{"id":261,"date":"2024-01-13T08:46:28","date_gmt":"2024-01-13T16:46:28","guid":{"rendered":"https:\/\/francisco.x10.bz\/blog\/?p=261"},"modified":"2025-01-13T09:44:45","modified_gmt":"2025-01-13T17:44:45","slug":"honeypot-installation-revisited-ditching-splunk-for-mysql","status":"publish","type":"post","link":"https:\/\/defrancisco.us\/blog\/index.php\/2024\/01\/13\/honeypot-installation-revisited-ditching-splunk-for-mysql\/","title":{"rendered":"Honeypot Installation Revisited: Ditching Splunk for MySQL"},"content":{"rendered":"<p>Back on July 22, 2023, I wrote a <a href=\"\/blog\/index.php\/2023\/07\/22\/installing-and-configuring-a-honeypot\/\" title=\"blog post\">blog post<\/a> describing how to install the Cowrie honeypot and use Splunk Enterprise as its data repository. Although proprietary, Splunk is free if you keep your data volume under 500 MB per day. That solution worked fine for about six months, but then one day the honeypot experienced a spike in traffic of 2.5 TB, which allowed me to see the ugly side of the freemium business model and Splunk&#8217;s heavy-handed approach to user management: <em>&quot;pay up or be blocked for a month.&quot;<\/em> As both options were unacceptable to me, I decided to migrate my data to a free and open-source solution that wouldn&#8217;t impose data caps. I chose and implemented my current Cowrie analytics environment based on MySQL and the MySQL REST Service. In other words, I ditched Splunk, moved to MySQL, and never looked back. The notes below provide detailed instructions on how to install and configure the new environment:<\/p>\n<p><a href=\"\/images\/blog\/hpsetup_e.webp\" title=\"Simplified Honeypot Environment Diagram\"><img decoding=\"async\" src=\"\/images\/blog\/hpsetup_e.webp\" alt=\"Simplified Honeypot Environment Diagram\" title=\"Simplified Honeypot Environment Diagram\" \/><\/a><\/p>\n<p>Installing and configuring a Cowrie and MySQL-based honeypot environment is pretty straightforward. 
Below you can find the steps I took, in case you find the information useful:<\/p>\n<p>[<a href=\"#1\">Skip table of contents<\/a>]<\/p>\n<ol>\n<li><a href=\"#1\">The Honeypot<\/a>\n<ol>\n<li><a href=\"#1.1\">Choose the honeypot host<\/a><\/li>\n<li><a href=\"#1.2\">Install the system dependencies<\/a><\/li>\n<li><a href=\"#1.3\">Create a user account<\/a><\/li>\n<li><a href=\"#1.4\">Get the Cowrie code<\/a><\/li>\n<li><a href=\"#1.5\">Set up a Python virtual environment<\/a><\/li>\n<li><a href=\"#1.6\">Configure Cowrie<\/a><\/li>\n<li><a href=\"#1.7\">Customize Cowrie<\/a><\/li>\n<li><a href=\"#1.8\">Forward listening ports<\/a><\/li>\n<li><a href=\"#1.9\">Start Cowrie<\/a><\/li>\n<\/ol>\n<\/li>\n<li><a href=\"#2\">The Data Repository<\/a>\n<ol>\n<li><a href=\"#2.1\">Wrangle the Data<\/a><\/li>\n<li><a href=\"#2.2\">Install MySQL<\/a><\/li>\n<li><a href=\"#2.3\">Create a MySQL database for Cowrie<\/a><\/li>\n<li><a href=\"#2.4\">Install Apache, PHP and phpMyAdmin<\/a><\/li>\n<li><a href=\"#2.5\">Import the Cowrie data into the MySQL database<\/a><\/li>\n<li><a href=\"#2.6\">Configure the MySQL REST Service (MRS)<\/a><\/li>\n<li><a href=\"#2.7\">Verify the MRS Core API<\/a><\/li>\n<li><a href=\"#2.8\">Reference: The MRS JSON filter grammar<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h2>Part 1: The Honeypot<a name=1><\/a><\/h2>\n<p>I chose Cowrie as the key component of my unwanted traffic detection infrastructure. Cowrie is a superb medium\/high interaction honeypot designed to log brute-force attempts and shell interactions launched by attackers over both SSH and Telnet. Cowrie is very popular among both researchers and enthusiasts due to an optimal combination of rich capabilities and ease of use. It is open-source and is backed by an active community led by <a href=\"https:\/\/www.patreon.com\/micheloosterhof\" target=\"_blank\" rel=\"noopener\">Michel Oosterhof<\/a>, the project\u2019s maintainer, creator, and main developer.<\/p>\n<h3>1. 
Choose the honeypot host<a name=1.1><\/a><\/h3>\n<p>You need to start by choosing a Linux system on which to install the honeypot. Since Cowrie is very efficient in its resource consumption, I opted for a tiny <a href=\"https:\/\/www.raspberrypi.com\/products\/raspberry-pi-400\/specifications\/\" target=\"_blank\" rel=\"noopener\">Raspberry Pi 400<\/a> computer as the Cowrie host.<\/p>\n<h3>2. Install the system dependencies<a name=1.2><\/a><\/h3>\n<p>Install the system dependencies on the Cowrie host:<\/p>\n<pre><code>$ sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv\n<\/code><\/pre>\n<h3>3. Create a user account<a name=1.3><\/a><\/h3>\n<p>Creating a dedicated user without a password is not an absolute requirement, but it is recommended by the Cowrie authors:<\/p>\n<pre><code>$ sudo adduser --disabled-password cowrie\nAdding user &#039;cowrie&#039; ...\nAdding new group &#039;cowrie&#039; (1002) ...\nAdding new user &#039;cowrie&#039; (1002) with group &#039;cowrie&#039; ... \nChanging the user information for cowrie\nEnter the new value, or press ENTER for the default\nFull Name []:\nRoom Number []:\nWork Phone []:\nHome Phone []:\nOther []:\nIs the information correct? [Y\/n]\n\n$ sudo su - cowrie\n<\/code><\/pre>\n<h3>4. Get the Cowrie code<a name=1.4><\/a><\/h3>\n<p>Clone the <code>cowrie<\/code> project from GitHub:<\/p>\n<pre><code>$ git clone http:\/\/github.com\/cowrie\/cowrie\nCloning into &#039;cowrie&#039;...\nremote: Counting objects: 2965, done.\nremote: Compressing objects: 100% (1025\/1025), done.\nremote: Total 2965 (delta 1908), reused 2962 (delta 1905), pack-reused 0 \nReceiving objects: 100% (2965\/2965), 3.41 MiB | 2.57 MiB\/s, done.\nResolving deltas: 100% (1908\/1908), done.\nChecking connectivity... done.\n\n$ cd cowrie\n<\/code><\/pre>\n<h3>5. 
Set up a Python virtual environment<a name=1.5><\/a><\/h3>\n<p>Technically speaking, this step is not needed, but it is highly recommended to ensure that package updates on the Cowrie host system will not cause incompatibilities with the honeypot operation:<\/p>\n<pre><code>$ pwd\n\/home\/cowrie\/cowrie\n\n$ python -m venv cowrie-env\nNew python executable in .\/cowrie\/cowrie-env\/bin\/python \nInstalling setuptools, pip, wheel...done.\n<\/code><\/pre>\n<p>After you install the virtual environment, activate it and install the required packages:<\/p>\n<pre><code>$ source cowrie-env\/bin\/activate\n(cowrie-env) $ python -m pip install --upgrade pip\n(cowrie-env) $ python -m pip install --upgrade -r requirements.txt \n<\/code><\/pre>\n<h3>6. Configure Cowrie<a name=1.6><\/a><\/h3>\n<p>The Cowrie configuration is stored in the <code>cowrie\/etc\/cowrie.cfg<\/code> file. To run the honeypot with a standard configuration, there is no need to change anything. By default, Cowrie accepts traffic over SSH. I wanted the honeypot to also accept traffic over Telnet, send the data to Splunk (more on this later), and change the default ports 22 and 23, so I modified the configuration file as follows:<\/p>\n<pre><code>[telnet]\nenabled = true\n...\n[output_splunk]\nenabled = true\n...\n[proxy]\nbackend_ssh_port = 2022\nbackend_telnet_port = 2023 \n<\/code><\/pre>\n<p>I also wanted to change the default user configurations and the list of credentials accepted to log in to the remote shell. These changes are made by modifying the <code>cowrie\/etc\/userdb.txt<\/code> file. 
Each line in the file consists of three fields separated by the <code>:<\/code> character, where:<\/p>\n<ul>\n<li>Field #1 is the username.<\/li>\n<li>Field #2 is currently unused and set to <code>x<\/code>.<\/li>\n<li>Field #3 is the password, or a regular expression (enclosed in <code>\/<\/code> characters) matching the passwords, accepted for the user; a leading <code>!<\/code> rejects the match instead, and <code>*<\/code> accepts any password.<\/li>\n<\/ul>\n<p>As an example, the following settings configure a username <code>admin<\/code> that accepts all passwords except 1) passwords consisting only of numeric characters, 2) the case-sensitive string <code>admin<\/code>, and 3) the case-insensitive string <code>honeypot<\/code>:<\/p>\n<pre><code>admin:x:!admin\nadmin:x:!\/^[0-9]+$\/\nadmin:x:!\/honeypot\/i\nadmin:x:*\n<\/code><\/pre>\n<h3>7. Customize Cowrie<a name=1.7><\/a><\/h3>\n<p>Optionally, you can change the look-and-feel of the Cowrie interface to make it look more realistic. A number of files allow you to do that:<\/p>\n<ul>\n<li>In <code>cowrie\/etc\/cowrie.cfg<\/code>, you can change, for example, the hostname displayed by the shell prompt, the user prompt, the Telnet username and password prompts, the response from the <code>uname<\/code> command, the SSH version printed by <code>ssh -V<\/code>, etc.<\/li>\n<\/ul>\n<pre><code>hostname = appsrv02\n...\nprompt = root&gt;\n...\ntelnet_username_prompt_regex = (\\n|^)ubuntu login: .* \ntelnet_password_prompt_regex = .*Password: .*\n...\nkernel_version = 3.2.0-4-amd64\nkernel_build_string = #1 SMP Debian 3.2.68-1+deb7u1\nhardware_platform = x86_64\noperating_system = GNU\/Linux\n...\nssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a  20 Nov 2018 \n<\/code><\/pre>\n<ul>\n<li>In <code>cowrie\/honeyfs\/etc\/issue<\/code>, you can change the pre-login banner.<\/li>\n<li>In <code>cowrie\/honeyfs\/etc\/motd<\/code>, you can change the post-login message.<\/li>\n<li>In <code>cowrie\/honeyfs\/proc\/cpuinfo<\/code>, you can change the simulated CPU make-up of the system (e.g., number and type of processors).<\/li>\n<li>In <code>cowrie\/honeyfs\/proc\/meminfo<\/code>, you can change the 
simulated system\u2019s memory allocation and usage.<\/li>\n<li>In <code>cowrie\/honeyfs\/proc\/version<\/code>, you can change the Linux kernel and <code>gcc<\/code> versions.<\/li>\n<\/ul>\n<h3>8. Forward listening ports<a name=1.8><\/a><\/h3>\n<p>As we saw above, I configured Cowrie to accept SSH traffic over port 2022 and Telnet traffic over port 2023. In order to preserve the fidelity of the decoy, I opened ports 22 and 23 on the router and forwarded their traffic to ports 2022 and 2023, respectively, on the system hosting Cowrie.<\/p>\n<h3>9. Start Cowrie<a name=1.9><\/a><\/h3>\n<p>Start the honeypot by calling the <code>cowrie\/bin\/cowrie<\/code> executable that is part of the Cowrie distribution. If a virtual environment is already activated, it is used as-is; otherwise, Cowrie will attempt to load the environment called <code>cowrie-env<\/code> that we created earlier:<\/p>\n<pre><code>$ bin\/cowrie start\nActivating virtualenv &quot;cowrie-env&quot;\nStarting cowrie with extra arguments [] ... \n<\/code><\/pre>\n<h2>Part 2: The Data Repository<a name=2><\/a><\/h2>\n<p>I opted for MySQL running on Windows as the warehouse of my Cowrie-generated data because it&#8217;s a powerful and mature technology, offers nice API-based data querying and manipulation functionality, can be installed locally, and\u2009\u2014\u2009best of all\u2009\u2014\u2009is open-source and free.<\/p>\n<p>Cowrie offers a set of <a href=\"https:\/\/cowrie.readthedocs.io\/en\/latest\/sql\/README.html#\" target=\"_blank\" rel=\"noopener\">instructions<\/a> to send its data to a MySQL database that are significantly simpler than the process described on this page. Those instructions are a great starting point. Ultimately, I decided to go with a custom configuration to go beyond the bare-bones capabilities offered out-of-the-box by Cowrie. Specifically, I needed the ability to import a modified version of the Cowrie feed and a way to analyze the data through an API. 
I also needed to run MySQL on a separate Windows host. The instructions below provide that functionality.<\/p>\n<h3>1. Wrangle the Data<a name=2.1><\/a><\/h3>\n<p>You can use the Cowrie data stream as it comes from the honeypot in the form of daily JSON files. This is essentially an event-based feed, where every session or unwanted interaction with the honeypot is broken down into a series of events that constitute an attack, e.g., connect, attempt to log in, execute commands on the shell, create or upload\/download files to the honeypot, disconnect, etc.<\/p>\n<p>I opted for an alternative view of the unwanted traffic based on sessions, not events. To do this, I translated the default Cowrie feed into a new one where the main unit of information, which will later be stored as a row in a SQL database, is the session, not the event. This required merging all the events corresponding to the same session into a single &quot;row&quot;. This work was part of the data normalization I did when I was using Splunk as my data repository; you can find the details <a href=\"\/blog\/index.php\/2023\/08\/05\/normalizing-the-cowrie-feed\/\">here<\/a>. As a reminder, data normalization is the process used to reorganize or \u2018massage\u2019 the data so that it\u2019s easier and faster to work with. It involves reducing\/eliminating data redundancy and ensuring that the data dependencies are implemented in a way that takes into account the constraints of the underlying database that holds the data. This allows the data to be queried and analyzed more easily. Splunk does not use a conventional database, so the normalization that resulted in the new session-based feed was all that was needed. But MySQL, our new data store solution, utilizes a SQL database. For SQL data, normalization often requires splitting large tables into smaller ones and linking them through relationships. And that&#8217;s exactly what we had to do. 
To understand why, let&#8217;s look at a key aspect of our new session-based feed:<\/p>\n<ul>\n<li>\n<p>Some of the fields in a session are singletons, with just one value:<\/p>\n<table>\n<thead>\n<tr>\n<th>Field in Original Feed<\/th>\n<th>Field in New Feed<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><\/td>\n<td>dst_asn<\/td>\n<td>New &#8211; ASN of target IP address (i.e., that of the honeypot) provided by MaxMind<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>dst_country<\/td>\n<td>New &#8211; Country of target IP address provided by MaxMind<\/td>\n<\/tr>\n<tr>\n<td>dst_ip<\/td>\n<td>dst_ip<\/td>\n<td>Target IP address<\/td>\n<\/tr>\n<tr>\n<td>dst_port<\/td>\n<td>dst_port<\/td>\n<td>Target port<\/td>\n<\/tr>\n<tr>\n<td>duration<\/td>\n<td>duration<\/td>\n<td>Session duration<\/td>\n<\/tr>\n<tr>\n<td>input<\/td>\n<td>commands<\/td>\n<td>Sequence of commands executed on the shell<\/td>\n<\/tr>\n<tr>\n<td>protocol<\/td>\n<td>protocol<\/td>\n<td>Network protocol on which unwanted traffic was sent<\/td>\n<\/tr>\n<tr>\n<td>sensor<\/td>\n<td>sensor<\/td>\n<td>Name of honeypot<\/td>\n<\/tr>\n<tr>\n<td>session<\/td>\n<td>session<\/td>\n<td>Unique session identifier<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>src_asn<\/td>\n<td>New &#8211; ASN of source IP address (i.e., that of the attacker) provided by MaxMind<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>src_country<\/td>\n<td>New &#8211; Country of source IP address provided by MaxMind<\/td>\n<\/tr>\n<tr>\n<td>src_ip<\/td>\n<td>src_ip<\/td>\n<td>Source IP address<\/td>\n<\/tr>\n<tr>\n<td>src_port<\/td>\n<td>src_port<\/td>\n<td>Source port<\/td>\n<\/tr>\n<tr>\n<td>timestamp<\/td>\n<td>timestamp<\/td>\n<td>Same as in original feed<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>traffic_type<\/td>\n<td>New &#8211; Is the unwanted traffic a port <code>scan<\/code> or an <code>attack<\/code>?<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li>\n<p>Some of the fields are lists with multiple values:<\/p>\n<table>\n<thead>\n<tr>\n<th>Field 
in Original Feed<\/th>\n<th>Field in New Feed<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>(login) success|failed<\/td>\n<td>creds_login<\/td>\n<td>List of login status<\/td>\n<\/tr>\n<tr>\n<td>password<\/td>\n<td>attempts_passwords<\/td>\n<td>List of passwords attempted<\/td>\n<\/tr>\n<tr>\n<td>username<\/td>\n<td>attempts_usernames<\/td>\n<td>List of usernames attempted<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>attempts_credentials<\/td>\n<td>New &#8211; List of username\\0password credentials attempted<\/td>\n<\/tr>\n<tr>\n<td>hash<\/td>\n<td>malware_hashes<\/td>\n<td>List of malware hashes<\/td>\n<\/tr>\n<tr>\n<td>filename, outfile<\/td>\n<td>malware_sites<\/td>\n<td>List of malware URLs<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>malware_types<\/td>\n<td>New &#8211; List of malware sample types: <code>upload<\/code>|<code>download<\/code>|<code>redir<\/code>ection<\/td>\n<\/tr>\n<tr>\n<td>(tcpip) dst_ip<\/td>\n<td>tcpip_dst_ips<\/td>\n<td>List of TCP\/IP destination IP addresses<\/td>\n<\/tr>\n<tr>\n<td>(tcpip) dst_port<\/td>\n<td>tcpip_dst_ports<\/td>\n<td>List of TCP\/IP destination ports<\/td>\n<\/tr>\n<tr>\n<td>(tcpip) src_ip<\/td>\n<td>tcpip_src_ips<\/td>\n<td>List of TCP\/IP source IP addresses<\/td>\n<\/tr>\n<tr>\n<td>(tcpip) src_port<\/td>\n<td>tcpip_src_ports<\/td>\n<td>List of TCP\/IP source ports<\/td>\n<\/tr>\n<tr>\n<td>ttylog<\/td>\n<td>ttylog_names<\/td>\n<td>List of TTY log files capturing attack interactions<\/td>\n<\/tr>\n<tr>\n<td>sha256, url<\/td>\n<td>vtlookup_files<\/td>\n<td>List of VirusTotal scanned hashes or URLs<\/td>\n<\/tr>\n<tr>\n<td>is_new<\/td>\n<td>vtlookup_new<\/td>\n<td>List of VirusTotal &quot;is new&quot; information<\/td>\n<\/tr>\n<tr>\n<td>positives<\/td>\n<td>vtlookup_positives<\/td>\n<td>List of VirusTotal positives<\/td>\n<\/tr>\n<tr>\n<td>total<\/td>\n<td>vtlookup_scans<\/td>\n<td>List of VirusTotal scans<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<\/ul>\n<p>Single-valued fields are easy to handle and 
require no additional processing. They are implemented directly as columns in a SQL database table. But the relational model does not allow a column to hold a list of values. The solution to this challenge is to do SQL normalization of the data in the Cowrie feed as follows:<\/p>\n<ul>\n<li>Create one primary table <strong>sessions<\/strong> made of all the single-valued fields\/columns.<\/li>\n<li>Create one separate secondary table for each group of related list-valued fields. These tables hold the individual values of their respective lists, one value per row. The secondary tables link to the primary table by means of a foreign key that references the <code>session<\/code> column in <strong>sessions<\/strong>. In all, I needed five secondary tables:\n<ul>\n<li><strong>attempts<\/strong> to keep the values of <code>attempts_credentials<\/code>, <code>creds_login<\/code>, <code>attempts_passwords<\/code>, and <code>attempts_usernames<\/code><\/li>\n<li><strong>malware<\/strong> to keep the values of <code>malware_hashes<\/code>, <code>malware_sites<\/code>, and <code>malware_types<\/code><\/li>\n<li><strong>tcpip<\/strong> to keep the values of <code>tcpip_dst_ips<\/code>, <code>tcpip_dst_ports<\/code>, <code>tcpip_src_ips<\/code>, and <code>tcpip_src_ports<\/code><\/li>\n<li><strong>ttylogs<\/strong> to keep the values of <code>ttylog_names<\/code><\/li>\n<li><strong>vtlookups<\/strong> to keep the values of <code>vtlookup_files<\/code>, <code>vtlookup_new<\/code>, <code>vtlookup_positives<\/code>, and <code>vtlookup_scans<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Notice that the <code>commands<\/code> field is a bit of an anomaly. Technically speaking, it&#8217;s a comma-separated list of Linux commands. But, as I use it as a single entity, I&#8217;m currently treating it as a single-valued long string field (i.e., as a column in the primary table). 
I may change this arrangement at a later time and implement the <code>commands<\/code> field as a separate secondary table by breaking it down to its individual Linux commands.<\/p>\n<p>Finally, I decided to leave out of the new feed a few fields in the original data stream that add limited value to my research.<\/p>\n<h3>2. Install MySQL<a name=2.2><\/a><\/h3>\n<p>I installed the Windows version of MySQL from the <a href=\"https:\/\/dev.mysql.com\/downloads\/installer\/\" target=\"_blank\" rel=\"noopener\">MySQL Community Downloads<\/a> area. At the time of my install, the latest available version of the installer was 8.0.36. Installation is straightforward and self-explanatory:<\/p>\n<ul>\n<li>Start the MySQL installer for Windows.<\/li>\n<li>Choose the <em>Custom<\/em> setup type to be able to choose the MySQL products you want to install.<\/li>\n<li>In addition to the core <em>MySQL Server<\/em>, make sure that you install <em>MySQL Router<\/em> if you want to have API access to your data (more on this later). I chose to also install <em>MySQL Shell<\/em> and <em>MySQL Workbench<\/em> to have user interfaces to configure the database and manipulate the data. Workbench, Shell and Router are available under <em>Applications<\/em> in the installation dialog. I did not install the <em>MySQL Connectors<\/em> (ODBC, C++ and Python).<\/li>\n<li>For each of the selected products, multiple versions are available. I only installed the latest (8.0.36).<\/li>\n<li>After the installer downloads and installs the MySQL products you selected, it will ask you to configure <em>MySQL Server<\/em> and <em>MySQL Router<\/em>.<\/li>\n<li>The first configuration step is the selection of the server type and networking parameters. Three server configuration types are available, each with increasing memory requirements: <em>Development Computer<\/em>, <em>Server Computer<\/em>, and <em>Dedicated Computer<\/em>. 
I originally opted for <em>Development Computer<\/em> but, when I later experienced sluggish performance of my database, I changed to <em>Server Computer<\/em>. That made a big difference.<\/li>\n<li>I accepted the networking settings at their default values.<\/li>\n<li>After the server and networking configuration, you need to set your authentication method. Go with the recommended strong password encryption and set your MySQL root password.<\/li>\n<li>Next, configure the Windows service and the server file permissions by accepting the defaults.<\/li>\n<li>Finally, configure <em>MySQL Router<\/em>. Again, accept the default settings.<\/li>\n<\/ul>\n<p>After the above installation and configuration is done, the Windows MySQL service will start, and both the <em>MySQL Shell<\/em> and <em>MySQL Workbench<\/em> will automatically launch.<\/p>\n<h3>3. Create a MySQL database for Cowrie<a name=2.3><\/a><\/h3>\n<p>Next, you need to create a MySQL database to host your Cowrie data. The steps are as follows:<\/p>\n<ul>\n<li>If the <em>MySQL Workbench<\/em> application is not running, start it.<\/li>\n<li>Under <em>MySQL Connections<\/em>, you should see a default instance with the name &quot;Local instance MySQL80&quot;. 
Click on it and enter your MySQL server root password.<\/li>\n<li>On the left-hand side menu, select the <em>Schemas<\/em> tab.<\/li>\n<li>Click on the <em>Create a new schema in the connected server<\/em> icon on the top taskbar; the icon looks like a database with a superimposed plus sign.<\/li>\n<li>Enter a name for the new schema (I named mine <code>cowrie_normalized<\/code>) and click the <em>Apply<\/em> button (twice), then <em>Finish<\/em>.<\/li>\n<li>Now, you need to create your database tables.<\/li>\n<li>Double-click the newly-created schema and click on the <em>Create a new table in the active schema in connected server<\/em> icon; the icon looks like a table with a plus sign.<\/li>\n<li>Enter a name for the new table; I entered <strong>sessions<\/strong> as the name of my primary table.<\/li>\n<li>Repeat the two steps above to create all other tables in your schema. In mine, and as we saw earlier, I make use of 5 additional secondary tables: <strong>attempts<\/strong>, <strong>malware<\/strong>, <strong>tcpip<\/strong>, <strong>ttylogs<\/strong>, and <strong>vtlookups<\/strong>.<\/li>\n<li>Then, you need to design each table by specifying the names and types of its columns (fields). 
The configuration of my tables looks something like this:<\/li>\n<\/ul>\n<pre><code>--\n-- Structure for primary table `sessions`\n--\n`session_id`   int          NOT NULL, UNIQUE, PRIMARY, AUTO_INCREMENT\n`session`      varchar(12)  NOT NULL, UNIQUE\n`commands`     longtext\n`dst_ip`       varchar(15)  NOT NULL\n`dst_port`     int          NOT NULL\n`dst_asn`      int          DEFAULT NULL\n`dst_country`  varchar(45)  DEFAULT NULL\n`duration`     float        NOT NULL\n`protocol`     varchar(6)   NOT NULL\n`sensor`       varchar(48)  NOT NULL\n`src_ip`       varchar(15)  NOT NULL\n`src_port`     int          NOT NULL\n`src_asn`      int          NOT NULL\n`src_country`  varchar(45)  NOT NULL\n`timestamp`    timestamp(6) NOT NULL, UNIQUE\n`traffic_type` varchar(6)   NOT NULL\n\n--\n-- Structure for secondary table `attempts`\n-- (several attempts belong to one session, so `attempt_session` is NOT unique)\n--\n`attempt_credentials` varchar(513) DEFAULT NULL\n`attempt_id`          int          NOT NULL, UNIQUE, PRIMARY, AUTO_INCREMENT\n`attempt_login`       varchar(5)   NOT NULL\n`attempt_password`    varchar(256) DEFAULT NULL\n`attempt_session`     varchar(12)  NOT NULL, FOREIGN KEY REFERENCES `sessions` (`session`)\n`attempt_username`    varchar(256) NOT NULL\n\n--\n-- Structure for secondary table `malware`\n--\n`malware_hash`    varchar(64) NOT NULL\n`malware_id`      int         NOT NULL, UNIQUE, PRIMARY, AUTO_INCREMENT\n`malware_session` varchar(12) NOT NULL, FOREIGN KEY REFERENCES `sessions` (`session`)\n`malware_site`    varchar(45) DEFAULT NULL\n`malware_type`    varchar(8)  NOT NULL\n\n--\n-- Structure for secondary table `tcpip`\n--\n`tcpip_dst_ip`   varchar(256) DEFAULT NULL\n`tcpip_dst_port` int          DEFAULT NULL\n`tcpip_id`       int          NOT NULL, UNIQUE, PRIMARY, AUTO_INCREMENT\n`tcpip_session`  varchar(12)  NOT NULL, FOREIGN KEY REFERENCES `sessions` (`session`)\n`tcpip_src_ip`   varchar(256) DEFAULT NULL\n`tcpip_src_port` int          DEFAULT NULL\n\n--\n-- Structure for secondary table `ttylogs`\n--\n`ttylog_id`      int         NOT NULL, UNIQUE, PRIMARY, AUTO_INCREMENT\n`ttylog_name`    varchar(96) NOT NULL\n`ttylog_session` varchar(12) NOT NULL, FOREIGN KEY REFERENCES `sessions` (`session`)\n\n--\n-- Structure for secondary table `vtlookups`\n--\n`vtlookup_file`      varchar(64) NOT NULL\n`vtlookup_id`        int         NOT NULL, UNIQUE, PRIMARY, AUTO_INCREMENT\n`vtlookup_new`       varchar(5)  NOT NULL\n`vtlookup_positives` int         NOT NULL\n`vtlookup_scans`     int         NOT NULL\n`vtlookup_session`   varchar(12) NOT NULL, FOREIGN KEY REFERENCES `sessions` (`session`)\n<\/code><\/pre>\n<ul>\n<li>As you can see, there&#8217;s one column for each of the fields in my session-based Cowrie feed. In addition to those, I created an <code>*_id<\/code> column in each table to serve as its primary key. I made it an auto-increment key and, as we&#8217;ll see later, added some logic to make sure that there are no gaps in the values.<\/li>\n<li>After you are satisfied with your table layout, click the <em>Apply<\/em> button (twice), then <em>Finish<\/em>.<\/li>\n<\/ul>\n<p>Congratulations! You now have a MySQL database ready to ingest your Cowrie data.<\/p>\n<h3>4. Install Apache, PHP and phpMyAdmin<a name=2.4><\/a><\/h3>\n<p>This step is not needed but if, like me, you want to have the ability to view your MySQL-hosted Cowrie data through a web interface and are used to configuring MySQL with the good old <em>phpMyAdmin<\/em>, you may want to consider it. I find that the easiest way to install <em>phpMyAdmin<\/em> on Windows is by using an XAMPP (Cross Apache MariaDB PHP Perl) distribution by <a href=\"https:\/\/www.apachefriends.org\/\" target=\"_blank\" rel=\"noopener\">Apache Friends<\/a>. You can download their Windows installer from their website. At the time of my install, the latest available version of the Windows installer was 8.2.12. 
Installation is easy:<\/p>\n<ul>\n<li>Download and launch the Windows installer from the XAMPP downloads page.<\/li>\n<li>If you get a warning about Windows User Account Control (UAC) possibly interfering with the XAMPP installation, click <em>OK<\/em> to dismiss it.<\/li>\n<li>Select the components you want to install. I really don&#8217;t have much use for <em>Mercury Mail Server<\/em>, <em>Tomcat<\/em>, <em>Perl<\/em>, <em>Webalizer<\/em>, and <em>Fake Sendmail<\/em>, and I already have <em>MySQL<\/em> (from step 2 above) and <em>FileZilla FTP Server<\/em>. <em>Apache<\/em> and <em>PHP<\/em> are required and always installed, so I just selected <em>phpMyAdmin<\/em>.<\/li>\n<li>Accept all other installation defaults.<\/li>\n<li>If you get a Windows Defender Firewall dialog notifying you that the Apache HTTP server has been blocked, click <em>Allow access<\/em> to proceed.<\/li>\n<li>Click <em>Finish<\/em> to complete the installation.<\/li>\n<\/ul>\n<p>At this point, Apache, PHP and phpMyAdmin, together with the useful <em>XAMPP Control Panel<\/em>, are installed on your system. 
We now need to tie together the earlier MySQL installation with the recent phpMyAdmin installation:<\/p>\n<ul>\n<li>Open the phpMyAdmin configuration file (by default, it should be <code>C:\\xampp\\phpMyAdmin\\config.inc.php<\/code>) and change the authentication settings to reflect your MySQL configuration:<\/li>\n<\/ul>\n<pre><code>\/* Authentication type and info *\/\n$cfg[&#039;Servers&#039;][$i][&#039;auth_type&#039;] = &#039;config&#039;;\n$cfg[&#039;Servers&#039;][$i][&#039;user&#039;] = &#039;root&#039;;\n$cfg[&#039;Servers&#039;][$i][&#039;password&#039;] = &#039;YOUR_MYSQL_SERVER_ROOT_PASSWORD_HERE&#039;;\n$cfg[&#039;Servers&#039;][$i][&#039;extension&#039;] = &#039;mysqli&#039;;\n$cfg[&#039;Servers&#039;][$i][&#039;AllowNoPassword&#039;] = true;\n$cfg[&#039;Lang&#039;] = &#039;&#039;;\n\n\/* User for advanced features *\/\n\/* $cfg[&#039;Servers&#039;][$i][&#039;controluser&#039;] = &#039;pma&#039;; *\/\n\/* $cfg[&#039;Servers&#039;][$i][&#039;controlpass&#039;] = &#039;&#039;; *\/<\/code><\/pre>\n<ul>\n<li>Add the following lines to the phpMyAdmin configuration file and then save it:<\/li>\n<\/ul>\n<pre><code>\/* Gets rid of the following error message: The phpMyAdmin configuration storage is not completely configured, some extended features have been deactivated. *\/\n$cfg[&#039;PmaNoRelation_DisableWarning&#039;] = true;<\/code><\/pre>\n<ul>\n<li>\n<p>Launch the <em>XAMPP Control Panel<\/em>. If you followed the steps above, you should see that <em>MySQL<\/em>, <em>FileZilla<\/em>, <em>Mercury<\/em>, and <em>Tomcat<\/em> are grayed out (i.e., we did not install them); <em>Apache<\/em> is not.<\/p>\n<\/li>\n<li>\n<p>Click the <em>Start<\/em> button to start Apache.<\/p>\n<\/li>\n<li>\n<p>You can now open your favorite web browser and navigate to either <code>localhost<\/code> or <code>127.0.0.1<\/code>. 
That should open the XAMPP landing page on your local Apache server.<\/p>\n<\/li>\n<li>\n<p>Click on the <em>phpMyAdmin<\/em> link at the top of the page. You should see the <code>cowrie_normalized<\/code> schema and the <strong>sessions<\/strong> table (together with the five secondary tables) we created in step 3 above.<\/p>\n<\/li>\n<\/ul>\n<h3>5. Import the Cowrie data into the MySQL database<a name=2.5><\/a><\/h3>\n<p>Instead of a more elaborate message broker-based architecture, I implemented a simpler system taking advantage of the fact that Cowrie saves the traffic it collects in daily JSON files. I wrote a program that runs every day under the Windows Task Scheduler with the following high-level logic:<\/p>\n<ul>\n<li>Translate the native event-based Cowrie feed into a new session-based feed as described earlier.<\/li>\n<li>Convert the list of sessions from the session-based JSON to CSV and save it as six separate files, one per table: <strong>sessions.csv<\/strong>, <strong>attempts.csv<\/strong>, <strong>malware.csv<\/strong>, <strong>tcpip.csv<\/strong>, <strong>ttylogs.csv<\/strong>, and <strong>vtlookups.csv<\/strong>.<\/li>\n<li>Create scripts of SQL commands to do the data import. 
For example, the script <strong>sessions.sql<\/strong> that imports the data from <strong>sessions.csv<\/strong> into the <strong>sessions<\/strong> table looks like this:<\/li>\n<\/ul>\n<pre><code>SET @maxid = (SELECT COALESCE(MAX(session_id), 0) + 1 FROM cowrie_normalized.sessions);\nSET @sql = CONCAT(&#039;ALTER TABLE cowrie_normalized.sessions AUTO_INCREMENT = &#039;, @maxid);\nPREPARE st FROM @sql;\nEXECUTE st;\nLOAD DATA INFILE &#039;sessions.csv&#039;\nIGNORE INTO TABLE cowrie_normalized.sessions\nFIELDS TERMINATED BY &#039;,&#039;\nENCLOSED BY &#039;&quot;&#039;\nESCAPED BY &#039;&#039;\nLINES TERMINATED BY &#039;\\n&#039;\nIGNORE 1 LINES\n(session,commands,dst_ip,dst_port,dst_country,dst_asn,duration,protocol,sensor,src_ip,src_port,src_country,src_asn,timestamp,traffic_type);<\/code><\/pre>\n<p style=\"padding-left:4ch\">\nLet&#8217;s unpack this a bit. The first four lines get the maximum value of the <code>session_id<\/code> column in our table, which corresponds to the most recently entered row (session). That value, incremented by 1, is then used as the next auto-increment value. If we don&#8217;t explicitly set it, it&#8217;s likely that MySQL will use an auto-increment value for the daily import data that&#8217;s higher (by more than one) than the auto-increment value of the last row from the previous day. In other words, the first four lines of our SQL script ensure that there are no gaps in the <code>session_id<\/code> values.\n<\/p>\n<p style=\"padding-left:4ch\">\nThe following SQL instructions import the Cowrie data in CSV format from the <strong>sessions.csv<\/strong> file. The <code>IGNORE<\/code> keyword instructs MySQL to continue importing data after finding an error (don&#8217;t worry, diagnostics will be generated in that case). 
Other instructions tell MySQL that the characters used to separate fields, enclose field values, and terminate lines are <code>,<\/code>, <code>&quot;<\/code>, and <code>\\n<\/code>, respectively, and that no escaping of special characters is to be performed.\n<\/p>\n<p style=\"padding-left:4ch\">\nThe <code>IGNORE 1 LINES<\/code> clause makes MySQL skip the CSV header row; the field names themselves are supplied by the column list on the last line of the script.\n<\/p>\n<ul>\n<li>\n<p>Import the CSV information into the MySQL database by executing the <strong>sessions.sql<\/strong> SQL script from the MySQL Shell:<\/p>\n<pre><code>mysqlsh -uroot -h localhost --sql &lt; sessions.sql<\/code><\/pre>\n<\/li>\n<li>\n<p>Repeat the steps above to ingest the data in the other tables:<\/p>\n<pre><code>mysqlsh -uroot -h localhost --sql &lt; attempts.sql\nmysqlsh -uroot -h localhost --sql &lt; malware.sql\nmysqlsh -uroot -h localhost --sql &lt; tcpip.sql\nmysqlsh -uroot -h localhost --sql &lt; ttylogs.sql\nmysqlsh -uroot -h localhost --sql &lt; vtlookups.sql<\/code><\/pre>\n<\/li>\n<\/ul>\n<p>Hooray! We now have our Cowrie data\u2009\u2014\u2009nicely normalized into sessions\u2009\u2014\u2009available in a MySQL database. Take a few minutes to celebrate.<\/p>\n<h3>6. Configure the MySQL REST Service (MRS)<a name=2.6><\/a><\/h3>\n<p>We now have a MySQL database that can be accessed through three different interfaces: <em>MySQL Shell<\/em>, <em>MySQL Workbench<\/em>, and the browser-based <em>phpMyAdmin<\/em>. In this next step, we&#039;ll add a fourth one in the form of a Visual Studio Code extension. Although technically speaking this is not required, it will significantly simplify the process of setting up access to the Cowrie data on MySQL through a REST API. For this, we&#039;ll use the <em>MySQL REST Service<\/em> (MRS), a technology that enables fast and secure HTTPS access to your MySQL data. 
Implemented as a <em>MySQL Router<\/em> feature, MRS provides the ability to publish RESTful web services for interacting with the data stored in MySQL solutions. I use it to programmatically extract the Cowrie data stored in MySQL as part of my analytics workflow. Although MRS can be configured directly from the <em>MySQL Shell<\/em>, it&#039;s much easier to use the <a href=\"https:\/\/code.visualstudio.com\/\" target=\"_blank\" rel=\"noopener\">Visual Studio Code<\/a> extension. I&#039;m assuming that you are familiar with Visual Studio Code and use it for some or all of your code editing activities, so we won&#039;t go over its installation, which is straightforward.<\/p>\n<ul>\n<li>Start by launching <em>Visual Studio Code<\/em>.<\/li>\n<li>Select the <em>Extensions<\/em> icon from the vertical tools menu on the left.<\/li>\n<li>Search for &quot;MySQL Shell for VS Code&quot;.<\/li>\n<li>Click the <em>Install<\/em> button next to the <em>MySQL Shell for VS Code<\/em> search result.<\/li>\n<li>If you get a dialog asking whether you trust the authors, click the <em>Trust Workspace &amp; Install<\/em> button to proceed.<\/li>\n<li>After the previous step, you should see a new icon with the image of Sakila, the MySQL dolphin, on the tools menu on the left. Click on it.<\/li>\n<li>Click <em>Next<\/em> a couple of times to install a certificate. If you get a <em>Windows Security Warning<\/em> dialog, click <em>Yes<\/em> to signal that you do want to install the certificate.<\/li>\n<li>You should see a message indicating that the installation completed. Click the <em>Reload VS Code Window<\/em> button to proceed.<\/li>\n<li>Click the <em>\uff0b\u2009New Connection<\/em> button to create a connection to our MySQL database.<\/li>\n<li>On the <em>Database Connection Configuration<\/em> dialog, click on the <em>Basic<\/em> tab. 
Leave the <em>Database Type<\/em> as <code>MySQL<\/code> and <em>Host Name or IP Address<\/em> as <code>localhost<\/code>. Enter a name and details for the connection in the <em>Caption<\/em> and <em>Description<\/em> settings; I entered <code>Cowrie<\/code> and <code>Connection to the normalized Cowrie database<\/code>, respectively. Enter <code>root<\/code> as the <em>User Name<\/em> and the name of the schema we created in step 2 above (i.e., <code>cowrie_normalized<\/code>) as <em>Default Schema<\/em>. Leave all other settings at their default values and press <em>OK<\/em>.<\/li>\n<li>You should see the new <em>Cowrie<\/em> entry under <em>DATABASE CONNECTIONS<\/em> on the left. Click on it and enter the password for the <code>root<\/code> user.<\/li>\n<li>After authenticating, right-click on the <em>Cowrie<\/em> connection and select <em>Configure instance for MySQL REST Service Support<\/em>.<\/li>\n<li>On the <em>MySQL REST Service<\/em> dialog, accept all pre-defined settings and click <em>OK<\/em>.<\/li>\n<li>You should see a number of items under the <em>Cowrie<\/em> database connection. One of them is <em>MySQL Rest Service<\/em>. Right-click it and select <em>Add REST Service...<\/em>.<\/li>\n<li>On the <em>MySQL REST Service<\/em> configuration dialog, enter a path (i.e., endpoint) to the service; I entered <code>\/honeypot<\/code> for mine. Accept all other defaults and click <em>OK<\/em>. At this point, you should see the new endpoint under <em>Cowrie\\MySQL REST Service<\/em>.<\/li>\n<li>Now that we have configured our MySQL REST endpoint, we need to flow data through it. This is done by adding the MySQL database schema and tables to the REST service. Let&#039;s get to it.<\/li>\n<li>Right-click <em>DATABASE CONNECTIONS\\Cowrie\\cowrie_normalized<\/em> and select <em>Add Schema to REST Service<\/em>.<\/li>\n<li>On the <em>MySQL REST Schema<\/em> configuration dialog, enter a path\/endpoint under <em>REST Schema Path<\/em>. I chose <code>\/v1<\/code> to continue building the API path in a way that meets pseudo-standard naming conventions for RESTful APIs. 
Click <em>OK<\/em>.<\/li>\n<li>Right-click <em>DATABASE CONNECTIONS\\Cowrie\\cowrie_normalized\\Tables\\sessions<\/em> and select <em>Add Database Object to REST Service<\/em>.<\/li>\n<li>On the <em>MySQL REST Object<\/em> configuration dialog, enter a path\/endpoint under <em>REST Object Path<\/em>. I chose <code>sessions<\/code>. Uncheck the <em>Auth. Required<\/em> option. The configuration dialog will show the mapping of the MySQL table fields to the MySQL REST API names. You will notice that 1) both the primary and secondary tables are available for mapping to the API, and 2) the API objects are named using the camelCase naming convention.<\/li>\n<li>Repeat the two steps above to create endpoints <code>\/attempts<\/code>, <code>\/malware<\/code>, <code>\/tcpip<\/code>, <code>\/ttylogs<\/code>, and <code>\/vtlookups<\/code> connected to the secondary tables <strong>attempts<\/strong>, <strong>malware<\/strong>, <strong>tcpip<\/strong>, <strong>ttylogs<\/strong>, and <strong>vtlookups<\/strong>, respectively.<\/li>\n<li>The result of the actions above is the following mapping:<\/li>\n<\/ul>\n<pre><code>Primary Table \"sessions\"        API\n------------------------        ---\ncommands                        commands\ndst_asn                         dstAsn\ndst_country                     dstCountry\ndst_ip                          dstIp\ndst_port                        dstPort\nduration                        duration\nid                              id\nprotocol                        protocol\nsensor                          sensor\nsession                         session\nsrc_asn                         srcAsn\nsrc_country                     srcCountry\nsrc_ip                          srcIp\nsrc_port                        srcPort\ntimestamp                       timestamp\ntraffic_type                    trafficType\n\nSecondary Table \"attempts\"      API\n--------------------------      ---\nattempt_credentials             attemptCredentials\nattempt_id                      attemptId\nattempt_login                   attemptLogin\nattempt_password                attemptPassword\nattempt_session                 credentialSession\nattempt_username                attemptUsername\n\nSecondary Table \"malware\"       API\n-------------------------       ---\nmalware_hash                    malwareHash\nmalware_id                      malwareId\nmalware_session                 malwareSession\nmalware_site                    malwareSite\nmalware_type                    malwareType\n\nSecondary Table \"tcpip\"         API\n-----------------------         ---\ntcpip_dst_ip                    tcpipDstIP\ntcpip_dst_port                  tcpipDstPort\ntcpip_id                        tcpipId\ntcpip_session                   tcpipSession\ntcpip_src_ip                    tcpipSrcIp\ntcpip_src_port                  tcpipSrcPort\n\nSecondary Table \"ttylogs\"       API\n-------------------------       ---\nttylog_id                       ttylogId\nttylog_name                     ttylogName\nttylog_session                  ttylogSession\n\nSecondary Table \"vtlookups\"     API\n---------------------------     ---\nvtlookup_file                   vtlookupFile\nvtlookup_id                     vtlookupId\nvtlookup_new                    vtlookupNew\nvtlookup_positives              vtlookupPositives\nvtlookup_scans                  vtlookupScans\nvtlookup_session                vtlookupSession<\/code><\/pre>\n<p style=\"padding-left:4ch\">\nOn the same dialog, you have the option to choose which fields get exposed through the API. I chose the default of all. Finally, press <em>OK<\/em>. At this point, the REST endpoints exposing our Cowrie data are ready to be used.\n<\/p>\n<ul>\n<li>Right-click <em>DATABASE CONNECTIONS\\Cowrie\\MySQL REST Service<\/em> and select <em>Bootstrap Local MySQL Router Instance<\/em>. This will start <em>MySQL Router<\/em> and ask you to enter a JSON web token (JWT) passphrase. 
This JWT secret always needs to be the same for every <em>MySQL Router<\/em> instance when deploying multiple routers for the same MySQL solution\/database.<\/li>\n<li>Finally, right-click <em>DATABASE CONNECTIONS\\Cowrie\\MySQL REST Service<\/em> and select <em>Start Local MySQL Router Instance<\/em>.<\/li>\n<\/ul>\n<p>We are done! Our data should now be available at the <code>https:\/\/localhost:8443\/honeypot\/v1<\/code> URI through the following endpoints:<\/p>\n<ul>\n<li><code>\/sessions<\/code><\/li>\n<li><code>\/attempts<\/code><\/li>\n<li><code>\/malware<\/code><\/li>\n<li><code>\/tcpip<\/code><\/li>\n<li><code>\/ttylogs<\/code><\/li>\n<li><code>\/vtlookups<\/code><\/li>\n<\/ul>\n<h3>7. Verify the MRS Core API<a name=2.7><\/a><\/h3>\n<p>As the final step, we are going to test that the Cowrie data we imported into our MySQL database is indeed available through the endpoints.<\/p>\n<ul>\n<li>From <em>Visual Studio Code<\/em>, right-click <em>DATABASE CONNECTIONS\\Cowrie\\MySQL REST Service\\honeypot\\v1\\sessions<\/em> and select <em>Open REST Object Request Path in Web Browser<\/em>.<\/li>\n<\/ul>\n<p>A new tab should open in your browser displaying the first 25 Cowrie sessions\/attacks in JSON format.<\/p>\n<p><strong>NOTE<\/strong>: For this to work, make sure that a <em>MySQL Router<\/em> instance is running. You can start <em>MySQL Router<\/em> from a command line terminal with the aid of the following Bash script:<\/p>\n<pre><code>#!\/bin\/bash\n\n# Paths created by the MySQL Shell for VS Code extension; adjust the user ID and extension version\ndeclare +i -r MSRCONF=\"c:\/Users\/YOUR_WINDOWS_USER_ID\/AppData\/Roaming\/MySQL\/mysqlsh-gui\/plugin_data\/mrs_plugin\/router_configs\/1\/mysqlrouter\"\ndeclare +i -r MSRPATH=\"c:\/Users\/YOUR_WINDOWS_USER_ID\/.vscode\/extensions\/oracle.mysql-shell-for-vs-code-1.14.2-win32-x64\/router\"\ndeclare +i    pid=\"\"\nexport        PATH=\"${PATH}:${MSRPATH}\/lib\"\nexport        ROUTER_PID=\"${MSRCONF}\/mysqlrouter.pid\"\n\n# ps -W lists Windows processes; the first column is the PID\npid=$(ps -W | grep mysqlrouter | awk &#039;{print $1}&#039;)\nif [ ! \"${pid}\" = \"\" ]\nthen\n   echo \"MySQL Router is already running with PID = ${pid}\"\n   exit 0\nelse\n   \"${MSRPATH}\/bin\/mysqlrouter.exe\" -c \"${MSRCONF}\/mysqlrouter.conf\" > \/dev\/null 2>&1 &\n   disown %-\n   sleep 1   # give the router a moment to start before checking\n   pid=$(ps -W | grep mysqlrouter | awk &#039;{print $1}&#039;)\n   if [ ! \"${pid}\" = \"\" ]\n   then\n      echo \"MySQL Router is running with PID = ${pid}\"\n      exit 0\n   else\n      echo \"Error: MySQL Router could not be started\"\n      exit 1\n   fi\nfi<\/code><\/pre>\n<p>For completeness, you can stop MySQL Router with the following script:<\/p>\n<pre><code>#!\/bin\/bash\n\ndeclare +i -r MSRCONF=\"c:\/Users\/YOUR_WINDOWS_USER_ID\/AppData\/Roaming\/MySQL\/mysqlsh-gui\/plugin_data\/mrs_plugin\/router_configs\/1\/mysqlrouter\"\ndeclare +i    pid=\"\"\n\npid=$(ps -W | grep mysqlrouter | awk &#039;{print $1}&#039;)\nif [ ! \"${pid}\" = \"\" ]\nthen\n   echo \"MySQL Router is running with PID = ${pid}\"\n   env kill -f \"${pid}\" > \/dev\/null 2>&1\n   pid=$(ps -W | grep mysqlrouter | awk &#039;{print $1}&#039;)\n   if [ \"${pid}\" = \"\" ]\n   then\n      rm -f \"${MSRCONF}\/mysqlrouter.pid\"\n      echo \"MySQL Router is no longer running\"\n      exit 0\n   else\n      echo \"Error: MySQL Router could not be stopped\"\n      exit 1\n   fi\nelse\n   echo \"MySQL Router is not running\"\n   exit 0\nfi<\/code><\/pre>\n<p>We can also check the API using the <code>curl<\/code> command from a terminal window or shell script. 
The following are examples of <code>curl<\/code> command invocations that extract Cowrie data from the MySQL database using the MySQL REST API:<\/p>\n<pre><code># -k skips TLS certificate verification for the local router; drop it once the router certificate is trusted by curl\n\n# Show the first 25 Cowrie sessions\ncurl -s -k 'https:\/\/localhost:8443\/honeypot\/v1\/sessions' | jq\n\n# Show the first 25 scans, server filtering\ncurl -s -k 'https:\/\/localhost:8443\/honeypot\/v1\/sessions' -G --data-urlencode 'q={\"type\":\"scan\"}' | jq\n\n# Show the first 25 attacks, server filtering\ncurl -s -k 'https:\/\/localhost:8443\/honeypot\/v1\/sessions' -G --data-urlencode 'q={\"type\":\"attack\"}' | jq\n\n# Show the first 25 attacks with successful logins, server filtering\ncurl -s -k 'https:\/\/localhost:8443\/honeypot\/v1\/attempts' -G --data-urlencode 'q={\"login\":\"true\"}' | jq\n\n# Show the first 25 attacks with successful logins, client filtering\ncurl -s -k 'https:\/\/localhost:8443\/honeypot\/v1\/sessions' | jq '.items[] | select(.credentials?[]?.login == \"true\")'\n\n# Show the first 25 attacks with unsuccessful logins, client filtering\ncurl -s -k 'https:\/\/localhost:8443\/honeypot\/v1\/sessions' | jq '.items[] | select(.credentials? | length > 0 and all(.login == \"false\"))'\n\n# Show sessions 10,001 to 10,500, server filtering (offset and limit are separate parameters;\n# a single --data-urlencode 'offset=10000&limit=500' would percent-encode the & and send one parameter)\ncurl -s -k 'https:\/\/localhost:8443\/honeypot\/v1\/sessions' -G --data-urlencode 'offset=10000' --data-urlencode 'limit=500' | jq\n\n# Show session # 12,345, server filtering\ncurl -s -k 'https:\/\/localhost:8443\/honeypot\/v1\/sessions' -G --data-urlencode 'q={\"id\":12345}' | jq\n\n# Show the first 25 sessions that originated from IP addresses operating in Spain, server filtering\ncurl -s -k 'https:\/\/localhost:8443\/honeypot\/v1\/sessions' -G --data-urlencode 'q={\"srcCountry\":\"Spain\"}' | jq\n\n# Show the first 25 sessions that originated from IP addresses operating in either Singapore or France, server filtering\ncurl -s -k 'https:\/\/localhost:8443\/honeypot\/v1\/sessions' -G --data-urlencode 'q={\"$or\":[{\"srcCountry\":\"Singapore\"},{\"srcCountry\":\"France\"}]}' | jq<\/code><\/pre>\n<p>And that&#039;s all. We covered a lot of ground and should be ready to do some serious digging into the unwanted traffic information collected by our Cowrie honeypot. Happy threat hunting!<\/p>\n<h3>Reference: The MRS JSON filter grammar<a name=2.8><\/a><\/h3>\n<p>The last example in the previous section shows how to combine filter clauses with a logical operator (in the example, <code>$or<\/code>). 
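<\/p>
<p>To see what the grammar accepts in practice, here is an added Python example (not code from the post) that validates a filter object against the grammar in this reference section and encodes it as the <code>q<\/code> parameter the way the <code>curl<\/code> examples above do, keeping <code>offset<\/code> and <code>limit<\/code> as separate parameters. The camelCase field names it uses (<code>srcCountry<\/code>, <code>trafficType<\/code>, <code>duration<\/code>) come from the mapping table above; the <code>$asof</code> clause is the one part of the grammar it leaves out.<\/p>

```python
# Added example for this post (not the author's code): validate and encode MRS JSON filters.
import json
import re
from urllib.parse import urlencode

COLUMN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9#$_]*$")  # the grammar's columnName rule
SIMPLE_OPS = {"$eq", "$ne", "$lt", "$lte", "$gt", "$gte", "$instr", "$ninstr",
              "$like", "$null", "$notnull", "$between"}
COMPLEX_KEYS = {"$and", "$or"}
SORT_VALUES = {"ASC", "DESC", "-1", "1", -1, 1}

class FilterError(ValueError):
    pass

_is_number = lambda v: isinstance(v, (int, float)) and not isinstance(v, bool)
_is_date = lambda v: isinstance(v, dict) and set(v) == {"$date"} and isinstance(v["$date"], str)

def _check_scalar(v):  # string | number | date, where date is {"$date": "<RFC3339 in UTC>"}
    if not (isinstance(v, str) or _is_number(v) or _is_date(v)):
        raise FilterError(f"unsupported value {v!r}")

def _check_simple_operator(obj):  # simpleOperatorObject: exactly one operator
    if not isinstance(obj, dict) or len(obj) != 1:
        raise FilterError(f"expected one operator, got {obj!r}")
    (op, val), = obj.items()
    if op not in SIMPLE_OPS:
        raise FilterError(f"unknown operator {op!r}")
    if op in ("$null", "$notnull") and val is not None:
        raise FilterError(f"{op} takes null")
    if op == "$between":  # [null, x], [x, null] or [x, y]; never [null, null]
        if not (isinstance(val, list) and len(val) == 2) or val == [None, None]:
            raise FilterError(f"bad $between bounds {val!r}")
        for bound in (b for b in val if b is not None):
            _check_scalar(bound)
    if op in ("$instr", "$ninstr", "$like") and not isinstance(val, str):
        raise FilterError(f"{op} takes a string")
    if op in ("$lt", "$lte", "$gt", "$gte") and not (_is_number(val) or _is_date(val)):
        raise FilterError(f"{op} takes a number or date, got {val!r}")
    if op in ("$eq", "$ne"):
        _check_scalar(val)

def _check_complex_operator(key, val):  # $and/$or : [complexValues] | simpleOperatorObject
    if not isinstance(val, list):
        return _check_simple_operator(val)
    for item in val:  # complexValue: an operator object or {columnName: ...}
        if not isinstance(item, dict) or len(item) != 1:
            raise FilterError(f"expected a single-key object in {key}, got {item!r}")
        (k, v), = item.items()
        if k in COMPLEX_KEYS:
            _check_complex_operator(k, v)
        elif k in SIMPLE_OPS:
            _check_simple_operator(item)
        else:
            _check_column_property(k, v)

def _check_column_property(name, val):  # columnName : scalar | operator object | [...]
    if not COLUMN_RE.match(name):
        raise FilterError(f"invalid column name {name!r}")
    if isinstance(val, list):
        _check_complex_operator(name, val)
    elif isinstance(val, dict) and not _is_date(val):
        if len(val) == 1 and next(iter(val)) in COMPLEX_KEYS:
            _check_complex_operator(*next(iter(val.items())))
        else:
            _check_simple_operator(val)
    else:
        _check_scalar(val)

def validate_filter(obj):
    """Check a whole FilterObject; returns it unchanged or raises FilterError."""
    if not isinstance(obj, dict):
        raise FilterError("filter must be a JSON object")
    for key, val in obj.items():
        if key == "$orderby":
            if not isinstance(val, dict) or not val or not all(
                    COLUMN_RE.match(c) and d in SORT_VALUES for c, d in val.items()):
                raise FilterError(f"bad $orderby value {val!r}")
        elif key in COMPLEX_KEYS:
            _check_complex_operator(key, val)
        else:  # $asof is left out here; any other $-prefixed key fails the column rule
            _check_column_property(key, val)
    return obj

def is_valid_filter(obj):
    try:
        return validate_filter(obj) is obj
    except FilterError:
        return False

def mrs_query(filter_obj=None, offset=None, limit=None):
    """Encode like the curl examples: q holds compact JSON; offset and limit stay separate."""
    params = []
    if filter_obj is not None:
        params.append(("q", json.dumps(validate_filter(filter_obj), separators=(",", ":"))))
    if offset is not None:
        params.append(("offset", str(int(offset))))
    if limit is not None:
        params.append(("limit", str(int(limit))))
    return urlencode(params)
```

<p>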
The complete specification of the JSON filter grammar supported by the MySQL REST Service is as follows:<\/p>\n<pre><code>FilterObject { orderby , asof, wmembers }\n\n orderby\n    \"$orderby\": {orderByMembers}\n\n orderByMembers\n    orderByProperty\n    orderByProperty , orderByMembers\n\n orderByProperty\n    columnName : sortingValue\n\n sortingValue\n    \"ASC\"\n    \"DESC\"\n    \"-1\"\n    \"1\"\n    -1\n    1\n\n asof\n    \"$asof\": date\n    \"$asof\": \"datechars\"\n    \"$asof\": scn\n    \"$asof\": +int\n\n wmembers\n    wpair\n    wpair , wmembers\n\n wpair\n    columnProperty\n    complexOperatorProperty\n\n columnProperty\n    columnName : string\n    columnName : number\n    columnName : date\n    columnName : simpleOperatorObject\n\n columnName : complexOperatorObject\n    columnName : [complexValues]\n\n columnName\n    \"\\p{Alpha}[[\\p{Alpha}]]([[\\p{Alnum}]#$_])*$\"\n\n complexOperatorProperty\n    complexKey : [complexValues]\n    complexKey : simpleOperatorObject \n\n complexKey\n    \"$and\"\n    \"$or\"\n\n complexValues\n    complexValue , complexValues\n\n complexValue\n    simpleOperatorObject\n    complexOperatorObject\n    columnObject\n\n columnObject\n    {columnProperty}\n\n simpleOperatorObject\n    {simpleOperatorProperty}\n\n complexOperatorObject\n    {complexOperatorProperty}\n\n simpleOperatorProperty\n    \"$eq\" : string | number | date\n    \"$ne\" : string | number | date\n    \"$lt\" :  number | date\n    \"$lte\" : number | date\n    \"$gt\" : number | date\n    \"$gte\" : number | date\n    \"$instr\" : string \n    \"$ninstr\" : string\n    \"$like\" : string\n    \"$null\" : null\n    \"$notnull\" : null\n    \"$between\" : betweenValue\n    \"$like\": string\n\n betweenValue\n    [null , betweenNotNull]\n    [betweenNotNull , null]\n    [betweenRegular , betweenRegular]\n\n betweenNotNull\n    number\n    date\n\n betweenRegular\n    string\n    number\n    date\n\n string \n    JSONString\n\n number\n    
JSONNumber\n\n date\n    {\"$date\":\"datechars\"}\n\n scn\n    {\"$scn\": +int}\n\n datechars is an RFC3339 date format in UTC (Z)\n\n JSONString\n    \"\"\n    \" chars \"\n\n chars\n    char\n    char chars\n\n char\n    any-Unicode-character except-\"-or-\\-or-control-character\n    \\\"\n    \\\\\n    \\\/\n    \\b\n    \\f\n    \\n\n    \\r\n    \\t\n    \\u four-hex-digits\n\n JSONNumber\n    int\n    int frac\n    int exp\n    int frac exp\n\n int\n    digit\n    digit1-9 digits \n    - digit\n    - digit1-9 digits\n\n frac\n    . digits\n\n exp\n    e digits\n\n digits\n    digit\n    digit digits\n\n e\n    e\n    e+\n    e-\n    E\n    E+\n    E-<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Back on July 22, 2023, I wrote a blog post describing how to install the Cowrie honeypot and use Splunk Enterprise as its data repository. Although proprietary, Splunk is free if you keep your data volume under 500 MB per day. That solution worked fine for about six months, but then one day the honeypot [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-261","post","type-post","status-publish","format-standard","hentry","category-cyber"],"aioseo_notices":[],"aioseo_head":"\n\t\t<!-- All in One SEO 4.9.8 - aioseo.com -->\n\t<meta name=\"description\" content=\"Back on July 22, 2023, I wrote a blog post describing how to install the Cowrie honeypot and use Splunk Enterprise as its data repository. Although proprietary, Splunk is free if you keep your data volume under 500 MB per day. 
That solution worked fine for about six months, but then one day the honeypot\" \/>\n\t<meta name=\"robots\" content=\"max-image-preview:large\" \/>\n\t<meta name=\"author\" content=\"Rufo De Francisco\"\/>\n\t<link rel=\"canonical\" href=\"https:\/\/defrancisco.us\/blog\/index.php\/2024\/01\/13\/honeypot-installation-revisited-ditching-splunk-for-mysql\/\" \/>\n\t\t<meta property=\"article:published_time\" content=\"2024-01-13T16:46:28+00:00\" \/>\n\t\t<meta property=\"article:modified_time\" content=\"2025-01-13T17:44:45+00:00\" \/>\n\t\t<!-- All in One SEO -->\n\n"}
ult":true,"robots_noindex":false,"robots_noarchive":false,"robots_nosnippet":false,"robots_nofollow":false,"robots_noimageindex":false,"robots_noodp":false,"robots_notranslate":false,"robots_max_snippet":"-1","robots_max_videopreview":"-1","robots_max_imagepreview":"large","priority":null,"frequency":"default","local_seo":null,"limit_modified_date":true,"created":"2024-03-17 23:57:10","updated":"2026-06-25 06:16:27","ai":null,"breadcrumb_settings":null,"seo_analyzer_scan_date":null},"aioseo_breadcrumb":"<div class=\"aioseo-breadcrumbs\"><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/defrancisco.us\/blog\" title=\"Home\">Home<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/defrancisco.us\/blog\/index.php\/category\/cyber\/\" title=\"cyber\">cyber<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\tHoneypot Installation Revisited: Ditching Splunk for MySQL\n\t\t<\/span><\/div>","aioseo_breadcrumb_json":[{"label":"Home","link":"https:\/\/defrancisco.us\/blog"},{"label":"cyber","link":"https:\/\/defrancisco.us\/blog\/index.php\/category\/cyber\/"},{"label":"Honeypot Installation Revisited: Ditching Splunk for 
MySQL","link":"https:\/\/defrancisco.us\/blog\/index.php\/2024\/01\/13\/honeypot-installation-revisited-ditching-splunk-for-mysql\/"}],"_links":{"self":[{"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/posts\/261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=261"}],"version-history":[{"count":0,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/posts\/261\/revisions"}],"wp:attachment":[{"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}