Adding ElasticSearch support to Kippo SSH honeypot

I am very fond of ElasticSearch as a storage infrastructure and I do believe it is very useful for storing attack data, especially from honeypots. If you follow my blog, you will have seen my first attempts at transferring Kippo’s data to ElasticSearch and at creating Kibana dashboards to visualize SSH attacks. These eventually led to the Kippo2ElasticSearch script, a simple way to transfer your logged Kippo data from MySQL to an ES instance.

But a standalone script (which, by the way, keeps no state) is not the best way to go about it. So I decided to add ElasticSearch support to Kippo itself. For that purpose I have created a fork of Kippo which is now available for testing. The git repo is hosted on GitHub:

The way it works is by filling out a new section in Kippo’s config file, where you put all the details regarding your ES instance. An example is shown below:

host =
port = 9200
index = kippo
type = auth

Before you use it you will have to install two additional requirements:

  1. pyes:
  2. GeoIP:

You then have to make sure the ES service is running and you’re ready to start Kippo. Using this fork, every connection attempt against your honeypot will be logged to your ElasticSearch instance automatically. You can then use the exported dashboard (.json file) from Kippo2ElasticSearch to visualize your data with Kibana. And just an extra note: the logging components of Kippo can be used together, so you can have MySQL and ES logging enabled at the same time.
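As an added example (not code from this post, from the Kippo fork, or from Kippo2ElasticSearch), the Python 3 script below shows what the configuration section above drives in practice: it reads the host/port/index/type keys, parses a few constructed kippo.log login-attempt lines into documents, optionally merges a GeoIP result into each one, and serialises them as an ElasticSearch _bulk request against the configured index and type. The section name [database_elasticsearch], the exact kippo.log line format, the document field names, the sensor tag and the stand-in GeoIP table are all assumptions made for the example; the fork’s own pyes-based logger may differ on every one of them.

```python
import configparser
import json
import re
import urllib.request
from datetime import datetime

# Constructed config text mirroring the four keys shown in the post. The section
# name [database_elasticsearch] is an assumption (Kippo's MySQL logger reads
# [database_mysql]); the fork's real section name may differ.
SAMPLE_CONFIG = """\
[database_elasticsearch]
host = 127.0.0.1
port = 9200
index = kippo
type = auth
"""

# Constructed kippo.log lines in the Twisted log style Kippo writes: timestamp,
# then "[service on transport,session,src_ip]", then the message. The format is
# assumed from memory; adjust LINE_RE if your kippo.log differs.
SAMPLE_LOG = """\
2014-08-12 13:11:00+0000 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.23] login attempt [root/123456] failed
2014-08-12 13:11:02+0000 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.23] login attempt [root/password] failed
2014-08-12 13:11:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [admin/admin] succeeded
2014-08-12 13:11:06+0000 [HoneyPotTransport,1,203.0.113.7] connection lost
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<session>\d+),(?P<src_ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$"
)


def load_es_config(text, section="database_elasticsearch"):
    """Read the host/port/index/type keys from the Kippo config section."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        "host": cp.get(section, "host"),
        "port": cp.getint(section, "port"),
        "index": cp.get(section, "index"),
        "type": cp.get(section, "type"),
    }


def parse_auth_line(line, sensor, geolookup=None):
    """Turn one 'login attempt' log line into an ES document; other lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S%z")
    doc = {
        "timestamp": ts.isoformat(),   # ES date fields accept ISO 8601 with offset
        "sensor": sensor,              # assumed field: lets several Kippo hosts share one index
        "session": int(m.group("session")),
        "src_ip": m.group("src_ip"),
        "username": m.group("user"),
        "password": m.group("pw"),
        "success": m.group("result") == "succeeded",
    }
    if geolookup is not None:
        geo = geolookup(doc["src_ip"])
        if geo:
            doc.update(geo)    # country + geo_point so the Kibana attack map can plot it
    return doc


def to_bulk(docs, cfg):
    """Serialise documents as an ES _bulk body: action line, source line, trailing newline."""
    out = []
    for doc in docs:
        # "_type" is the ES 1.x mapping type the post's "type = auth" refers to;
        # ES 7+ dropped mapping types, so drop this key there.
        out.append(json.dumps({"index": {"_index": cfg["index"], "_type": cfg["type"]}}))
        out.append(json.dumps(doc, sort_keys=True))
    return "\n".join(out) + "\n"


def send_bulk(payload, cfg):
    """POST the bulk body to the configured node (network call, not run offline)."""
    req = urllib.request.Request(
        "http://%s:%d/_bulk" % (cfg["host"], cfg["port"]),
        data=payload.encode("utf-8"),
        headers={"Content-Type": "application/x-ndjson"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def fake_geo(ip):
    """Constructed stand-in for the GeoIP lookup (real code queries the GeoIP database)."""
    table = {"198.51.100.23": {"country": "XA", "location": {"lat": 51.5, "lon": -0.1}}}
    return table.get(ip)


if __name__ == "__main__":
    cfg = load_es_config(SAMPLE_CONFIG)
    docs = [d for d in (parse_auth_line(line, "kippo-01", fake_geo)
                        for line in SAMPLE_LOG.splitlines()) if d]
    print(to_bulk(docs, cfg))
```

Keep the ES node that receives this on an internal address; the bulk endpoint above carries no authentication, which is exactly why the honeypot and the index should not share a host or an exposed port.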

I have also submitted my changes as a pull request to be included in the official Kippo codebase; hopefully it will be accepted. Until then you can help a lot if you give this fork a try and report back some feedback!



    • psy on August 12, 2014 at 1:11 PM

    Why not use logstash / logstash-forwarder for that?

    It’s not a good solution to have an unprotected Elasticsearch running, and of course not on the same server as the honeypot runs!

    1. Hi psy, thanks for your message.

      I get what you’re saying, but of course you can have an ES instance somewhere internally, not on the same server as the honeypot. In any case, having ElasticSearch output seems very beneficial to me.

      Regarding Logstash, that was my first thought but then I decided to implement the output directly. If you’re capable of creating a Logstash parsing configuration file please let me know and I can help spread the word.


        • psy on August 13, 2014 at 3:23 PM

        Hi Ion,

        I’m shipping the glastopf.log with logstash-forwarder, using the following logstash configuration to parse it:


        • psy on August 18, 2014 at 9:01 AM

        Err, I somehow mistook that.

        For Kippo I also use logstash-forwarder, but this logstash filter:

        Sorry for the mess!

        • Ion on August 18, 2014 at 2:10 PM

        Hey psy, this is great nonetheless 🙂

        I will definitely do a blog post at some point about combining Logstash (so the whole ELK stack, not just ES) with honeypots.


    • Craig Valli on September 15, 2014 at 4:30 AM

    Okay, works well except if you have multiple Kippo hosts feeding the Elasticsearch.
    Sorting out a solution nowish…

      • Craig Valli on September 15, 2014 at 9:49 AM

      And now it works: just an individual index for each Kippo instance… and we are good.

    • Zachary Hardie on December 9, 2014 at 5:21 PM

    Great addition. However, after importing existing data with the script and then updating my kippo instance to this ES enabled one, I am noticing that only the originally imported data is displaying on the Attack Maps and below. Any idea why this would be the case?

      • Ion on December 17, 2014 at 2:48 AM

      Hi Zachary, unfortunately I’m not sure what might cause this discrepancy you’re seeing. Have you tried manual testing/trial’n’error?

  1. […] Security Bloggers Network, Ioannis Koniaris, […]
