
T-Pot Honeypot Integration 🐝

Integrate T-Pot with NxtFireGuard to forward Suricata logs efficiently. This guide will help you set up a custom Logstash container to send logs, as T-Pot doesn’t natively support HTTP log forwarding.

T-Pot Overview


Requirements

Ensure you have:

  • ✅ A valid NxtFireGuard License Key
  • T-Pot installed (Standalone or Distributed Setup)

For standalone T-Pot setups, these steps should be completed on each T-Pot installation.
For distributed T-Pot setups, perform this installation only on the main instance where Elasticsearch is installed.


Installation Steps

1. Access Your T-Pot Server

Connect via SSH:

ssh <username>@<t-pot-ip> -p 64295  

2. Download NxtFireGuard Threat Log Forwarder

  1. Visit NxtFireGuard GitHub Releases.

  2. Download the latest release:

    wget <latest-release>
  3. Extract the files:

    tar -xf <v.x.y>.tar.gz
  4. Navigate to the directory:

    cd NxtFireGuard-Threat-Log-forwarder-<version>

3. Installation

  1. Make the installation script executable:

    chmod +x install.sh
  2. Run the script:

    sudo ./install.sh
  3. Follow the prompts:

    • Enter your License Key: (Available in Account Dashboard)

      [your_license_key]: 4WPHKY3K-9RWJXKD3-VKLAUG96-E7N7ALMF
    • Name your Threat-Log-Forwarder:

      [forwarder-name]: nfg-threat-log-fwd-01
    • Enable integration with Cisco-FMC and/or Cisco-ISE?

      (y/n) [n]: n
    • Enable Logstash integration with T-Pot?

      (y/n) [n]: y
    • Enter the URL for your Elasticsearch instance (default: http://elasticsearch:9200)

      [http://elasticsearch:9200]:
    • Enter the Elasticsearch User (default: elastic)

      [elastic]: user
    • Enter the Elasticsearch Password (default: changeme)

      [changeme]: password

4. Post-Installation Steps

Log out and back in to apply changes. Start the service:

systemctl start nfg-threat-forwarder.service

5. Managing the Service

Control the service with:

systemctl status nfg-threat-forwarder.service    # Check status
systemctl start nfg-threat-forwarder.service     # Start
systemctl stop nfg-threat-forwarder.service      # Stop
systemctl restart nfg-threat-forwarder.service   # Restart

6. Configuration Management

Modify settings in .env and restart:

systemctl restart nfg-threat-forwarder.service

For the nfg-syslog container, update syslog/syslog-ng.conf:

vim syslog/syslog-ng.conf

Replace X_LICENSE_KEY with your actual key:

@define X_LICENSE_KEY "YOUR-LICENSE-KEY"
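The installer prompts in step 3 take the Elasticsearch URL and credentials on trust, and the syslog-ng.conf edit above fails silently if the placeholder key is left in place. The script below is an added example (not part of the NxtFireGuard installer or T-Pot) that checks those three things before the service is started: that the URL has the http(s)://host:port shape, that Elasticsearch answers with those credentials, and that syslog/syslog-ng.conf no longer carries the literal "YOUR-LICENSE-KEY" placeholder. The file path and placeholder string come from this guide; the function names, the use of curl, and the expectation of an HTTP 200 from the Elasticsearch root endpoint are assumptions made for this example.

```shell
#!/usr/bin/env bash
# nfg-preflight.sh: checks run before starting nfg-threat-forwarder.service.
# Example script added to this guide; not part of NxtFireGuard or T-Pot.
# Assumed: curl is installed, Elasticsearch returns HTTP 200 on "/" when the
# basic-auth credentials are accepted, and the config path below matches the
# install directory layout described in the guide.

# es_url_valid URL -> 0 when URL looks like http(s)://host:port[/path]
es_url_valid() {
    case "$1" in
        http://*:[0-9]*|https://*:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# license_placeholder_present FILE -> 0 when the syslog-ng config still carries
# the unreplaced placeholder from the guide (the forwarder would send no valid key)
license_placeholder_present() {
    grep -q '@define X_LICENSE_KEY "YOUR-LICENSE-KEY"' "$1"
}

# es_reachable URL USER PASS -> 0 when Elasticsearch answers 200 with these credentials
es_reachable() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -u "$2:$3" "$1" 2>/dev/null) || return 1
    [ "$code" = "200" ]
}

# preflight URL USER PASS [CONFIG] -> 0 when every check passes, 1 otherwise
preflight() {
    url=$1; user=$2; pass=$3; conf=${4:-syslog/syslog-ng.conf}
    rc=0
    if es_url_valid "$url"; then
        echo "ok:  Elasticsearch URL has expected form: $url"
    else
        echo "bad: Elasticsearch URL must be http(s)://host:port, got: $url"; rc=1
    fi
    if es_reachable "$url" "$user" "$pass"; then
        echo "ok:  Elasticsearch reachable as user '$user'"
    else
        echo "bad: Elasticsearch not reachable or credentials rejected"; rc=1
    fi
    if [ ! -f "$conf" ]; then
        echo "bad: $conf not found (run from the forwarder install directory)"; rc=1
    elif license_placeholder_present "$conf"; then
        echo "bad: $conf still contains the YOUR-LICENSE-KEY placeholder"; rc=1
    else
        echo "ok:  license key set in $conf"
    fi
    return $rc
}

# Usage: ./nfg-preflight.sh http://elasticsearch:9200 elastic changeme
if [ -n "${1:-}" ]; then
    preflight "$@"
fi
```

Run it from the NxtFireGuard-Threat-Log-forwarder-&lt;version&gt; directory with the same URL, user and password you gave the installer; a non-zero exit means at least one of the inputs needs fixing before `systemctl start nfg-threat-forwarder.service`.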

Next Steps

Return to Adding a Host to verify integration.

For support, contact us via this form.