Winlogbeat Remote Desktop Connection Auditing


(Saw Winn Naung) #1

How can I extract remote desktop connection message from winlogbeat


(Andrew Kroh) #2

Configure Winlogbeat to monitor the Security event log. Event 4624 has information about logons including remote desktop connections. According to that page, LogonType 10 is used for Remote Desktop so you could filter in Kibana with (if using Winlogbeat v5):

event_id: 4624 AND event_data.LogonType: 10


(Saw Winn Naung) #3

Thanks for your reply @andrewkroh but I can't see the login IP address of RDP connection. Is there anyway to do it.


(Andrew Kroh) #4

I performed a Remote Desktop logon to a Windows 7 Professional box and the IP address was logged in event 4624.

    ...
    "event_data": {
      "AuthenticationPackageName": "Negotiate",
      "IpAddress": "192.168.99.1",
      "IpPort": "49818",
      "KeyLength": "0",
      "LmPackageName": "-",
      "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
      "LogonProcessName": "User32 ",
      "LogonType": "10",
      "ProcessId": "0x6af0",
      "ProcessName": "C:\\Windows\\System32\\winlogon.exe",
      "SubjectDomainName": "WORKGROUP",
      "SubjectLogonId": "0x3e7",
      "SubjectUserName": "WIN7$",
      "SubjectUserSid": "S-1-5-18",
      "TargetDomainName": "win7",
      "TargetLogonId": "0x9cfa38",
      "TargetUserName": "vagrant",
      "TargetUserSid": "S-1-5-21-1432328479-15621444-2183371920-1000",
      "TransmittedServices": "-",
      "WorkstationName": "WIN7"
    }

Make sure that you have auditing enabled for "Audit account logon events" and "Audit logon events". This is enabled through a Group Policy or Local Security Policy.


(Saw Winn Naung) #5

Thanks you so much. I'll try it


(Saw Winn Naung) #6

Could you provide me logstash and winlogbeat configuration files ?


(Andrew Kroh) #7

I'm not using Logstash, and I am using the default config file that Winlogbeat 5.0.0-alpha1 ships with (I only changed the Elasticsearch IP address).


(Saw Winn Naung) #8

Thanks for your information. I am fine with 5.0 alpha1


(Andrew Kroh) #9