steps

Once the setup is complete, you can return to the Adding a Host section to verify the connection in NxtFireGuard.


For any questions or issues, feel free to reach out to our support team via this Contact Form.