Parse bitvise login log in windows event log

Hi, I have a new case. All my Windows servers are using Bitvise for remote desktop.
(When I use Bitvise for remote desktop on Windows, event_id 4624 contains the logon username but not the real login IP. It is always 127.0.0.1.)
Bitvise writes its login log into the event log with event_id=4097.
Now I want to parse this log with event id 4097.
Can someone help me?

P/s: This is my log flow

Winlogbeat -> Logstash -> ES

Here is the log from winlogbeat

{
  "_index": "wb-server-2017.39",
  "_type": "wineventlog",
  "_id": "AV64MpbsuBaoJ_JnxAi4",
  "_version": 1,
  "_score": null,
  "_source": {
    "computer_name": "Server1.HO.FPT.VN",
    "keywords": [
      "Classic"
    ],
    "log_name": "Application",
    "level": "Information",
    "beatname": "wb-server",
    "record_number": "18049021",
    "event_data": {
      "param1": "event\n  time: 2017-09-25 15:41:25.615035 +0700\n  app: BvSshServer 7.14\n  name: I_CHANNEL_C2S_CLTSIDE_FORWARDING_ENDED\n  desc: Client-configured client-to-server port forwarding ended.\n  session\n    id: 1033\n    service: SSH\n    remoteAddress: 10.11.0.45:64798\n    windowsAccount: HO.FPT.VN\\admin1\n  channel\n    type: direct-tcpip\n    originAddress: 127.0.0.1:64804\n    requestAddress: 127.0.0.1:3389\n    targetAddress: 127.0.0.1:3389"
    },
    "message": "event\n  time: 2017-09-25 15:41:25.615035 +0700\n  app: BvSshServer 7.14\n  name: I_CHANNEL_C2S_CLTSIDE_FORWARDING_ENDED\n  desc: Client-configured client-to-server port forwarding ended.\n  session\n    id: 1033\n    service: SSH\n    remoteAddress: 10.11.0.45:64798\n    windowsAccount: HO.FPT.VN\\admin1\n  channel\n    type: direct-tcpip\n    originAddress: 127.0.0.1:64804\n    requestAddress: 127.0.0.1:3389\n    targetAddress: 127.0.0.1:3389",
    "opcode": "Info",
    "type": "wineventlog",
    "tags": [],
    "@timestamp": "2017-09-25T08:41:25.000Z",
    "event_id": 4097,
    "beattype": "wineventlog",
    "@version": "1",
    "beat": {
      "name": "Server-REMOTE",
      "hostname": "Server-REMOTE",
      "version": "5.4.0"
    },
    "host": "Server-REMOTE",
    "source_name": "BvSshServer",
    "event_data.machine": "false"
  },
  "fields": {
    "@timestamp": [
      1506328885000
    ]
  },
  "sort": [
    1506328885000,
    92471
  ]
}

The log that needs filtering

"event_data": {
      "param1": "event\n  time: 2017-09-25 15:41:25.615035 +0700\n  app: BvSshServer 7.14\n  name: I_CHANNEL_C2S_CLTSIDE_FORWARDING_ENDED\n  desc: Client-configured client-to-server port forwarding ended.\n  session\n    id: 1033\n    service: SSH\n    remoteAddress: 10.11.0.45:64798\n    windowsAccount: HO.FPT.VN\\admin1\n  channel\n    type: direct-tcpip\n    originAddress: 127.0.0.1:64804\n    requestAddress: 127.0.0.1:3389\n    targetAddress: 127.0.0.1:3389"
    },

Unfortunately for you the Bitvise software is not writing the event log in a structured or parameterized manner. You'll need to use Logstash to parse the message in order to extract the IP fields. You can use a grok filter for this.


Thanks @andrewkroh,

I know that, I'm using a grok filter for filtering all my logs. But with this log, I can't filter with a grok pattern.
So I need someone to help me filter it with grok :'(.
Thanks for all!

Using your log message and https://grokdebug.herokuapp.com/ I was able to put this filter together to get you started. You should be able to add that filter to your Logstash config.

.*id: %{NUMBER:session}.*service: %{WORD:service}.*remoteAddress: %{IP:remote.host}:%{NUMBER:remote.port}.*windowsAccount: %{NOTSPACE:account}\\n.*originAddress: %{IP:origin.host}:%{NUMBER:origin.port}.*requestAddress: %{IP:request.host}:%{NUMBER:request.port}.*targetAddress: %{IP:target.host}:%{NUMBER:target.port}

Output:

{
  "session": [
    [
      "1033"
    ]
  ],
  "service": [
    [
      "SSH"
    ]
  ],
  "remote": [
    [
      "10.11.0.45"
    ],
    [
      "64798"
    ]
  ],
  "account": [
    [
      "HO.FPT.VN\\\\admin1"
    ]
  ],
  "origin": [
    [
      "127.0.0.1"
    ],
    [
      "64804"
    ]
  ],
  "request": [
    [
      "127.0.0.1"
    ],
    [
      "3389"
    ]
  ],
  "target": [
    [
      "127.0.0.1"
    ],
    [
      "3389"
    ]
  ]
}
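As an added example (my own code, not from the thread, Bitvise or Elastic), here is a small Python parser for the indented text that BvSshServer puts in event 4097; it walks the event/session/channel sections instead of relying on `.*` in a regex, and splits the address values into host/port fields in the style of the grok filter above. The `session.*`/`channel.*` prefixes and the function names are my choice; the point for a defender is that the real peer is `session.remoteAddress`, while the `channel` addresses are the loopback forward to 3389 that event 4624 sees as 127.0.0.1.

```python
from typing import Dict, List, Tuple

# Constructed sample: the "message" body of the winlogbeat document quoted in
# the question (event 4097 from BvSshServer), with its "\n" line breaks.
SAMPLE_MESSAGE = (
    "event\n  time: 2017-09-25 15:41:25.615035 +0700\n  app: BvSshServer 7.14\n"
    "  name: I_CHANNEL_C2S_CLTSIDE_FORWARDING_ENDED\n"
    "  desc: Client-configured client-to-server port forwarding ended.\n"
    "  session\n    id: 1033\n    service: SSH\n"
    "    remoteAddress: 10.11.0.45:64798\n    windowsAccount: HO.FPT.VN\\admin1\n"
    "  channel\n    type: direct-tcpip\n    originAddress: 127.0.0.1:64804\n"
    "    requestAddress: 127.0.0.1:3389\n    targetAddress: 127.0.0.1:3389"
)

# "ip:port" values are split into <name>.host / <name>.port, matching the
# remote.host / remote.port naming used by the grok filter in the reply above.
ADDRESS_KEYS = {"remoteAddress": "remote", "originAddress": "origin",
                "requestAddress": "request", "targetAddress": "target"}


def parse_bvssh_message(text: str) -> Dict[str, str]:
    """Parse the indented BvSshServer text into flat dotted keys such as
    'session.remote.host': a line without ': ' opens a section, a 'key: value'
    line belongs to the innermost open section; the outer 'event' is dropped."""
    fields: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, section name)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:  # close deeper/equal sections
            stack.pop()
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            stack.append((indent, key))  # section header, e.g. "session"
            continue
        prefix = ".".join(name for _, name in stack[1:])
        if key in ADDRESS_KEYS and ":" in value:
            host, port = value.rsplit(":", 1)
            base = ".".join(p for p in (prefix, ADDRESS_KEYS[key]) if p)
            fields[base + ".host"], fields[base + ".port"] = host, port
        else:
            fields[".".join(p for p in (prefix, key) if p)] = value
    return fields


def real_client_ip(fields: Dict[str, str]) -> str:
    """The peer that actually connected (session.remoteAddress), not the
    127.0.0.1 that the forwarded RDP session shows in event 4624."""
    return fields.get("session.remote.host", "")
```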

Thanks @andrewkroh, I added it to my grok filter config. It worked.
Thanks again and have a good day!
