T-Pot Integration Guide
T-Pot is an all-in-one honeypot platform developed by Deutsche Telekom Security that combines multiple honeypot daemons and tools for threat intelligence gathering. This guide walks you through integrating T-Pot with NxtFireGuard using a Feed Aggregator.
Prerequisites
- A running T-Pot instance
- Access to T-Pot's Elasticsearch endpoint
Integration Architecture
T-Pot logs all attack data to its internal Elasticsearch instance. To integrate with NxtFireGuard, a Feed Aggregator running a Logstash container will:
- Pull events from T-Pot's Elasticsearch
- Transform the data into NxtFireGuard's format
- Forward threat events to NxtFireGuard's ingestion endpoint
Supported Honeypot Daemons
Not all T-Pot honeypot daemons are currently supported. The following are processed by NxtFireGuard:
| Honeypot |
|---|
| Adbhoney |
| CiscoASA Honeypot |
| Conpot |
| Cowrie |
| Dicompot |
| Dionaea |
| ElasticPot |
| Heralding |
| HoneyAML |
| IPPHoney |
| RedisHoneypot |
| SentryPeer |
| Snare / Tanner |
Events from unsupported daemons will not be processed even if they appear in T-Pot's Elasticsearch.
Setup Instructions
Step 1: Create or Configure a Feed Aggregator
You have two options depending on your current setup:
Option A: Create a New Feed Aggregator
If you don't have an existing aggregator:
- Navigate to Feed Aggregators under Data Ingestion in the sidebar.
- Click Create Aggregator and give it a descriptive name (e.g., "T-Pot Aggregator").
- Proceed through the setup wizard and enable Run Logstash Container in Step 3 of the wizard.
- Complete the creation process.
- Locate your newly created aggregator, click Edit, then click View Instructions and follow the installation guide.
Note: When starting the Logstash container for the first time, it may take a while to appear due to the size of the Logstash Docker image.
Option B: Use an Existing Feed Aggregator
If you already have a Feed Aggregator (for example, one used for Cisco FTD or Cisco ISE):
- Navigate to Feed Aggregators and locate your existing aggregator.
- Click Edit and enable Run Logstash Container if not already enabled.
- Save the changes, then click Logs to verify the Logstash container started successfully.
Note: A single Feed Aggregator can run both Logstash and Syslog containers simultaneously, so you can aggregate T-Pot and Cisco devices through the same aggregator.
Step 2: Verify Hostname Matching
The Threat Sensor hostname must exactly match your T-Pot instance hostname — this is required for correct event correlation.
- Check your T-Pot instance hostname.
- Go to Threat Sensors, find your T-Pot sensor, and click Edit.
- Confirm the Threat Sensor Hostname field matches exactly, including casing.
Step 3: Verify Data Flow
After completing the setup:
- Wait 5-10 minutes for the pipeline to come up and begin delivering events.
- Navigate to Threat Events in the sidebar.
- Check for incoming events from your T-Pot instance.
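As an added example (not part of this guide, NxtFireGuard or the T-Pot project), the following Python script runs the checks behind Steps 2 and 3 directly against T-Pot's Elasticsearch: it counts recent events per honeypot daemon, flags the ones the table above says will not be processed, and verifies that the hostname T-Pot stamps on its events matches the Threat Sensor hostname exactly, casing included. The index pattern `logstash-*` and the fields `type` and `t-pot_hostname` are assumptions based on T-Pot's default Logstash output; confirm them on your instance before relying on the report.

```python
import json
import sys
import urllib.request

# Honeypot daemons this guide lists as processed by NxtFireGuard (lowercased).
SUPPORTED = {
    "adbhoney", "ciscoasa", "conpot", "cowrie", "dicompot", "dionaea",
    "elasticpot", "heralding", "honeyaml", "ipphoney", "redishoneypot",
    "sentrypeer", "snare", "tanner",
}

# Assumed T-Pot index pattern and field names; check them against your instance.
INDEX = "logstash-*"
TYPE_FIELD = "type.keyword"
HOST_FIELD = "t-pot_hostname.keyword"

def build_query(hours=1):
    """Aggregate the last `hours` of events by honeypot type and by T-Pot hostname."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{hours}h"}}},
        "aggs": {
            "by_type": {"terms": {"field": TYPE_FIELD, "size": 50}},
            "by_host": {"terms": {"field": HOST_FIELD, "size": 10}},
        },
    }

def evaluate(response, sensor_hostname):
    """Split event counts into supported/unsupported daemons and check the hostname."""
    report = {"supported": {}, "unsupported": {}, "hosts": [], "hostname_ok": False}
    for b in response["aggregations"]["by_type"]["buckets"]:
        key = "supported" if b["key"].lower() in SUPPORTED else "unsupported"
        report[key][b["key"]] = b["doc_count"]
    report["hosts"] = [b["key"] for b in response["aggregations"]["by_host"]["buckets"]]
    # Step 2: the Threat Sensor hostname must match exactly, casing included.
    report["hostname_ok"] = sensor_hostname in report["hosts"]
    return report

def check(es_url, sensor_hostname, hours=1):
    """Query T-Pot's Elasticsearch and return the evaluation report."""
    body = json.dumps(build_query(hours)).encode()
    req = urllib.request.Request(f"{es_url}/{INDEX}/_search", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return evaluate(json.load(resp), sensor_hostname)

if __name__ == "__main__":
    # Usage: python tpot_check.py http://<tpot-host>:<es-port> <sensor-hostname>
    print(json.dumps(check(sys.argv[1], sys.argv[2]), indent=2))
```

If `unsupported` is non-empty those events are expected to be absent from Threat Events, and a false `hostname_ok` with a near-identical entry in `hosts` points at the casing mismatch Step 2 warns about.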
Additional Resources
- T-Pot Documentation: https://github.com/telekom-security/tpotce
For integration issues, reach out via the contact form.