Darwin connector (mmdarwin)
Module Name: mmdarwin
Author: Guillaume Catto <guillaume.catto@advens.fr>, Theo Bertin <theo.bertin@advens.fr>
Purpose
Darwin is an open source Artificial Intelligence Framework for CyberSecurity. The mmdarwin module lets rsyslog call Darwin in order to enrich JSON-parsed logs with a score, and/or to let Darwin generate alerts.
How to build the module
To compile rsyslog with mmdarwin, you need to:
pass --enable-mmdarwin to configure
Configuration Parameters
Note
Parameter names are case-insensitive; camelCase is recommended for readability.
Module Parameters
Parameter | Summary
---|---
container | Defines the JSON container path that holds mmdarwin's generated data.
Input Parameters
Parameter | Summary
---|---
key | Stores the Darwin score in the specified JSON field.
socketPath | Specifies the Darwin filter socket path that mmdarwin connects to.
response | Controls whether Darwin returns a score, forwards data, or does both.
filterCode | Sets the legacy Darwin filter code expected by older Darwin filters.
fields | Defines the array of values that mmdarwin forwards to Darwin as parameters.
send_partial | Controls whether mmdarwin calls Darwin when some fields are missing from the message.
Configuration example
This example shows a possible configuration of mmdarwin.
module(load="imtcp")
module(load="mmjsonparse")
module(load="mmdarwin")
input(type="imtcp" port="8042" Ruleset="darwin_ruleset")
ruleset(name="darwin_ruleset") {
    action(type="mmjsonparse" cookie="")
    action(type="mmdarwin" socketPath="/path/to/reputation_1.sock" fields=["!srcip", "ATTACK;TOR"] key="reputation" response="back" filterCode="0x72657075")
    call darwin_output
}
ruleset(name="darwin_output") {
    action(type="omfile" file="/path/to/darwin_output.log")
}
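As an added example that is not part of the rsyslog documentation or the mmdarwin module itself, the script below consumes JSON lines as the output ruleset could write them once the enriched property tree is emitted (an omfile template printing the full JSON object is assumed), reads the score that the key parameter stores under the container, and separates records that carry no score, as happens when a value listed in fields was missing and send_partial was off. The container name "mmdarwin" (the JSON form of the rainerscript path !mmdarwin), the key "reputation" from the page's configuration, the threshold and the sample records are all assumptions constructed for this example.

```python
import json

# Constructed sample output: three enriched JSON records and one malformed line.
# Layout assumed: the score sits at <container>/<key>, here "mmdarwin"/"reputation".
SAMPLE_LOG = """\
{"srcip": "203.0.113.7", "msg": "login failed", "mmdarwin": {"reputation": 90}}
{"srcip": "198.51.100.2", "msg": "login ok", "mmdarwin": {"reputation": 5}}
{"msg": "record without srcip, so Darwin was not called"}
not json at all
"""


def score_of(record, container="mmdarwin", key="reputation"):
    """Return the numeric Darwin score stored at container/key, or None.

    None covers records that were never scored, e.g. because a field named
    in `fields` was absent and send_partial was off (assumed semantics).
    """
    block = record.get(container)
    if not isinstance(block, dict):
        return None
    value = block.get(key)
    return value if isinstance(value, (int, float)) else None


def triage(log_text, threshold=80, **path):
    """Split JSON log lines into (alerts, unscored, malformed_count).

    alerts holds (score, record) pairs at or above the threshold so the
    caller can forward them; unscored records are kept for review instead
    of being silently dropped; non-JSON lines are only counted.
    """
    alerts, unscored, malformed = [], [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        score = score_of(record, **path)
        if score is None:
            unscored.append(record)
        elif score >= threshold:
            alerts.append((score, record))
    return alerts, unscored, malformed


if __name__ == "__main__":
    hits, missing, bad = triage(SAMPLE_LOG)
    print(f"{len(hits)} alert(s), {len(missing)} unscored, {bad} malformed")
```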
© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.