Winlogbeat Remote Desktop Connection Auditing

How can I extract remote desktop connection messages from Winlogbeat?

Configure Winlogbeat to monitor the Security event log. Event 4624 has information about logons, including remote desktop connections. According to that page, LogonType 10 is used for Remote Desktop, so you could filter in Kibana with (if using Winlogbeat v5):

event_id: 4624 AND event_data.LogonType: 10

3 Likes

Thanks for your reply @andrewkroh, but I can't see the login IP address of the RDP connection. Is there any way to do it?

I performed a Remote Desktop logon to a Windows 7 Professional box and the IP address was logged in event 4624.

    ...
    "event_data": {
      "AuthenticationPackageName": "Negotiate",
      "IpAddress": "192.168.99.1",
      "IpPort": "49818",
      "KeyLength": "0",
      "LmPackageName": "-",
      "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
      "LogonProcessName": "User32 ",
      "LogonType": "10",
      "ProcessId": "0x6af0",
      "ProcessName": "C:\\Windows\\System32\\winlogon.exe",
      "SubjectDomainName": "WORKGROUP",
      "SubjectLogonId": "0x3e7",
      "SubjectUserName": "WIN7$",
      "SubjectUserSid": "S-1-5-18",
      "TargetDomainName": "win7",
      "TargetLogonId": "0x9cfa38",
      "TargetUserName": "vagrant",
      "TargetUserSid": "S-1-5-21-1432328479-15621444-2183371920-1000",
      "TransmittedServices": "-",
      "WorkstationName": "WIN7"
    }

Make sure that you have auditing enabled for "Audit account logon events" and "Audit logon events". This is enabled through a Group Policy or Local Security Policy.

1 Like
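The two answers above boil down to one filter (Security event 4624 with event_data.LogonType 10) and one field to pull out of it (event_data.IpAddress). The script below is an added example, not code from this thread or from Winlogbeat itself: it applies that filter to Winlogbeat 5 JSON documents laid out like the one posted above and reports who logged on via RDP, from which address, to which host. The event documents are constructed for illustration (trimmed to the fields used; the second one models the network logon that Network Level Authentication produces right before the RDP session logon, which is deliberately not counted as an RDP connection), and the field names (`@timestamp`, `computer_name`, `event_id`, `event_data.*`) are the Winlogbeat 5 ones visible on this page.

```python
"""Pick RDP logons (Security 4624, LogonType 10) out of Winlogbeat 5 JSON events.

Added example for this thread; not Winlogbeat code. The documents in
SAMPLE_EVENTS are constructed to mirror the event_data layout shown above.
"""
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, List

LOGON_EVENT_ID = 4624   # "An account was successfully logged on"
RDP_LOGON_TYPE = "10"   # RemoteInteractive: Terminal Services / Remote Desktop

# Constructed Winlogbeat 5 documents, trimmed to the fields this script reads.
SAMPLE_EVENTS: List[dict] = [
    # RDP session logon, as in the event posted above
    {"@timestamp": "2016-04-01T10:00:00.000Z", "computer_name": "WIN7",
     "event_id": 4624, "log_name": "Security",
     "event_data": {"LogonType": "10", "IpAddress": "192.168.99.1", "IpPort": "49818",
                    "TargetDomainName": "win7", "TargetUserName": "vagrant"}},
    # Network logon from the same client (NLA pre-authentication): not the RDP session
    {"@timestamp": "2016-04-01T09:59:59.000Z", "computer_name": "WIN7",
     "event_id": 4624, "log_name": "Security",
     "event_data": {"LogonType": "3", "IpAddress": "192.168.99.1", "IpPort": "49817",
                    "TargetDomainName": "win7", "TargetUserName": "vagrant"}},
    # Console logon: Windows records "-" when there is no network address
    {"@timestamp": "2016-04-01T08:00:00.000Z", "computer_name": "WIN7",
     "event_id": 4624, "log_name": "Security",
     "event_data": {"LogonType": "2", "IpAddress": "-", "IpPort": "-",
                    "TargetDomainName": "win7", "TargetUserName": "vagrant"}},
    # Logoff: right log, wrong event id
    {"@timestamp": "2016-04-01T11:00:00.000Z", "computer_name": "WIN7",
     "event_id": 4634, "log_name": "Security",
     "event_data": {"LogonType": "10", "TargetDomainName": "win7", "TargetUserName": "vagrant"}},
    # Second RDP logon, different client and account
    {"@timestamp": "2016-04-01T12:30:00.000Z", "computer_name": "WIN7",
     "event_id": 4624, "log_name": "Security",
     "event_data": {"LogonType": "10", "IpAddress": "10.0.0.5", "IpPort": "50102",
                    "TargetDomainName": "WORKGROUP", "TargetUserName": "admin"}},
    # RDP logon for which no address was recorded (constructed edge case)
    {"@timestamp": "2016-04-01T13:00:00.000Z", "computer_name": "WIN7",
     "event_id": 4624, "log_name": "Security",
     "event_data": {"LogonType": "10", "IpAddress": "-", "IpPort": "-",
                    "TargetDomainName": "win7", "TargetUserName": "vagrant"}},
]


def is_rdp_logon(event: dict) -> bool:
    """True for a successful RemoteInteractive logon (event 4624, LogonType 10)."""
    data = event.get("event_data") or {}
    try:
        event_id = int(event.get("event_id", -1))   # integer in Winlogbeat 5 documents
    except (TypeError, ValueError):
        return False
    return event_id == LOGON_EVENT_ID and str(data.get("LogonType")) == RDP_LOGON_TYPE


def rdp_logons(events: Iterable[dict]) -> Iterator[Dict[str, str]]:
    """Yield one flat record per RDP logon: time, host, account, source IP and port."""
    for event in events:
        if not is_rdp_logon(event):
            continue
        data = event["event_data"]
        yield {
            "time": event.get("@timestamp", "-"),
            "host": event.get("computer_name", "-"),
            "user": f"{data.get('TargetDomainName', '-')}\\{data.get('TargetUserName', '-')}",
            # Windows writes "-" rather than omitting the field when no address is known
            "source_ip": data.get("IpAddress") or "-",
            "source_port": data.get("IpPort") or "-",
        }


def count_by_source(events: Iterable[dict]) -> Counter:
    """Number of RDP logons per source address; a quick triage view."""
    return Counter(record["source_ip"] for record in rdp_logons(events))


def rdp_logons_from_ndjson(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the same filter over newline-delimited JSON (e.g. Winlogbeat's file output)."""
    documents = (json.loads(line) for line in lines if line.strip())
    return list(rdp_logons(documents))


if __name__ == "__main__":
    for record in rdp_logons(SAMPLE_EVENTS):
        print(f"{record['time']} {record['host']} {record['user']} "
              f"from {record['source_ip']}:{record['source_port']}")
    print(dict(count_by_source(SAMPLE_EVENTS)))
```

Two caveats the example encodes: with Network Level Authentication a single RDP connection also produces a 4624 with LogonType 3 from the same client address, so filtering on LogonType 10 alone is the right way to count sessions rather than authentications; and `IpAddress` can legitimately be `-`, so code that expects a dotted address on every LogonType 10 event will break on real logs.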

Thank you so much. I'll try it.

Could you provide me with your Logstash and Winlogbeat configuration files?

I'm not using Logstash, and I am using the default config file that Winlogbeat 5.0.0-alpha1 ships with (I only changed the Elasticsearch IP address).

Thanks for your information. I am fine with 5.0 alpha1