log_json

This ihandler can submit information about attacks/connections encoded as JSON.

Warning

This ihandler is in pre alpha state and it might be changed or removed in the near future.

Configure

flat_data

Set to true to flatten object lists.

handlers

List of URLs to submit the information to. At the moment only the file, http and https URL schemes are supported.

Format

Format of the connection information:

{
    "connection": {
        "local": {
            "address": "<string:local ip address>",
            "port": <integer:local port>
        },
        "protocol": "<string:service name e.g. httpd>",
        "remote": {
            "address": "<string:remote ip address>",
            "port": <integer:remote port>,
            "hostname": "<string:hostname of the remote host>"
        },
        "transport": "<string:transport protocol e.g. tcp or udp>",
        "type": "<string:connection type e.g. accepted, listen, ...>"
    }
}
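A consumer for records in the format above, added here as an illustration and not part of dionaea: it validates each record against the documented shape, rejects malformed lines, and flattens the nested objects into dotted keys of the kind log pipelines such as ELK prefer. It assumes the file handler writes one JSON object per line; the sample lines are constructed, and the flattening is a stand-in for what the flat_data option is meant to achieve, not the handler's own implementation.

```python
import json

# Constructed sample in the documented connection format, one JSON object per line
# (assumed output shape of the file handler); the third line is not JSON and the fourth has an out-of-range port.
SAMPLE_LOG = """\
{"connection": {"local": {"address": "10.0.0.5", "port": 445}, "protocol": "smbd", "remote": {"address": "198.51.100.7", "port": 51234, "hostname": ""}, "transport": "tcp", "type": "accepted"}}
{"connection": {"local": {"address": "10.0.0.5", "port": 21}, "protocol": "ftpd", "remote": {"address": "203.0.113.9", "port": 40001, "hostname": "scanner.example"}, "transport": "tcp", "type": "accepted"}}
this line is not json
{"connection": {"local": {"address": "10.0.0.5", "port": 70000}, "protocol": "httpd", "remote": {"address": "203.0.113.9", "port": 1, "hostname": ""}, "transport": "tcp", "type": "accepted"}}
"""

# String fields required on each endpoint, in addition to the integer "port".
ENDPOINT_FIELDS = {"local": ("address",), "remote": ("address", "hostname")}

def validate_connection(record):
    """Return record['connection'] if it has the documented shape, else raise ValueError."""
    conn = record.get("connection") if isinstance(record, dict) else None
    if not isinstance(conn, dict):
        raise ValueError("missing 'connection' object")
    for side, str_fields in ENDPOINT_FIELDS.items():
        end = conn.get(side)
        if not isinstance(end, dict):
            raise ValueError(f"missing '{side}' endpoint")
        port = end.get("port")
        if isinstance(port, bool) or not isinstance(port, int) or not 0 <= port <= 65535:
            raise ValueError(f"bad {side} port: {port!r}")
        for field in str_fields:
            if not isinstance(end.get(field), str):
                raise ValueError(f"bad '{side}.{field}'")
    for key in ("protocol", "transport", "type"):
        if not isinstance(conn.get(key), str):
            raise ValueError(f"bad '{key}'")
    return conn

def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into dotted keys (illustrates the flat_data idea; not the handler's code)."""
    if isinstance(obj, dict):
        return {k2: v2 for k, v in obj.items() for k2, v2 in flatten(v, f"{prefix}{k}.").items()}
    if isinstance(obj, list):
        return {k2: v2 for i, v in enumerate(obj) for k2, v2 in flatten(v, f"{prefix}{i}.").items()}
    return {prefix.rstrip("."): obj}

def load_connections(text):
    """Parse log text line by line; return (list of flattened valid records, count of rejected lines)."""
    records, rejected = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            records.append(flatten(validate_connection(json.loads(line))))
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            rejected += 1
    return records, rejected
```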

Example config

ihandlers/log_json.yaml
- name: log_json
  config:
    # Uncomment next line to flatten object lists to work with ELK
    # flat_data: true
    handlers:
      #- http://127.0.0.1:8080/
      - file://@LOCALESTATEDIR@/dionaea/dionaea.json