Thinkst Canary is a honeypot solution designed to alert you when a potential bad actor who already has access inside your network touches it.
Our preferred method of integration with Thinkst Canary is via the Canary Console API.
The write-up below explains how to configure your syslog installation to accept log messages from your Canary Console.
Thinkst supports (and recommends) TLS encryption for syslog, and because all traffic will originate from your console, it is easy to whitelist its domain and drop connection attempts from other hosts.
To receive alerts via syslog, you'll need:
The Canary Console runs rsyslog and emits log messages over TCP or UDP, with the optional RELP extension. It is also possible to use TLS to encrypt the message channel.
The alerts are sent with local0 facility and CRITICAL loglevel.
The messages are formatted using a tab separated key=value format.
A basic rsyslog configuration to accept log messages over TCP may look something like this (the original used curly quotes, which rsyslog rejects; they are replaced with plain ASCII quotes here):
module(load="imuxsock")
module(load="imtcp")
input(type="imtcp" port="10514")
if ($programname == "canary-tools") then /var/log/canary.log
The timestamps in the syslog messages are in UTC. Setting TZ=GMT in the props.conf file on the indexer will ensure the messages show up with the correct time.
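As an added example (not code from Thinkst or from this page), here is a small parser for the message shape described above: a syslog header whose PRI encodes local0 facility and CRITICAL severity, followed by a tab-separated key=value body. The sample line, its key names and values are constructed for illustration and are not the console's real schema.

```python
import re

LOCAL0 = 16   # syslog facility code for local0
CRITICAL = 2  # syslog severity code for crit; PRI = facility * 8 + severity

# Constructed sample line (not a real Canary alert): <130> = local0 + crit,
# then an RFC 3164 style timestamp, host and tag, then tab-separated key=value.
SAMPLE = ("<130>Mar  4 10:15:22 console canary-tools: "
          "event=example_event\tsrc_host=10.0.0.5\tdst_host=10.0.0.9\tdst_port=22")

HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$", re.S)


def parse_canary_syslog(line):
    """Split one syslog line into header fields plus the key=value body.

    Returns None when the line is not the expected shape, so a caller can
    drop or quarantine malformed input instead of crashing on it.
    """
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {}
    for item in m.group("body").split("\t"):
        key, sep, value = item.partition("=")
        if sep:  # skip empty tokens and tokens without an '=' separator
            fields[key.strip()] = value
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("tag"),
        "fields": fields,
    }


def is_canary_alert(parsed):
    """True only for messages matching what the page says the console emits."""
    return (parsed is not None
            and parsed["program"] == "canary-tools"
            and parsed["facility"] == LOCAL0
            and parsed["severity"] == CRITICAL)


if __name__ == "__main__":
    parsed = parse_canary_syslog(SAMPLE)
    print(is_canary_alert(parsed), parsed["fields"])
```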