OpenCanary

This integration collects and parses logs from OpenCanary honeypots.

Version: 0.1.3
Compatible Kibana version(s): 8.13.0 or higher
Supported Serverless project types: Security, Observability
Subscription level: Basic
Level of support: Community

This integration ingests event logs from Thinkst OpenCanary honeypots and parses the messages OpenCanary writes into structured fields.

Data streams

The OpenCanary integration collects the following event types:

  • events

Requirements

Elastic Agent must be installed. For more details and installation instructions, please refer to the Elastic Agent Installation Guide.

Installing and managing an Elastic Agent:

There are several options for installing and managing Elastic Agent:

Install a Fleet-managed Elastic Agent (recommended):

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

Please note, there are minimum requirements for running Elastic Agent. For more information, refer to the Elastic Agent Minimum Requirements.

Enabling the integration in Elastic:

  1. In Kibana navigate to Management > Integrations.
  2. In "Search for integrations" top bar, search for OpenCanary.
  3. Select the "OpenCanary" integration from the search results.
  4. Select "Add OpenCanary" to add the integration.
  5. Add all the required integration configuration parameters.
  6. Select "Save and continue" to save the integration.

Logs

OpenCanary

The events dataset collects the OpenCanary logs.

An example event for events looks as follows:

{
    "@timestamp": "2024-04-05T14:37:26.457Z",
    "destination": {
        "address": "10.10.10.10",
        "domain": "OpenCanary1",
        "ip": "10.10.10.10",
        "port": 445
    },
    "event": {
        "action": "flistxattr",
        "category": [
            "network",
            "intrusion_detection"
        ],
        "created": "2024-04-05T14:37:26.457Z",
        "kind": [
            "alert"
        ],
        "original": "{\"dst_host\": \"10.10.10.10\", \"dst_port\": 445, \"local_time\": \"2024-04-05 14:37:26.457226\", \"local_time_adjusted\": \"2024-04-05 07:37:26.457252\", \"logdata\": {\"AUDITACTION\": \"flistxattr\", \"DOMAIN\": \"CONTOSO\", \"FILENAME\": \"/shares/database\", \"LOCALNAME\": \"OpenCanary1\", \"REMOTENAME\": \"Client1\", \"SHARENAME\": \"database\", \"SMBARCH\": \"OSX\", \"SMBVER\": \"SMB3_11\", \"STATUS\": \"ok\", \"USER\": \"jdoe\"}, \"logtype\": 5000, \"node_id\": \"opencanary-1\", \"src_host\": \"192.168.0.10\", \"src_port\": \"-1\", \"utc_time\": \"2024-04-05 14:37:26.457249\"}",
        "provider": "LOG_SMB_FILE_OPEN",
        "start": "2024-04-05T14:37:26.457Z",
        "type": [
            "connection"
        ]
    },
    "log": {
        "logger": "LOG_SMB_FILE_OPEN"
    },
    "network": {
        "direction": "internal"
    },
    "opencanary": {
        "node": {
            "id": "opencanary-1"
        },
        "smb": {
            "filename": "/shares/database",
            "share_name": "database",
            "smb_arch": "OSX",
            "smb_version": "SMB3_11",
            "status": "ok"
        }
    },
    "related": {
        "hosts": [
            "OpenCanary1",
            "Client1"
        ],
        "ip": [
            "10.10.10.10",
            "192.168.0.10"
        ],
        "user": [
            "jdoe"
        ]
    },
    "source": {
        "address": "192.168.0.10",
        "domain": "Client1",
        "ip": "192.168.0.10",
        "port": -1
    },
    "tags": [
        "preserve_original_event",
        "redact_passwords"
    ],
    "user": {
        "domain": "CONTOSO",
        "name": "jdoe"
    }
}
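To show what the integration's parsing step has to do with a raw line, here is an added example (written for this page; it is neither the integration's ingest pipeline nor OpenCanary code) that normalises one OpenCanary JSON log line into the layout of the sample event above. The logtype 5000 = LOG_SMB_FILE_OPEN mapping and the SMB logdata keys come from the sample event; the other logtype names, the SSH logdata key names, the opencanary.ssh.password field and the redaction rule are assumptions, and both sample lines are constructed.

```python
# Added example, not the integration's pipeline and not OpenCanary code: map a
# raw OpenCanary JSON line to the field layout of the sample event above.
# Only logtype 5000 and the SMB keys are taken from the page; rest is assumed.
import ipaddress
import json
from datetime import datetime, timezone

LOGTYPE_NAMES = {
    5000: "LOG_SMB_FILE_OPEN",      # from the page's sample event
    4002: "LOG_SSH_LOGIN_ATTEMPT",  # assumed OpenCanary logger constant
    5001: "LOG_PORT_SYN",           # assumed OpenCanary logger constant
}

SAMPLE_LINES = [  # constructed; the first mirrors the page's event.original
    '{"dst_host": "10.10.10.10", "dst_port": 445, "logdata": {"AUDITACTION": "flistxattr", '
    '"DOMAIN": "CONTOSO", "FILENAME": "/shares/database", "LOCALNAME": "OpenCanary1", '
    '"REMOTENAME": "Client1", "SHARENAME": "database", "SMBARCH": "OSX", "SMBVER": "SMB3_11", '
    '"STATUS": "ok", "USER": "jdoe"}, "logtype": 5000, "node_id": "opencanary-1", '
    '"src_host": "192.168.0.10", "src_port": "-1", "utc_time": "2024-04-05 14:37:26.457249"}',
    '{"dst_host": "10.10.10.10", "dst_port": 22, "logdata": {"USERNAME": "root", '
    '"PASSWORD": "constructed-secret", "LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1", '
    '"REMOTEVERSION": "SSH-2.0-libssh_0.9.6"}, "logtype": 4002, "node_id": "opencanary-1", '
    '"src_host": "192.168.0.77", "src_port": 51822, "utc_time": "2024-04-05 14:40:01.000001"}',
]

def _port(value):
    # OpenCanary may emit ports as strings and uses -1 for "unknown"; keep it
    # rather than dropping the whole endpoint (cf. the 0.1.1 changelog entry).
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def _direction(src, dst):
    """Both endpoints private -> internal, as in the page's sample event."""
    try:
        private = [ipaddress.ip_address(a).is_private for a in (src, dst)]
    except ValueError:
        return "unknown"
    return "internal" if all(private) else ("inbound" if private[1] else "outbound")

def normalize(line, redact_passwords=True):
    raw = json.loads(line)
    logdata = dict(raw.get("logdata", {}))
    logtype = raw.get("logtype")
    tags = ["preserve_original_event"]
    # Redact before event.original is built: preserving the raw line would
    # otherwise re-expose the credential that was typed at the honeypot.
    if redact_passwords and "PASSWORD" in logdata:
        logdata["PASSWORD"] = "[REDACTED]"
        raw["logdata"] = logdata
        tags.append("redact_passwords")
    ts = datetime.strptime(raw["utc_time"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    event = {
        "@timestamp": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "event": {
            "provider": LOGTYPE_NAMES.get(logtype, f"LOGTYPE_{logtype}"),
            "kind": ["alert"],
            "category": ["network", "intrusion_detection"],
            "original": json.dumps(raw) if "redact_passwords" in tags else line,
        },
        "opencanary": {"node": {"id": raw.get("node_id")}},
        "source": {"ip": raw.get("src_host"), "port": _port(raw.get("src_port"))},
        "destination": {"ip": raw.get("dst_host"), "port": _port(raw.get("dst_port"))},
        "network": {"direction": _direction(raw.get("src_host"), raw.get("dst_host"))},
        "user": {},
        "tags": tags,
    }
    if logtype == 5000:  # SMB file open; logdata keys as in the page's sample
        event["opencanary"]["smb"] = {
            "audit_action": logdata.get("AUDITACTION"),
            "filename": logdata.get("FILENAME"),
            "share_name": logdata.get("SHARENAME"),
            "smb_arch": logdata.get("SMBARCH"),
            "smb_version": logdata.get("SMBVER"),
            "status": logdata.get("STATUS"),
        }
        event["event"]["action"] = logdata.get("AUDITACTION")
        event["destination"]["domain"] = logdata.get("LOCALNAME")
        event["source"]["domain"] = logdata.get("REMOTENAME")
        event["user"] = {"name": logdata.get("USER"), "domain": logdata.get("DOMAIN")}
    elif logtype == 4002:  # SSH login attempt; logdata key names are assumed
        event["opencanary"]["ssh"] = {
            "local_version": logdata.get("LOCALVERSION"),
            "remote_version": logdata.get("REMOTEVERSION"),
            "password": logdata.get("PASSWORD"),  # already redacted if requested
        }
        event["user"] = {"name": logdata.get("USERNAME")}
    # related.* lets one query find every event touching a host, IP or user.
    event["related"] = {
        "hosts": [h for h in (event["destination"].get("domain"), event["source"].get("domain")) if h],
        "ip": list(dict.fromkeys(ip for ip in (event["destination"]["ip"], event["source"]["ip"]) if ip)),
        "user": [u for u in (event["user"].get("name"),) if u],
    }
    return event

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(json.dumps(normalize(sample), indent=2))
```

Two details matter for a honeypot feed. First, a source port of -1 is a legitimate "unknown" marker from OpenCanary, so the normaliser keeps it instead of discarding the endpoint, which is the failure mode the 0.1.1 changelog entry describes. Second, the preserve_original_event and redact_passwords tags interact: if the raw line is copied into event.original before credentials are scrubbed, the redaction is cosmetic, so the example rewrites the original from the redacted document.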

Exported fields

Field | Description | Type
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date
cloud.image.id | Image ID for the cloud instance. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset. | constant_keyword
event.module | Event module. | constant_keyword
host.containerized | If the host is a container. | boolean
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
input.type | Input type. | keyword
log.offset | Offset of the entry in the log file. | long
opencanary.logdata.cwr | | keyword
opencanary.logdata.df | | keyword
opencanary.logdata.ece | | keyword
opencanary.logdata.id | | long
opencanary.logdata.len | | keyword
opencanary.logdata.prec | | keyword
opencanary.logdata.res | | keyword
opencanary.logdata.session | | keyword
opencanary.logdata.syn | | keyword
opencanary.logdata.tos | | keyword
opencanary.logdata.ttl | | long
opencanary.logdata.urgp | | long
opencanary.logdata.window | | long
opencanary.mssql.client.app | | keyword
opencanary.mssql.client.hostname | | keyword
opencanary.mssql.client.interface_library | | keyword
opencanary.mssql.database | | keyword
opencanary.node.id | Identifier for the OpenCanary node as configured in /etc/opencanaryd/opencanary.conf. | keyword
opencanary.redis.args | | keyword
opencanary.redis.command | | keyword
opencanary.skin | Skin configured for the OpenCanary service. | keyword
opencanary.smb.audit_action | | keyword
opencanary.smb.filename | | keyword
opencanary.smb.share_name | | keyword
opencanary.smb.smb_arch | | keyword
opencanary.smb.smb_version | | keyword
opencanary.smb.status | | keyword
opencanary.ssh.local_version | | keyword
opencanary.ssh.remote_version | | keyword
opencanary.tcp_banner.banner_id | | keyword
opencanary.tcp_banner.data | | keyword
opencanary.tcp_banner.function | | keyword
opencanary.tcp_banner.secret_string | | keyword

Changelog

0.1.3
Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines.

0.1.2
Enhancement: Update documentation.

0.1.1
Bug fix: Fixes an issue where all source and destination details were removed if the source or destination port was an invalid "-1".

0.1.0
Enhancement: Update the Kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

0.0.1
Enhancement: Initial draft of the package.
