Problem
All existing PRs deploy honeypots that collect attacker logs locally on the EC2 instance.
These logs are lost if the instance is terminated, cannot be queried across regions,
and provide no threat enrichment context.
Proposed Solution
Build a centralized telemetry pipeline that:
- Ships Cowrie/Dionaea logs from ALL honeypot nodes (any cloud) to a secure S3 sink
- Auto-enriches attacker IPs with GeoIP + AbuseIPDB threat score via Lambda
- Makes all attack data queryable via Athena SQL (no database needed)
Implementation
terraform/modules/telemetry/ — S3 sink, Lambda trigger, Glue crawler, Athena workgrouplambda/enrichment/handler.py — Python enrichment functionansible/playbooks/install_log_forwarder.yml — Filebeat agent on honeypot nodes
Why This Matters
This directly implements the GSoC objective: "Data Enrichment: Integrate logging,
monitoring, and analytics to enrich raw data, correlating attack patterns with
global threat intelligence feeds."
Problem
All existing PRs deploy honeypots that collect attacker logs locally on the EC2 instance.
These logs are lost if the instance is terminated, cannot be queried across regions,
and provide no threat enrichment context.
Proposed Solution
Build a centralized telemetry pipeline that:
Implementation
terraform/modules/telemetry/— S3 sink, Lambda trigger, Glue crawler, Athena workgrouplambda/enrichment/handler.py— Python enrichment functionansible/playbooks/install_log_forwarder.yml— Filebeat agent on honeypot nodesWhy This Matters
This directly implements the GSoC objective: "Data Enrichment: Integrate logging,
monitoring, and analytics to enrich raw data, correlating attack patterns with
global threat intelligence feeds."