feat(ssh): replace Cowrie with real OpenSSH + rsyslog logging pipeline

Scraps the Cowrie emulation layer. The real_ssh template now runs a
genuine sshd backed by a three-layer logging stack forwarded to stdout
as RFC 5424 for the DECNET collector:

  auth,authpriv.*  → rsyslogd → named pipe → stdout  (logins/failures)
  user.*           → rsyslogd → named pipe → stdout  (PROMPT_COMMAND cmds)
  sudo syslog=auth → rsyslogd → named pipe → stdout  (privilege escalation)
  sudo logfile     → /var/log/sudo.log               (local backup with I/O)

The ssh.py service plugin now points to templates/real_ssh and drops all
COWRIE_* / NODE_NAME env vars, sharing the same compose fragment shape as
real_ssh.py.
2026-04-11 19:12:54 -04:00
parent 9ca3b4691d
commit d4ac53c0c9
5 changed files with 209 additions and 37 deletions
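The commit message says the three facilities land on stdout as RFC 5424 for the DECNET collector. The following is an added example of what the collector side can do with those lines, not code from this repository: it parses the RFC 5424 header, splits PRI into facility and severity, classifies sshd logins/failures, sudo privilege escalations and the `user.*` PROMPT_COMMAND relay, and flags source IPs with repeated failed logins. The sample lines are constructed; the assumption that PROMPT_COMMAND messages carry the login name as APP-NAME (the `logger` default tag) is mine and is marked in the code.

```python
"""Collector-side parser for the RFC 5424 lines the real_ssh pipeline emits.

Added example, not part of the commit. SAMPLE is constructed data; the tag
assumed for PROMPT_COMMAND messages (the login name, logger's default) is an
assumption about the template, not something this page states.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
FACILITY = {0: "kern", 1: "user", 4: "auth", 10: "authpriv"}

# sshd / sudo message bodies as written by stock OpenSSH and sudo.
_ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
_FAILED = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
_SUDO = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


@dataclass
class Event:
    facility: str
    severity: int
    app: str
    kind: str                     # login_ok | login_failed | sudo | shell_cmd | other
    user: Optional[str] = None
    src_ip: Optional[str] = None
    detail: Optional[str] = None


def parse_line(line: str) -> Optional[Event]:
    """Parse one RFC 5424 line; return None if the header does not match."""
    m = _HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m["pri"])
    fac, sev = pri >> 3, pri & 7          # PRI = facility * 8 + severity
    app, msg = m["app"], m["msg"] or ""
    ev = Event(FACILITY.get(fac, str(fac)), sev, app, "other", detail=msg)
    if app == "sshd":
        if (a := _ACCEPTED.match(msg)):
            ev.kind, ev.user, ev.src_ip = "login_ok", a["user"], a["ip"]
        elif (f := _FAILED.match(msg)):
            ev.kind, ev.user, ev.src_ip = "login_failed", f["user"], f["ip"]
    elif app == "sudo" and (s := _SUDO.match(msg)):
        ev.kind, ev.user = "sudo", s["user"]
        ev.detail = f"{s['target']}: {s['cmd']}"
    elif fac == 1:                        # user.* = PROMPT_COMMAND relay
        ev.kind, ev.user = "shell_cmd", app  # assumption: logger tags with login name
    return ev


def summarize(lines, brute_threshold: int = 3) -> dict:
    """Classify a batch of lines and flag sources with repeated failed logins."""
    events = [e for e in map(parse_line, lines) if e is not None]
    kinds = Counter(e.kind for e in events)
    failed = Counter(e.src_ip for e in events if e.kind == "login_failed")
    return {
        "counts": dict(kinds),
        "brute_force_sources": sorted(ip for ip, n in failed.items() if n >= brute_threshold),
        "sudo_commands": [e.detail for e in events if e.kind == "sudo"],
    }


# Constructed sample: PRI 38 = auth.info, 13 = user.notice, 86 = authpriv.info.
SAMPLE = [
    "<38>1 2026-04-11T23:12:54Z node1 sshd 212 - - Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2",
    "<38>1 2026-04-11T23:12:55Z node1 sshd 213 - - Failed password for root from 10.0.0.9 port 40002 ssh2",
    "<38>1 2026-04-11T23:12:56Z node1 sshd 214 - - Failed password for root from 10.0.0.9 port 40003 ssh2",
    "<38>1 2026-04-11T23:13:01Z node1 sshd 215 - - Accepted password for dev from 10.0.0.5 port 51234 ssh2",
    "<13>1 2026-04-11T23:13:02Z node1 dev - - - ls /var/www/html",
    "<86>1 2026-04-11T23:13:10Z node1 sudo 240 - -     dev : TTY=pts/0 ; PWD=/home/dev ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "not a syslog line",
]

if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k}: {v}")
```

Facility is taken from PRI rather than from APP-NAME so that the `auth`/`authpriv`/`user` routing described in the commit message can be checked end to end: if an sshd line arrives with a facility other than `auth`, the rsyslog selector is not doing what the message claims.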


@@ -31,4 +31,14 @@ ls /var/www/html
HIST
fi
exec /usr/sbin/sshd -D -e
# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout → Docker log capture
mkfifo /var/run/decnet-logs
# Relay pipe to stdout so Docker captures all syslog events
cat /var/run/decnet-logs &
# Start rsyslog (reads /etc/rsyslog.d/99-decnet.conf, writes to the pipe above)
rsyslogd
# sshd logs via syslog — no -e flag, so auth events flow through rsyslog → pipe → stdout
exec /usr/sbin/sshd -D
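Review bot: `mkfifo /var/run/decnet-logs` is unguarded and the exit status of `rsyslogd` is never checked, so on a container restart (the FIFO already exists, mkfifo fails) or a failed rsyslogd start sshd still execs and every login/failure event is silently lost; suggest `[ -p /var/run/decnet-logs ] || mkfifo /var/run/decnet-logs` and `rsyslogd || exit 1` (or `set -e` at the top of the script) so a broken logging path stops the container instead of producing an sshd with no auth log. The backgrounded `cat /var/run/decnet-logs &` relay is also unsupervised: if it exits, rsyslogd's writes to the pipe fail with EPIPE and the pipeline goes dark while sshd keeps serving. Since the whole point of dropping `-e` is that rsyslog is now the only path to stdout, consider running `rsyslogd -n` under the same supervisor as sshd rather than letting it daemonize.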