RdpGuard Plugin API - Bring Your Own Detection Logic for RdpGuard Log-Based Engine.

RdpGuard Plugin API

Starting with version 6.9.7, RdpGuard supports plugins, which let you write your own log parser for log formats that RdpGuard does not support natively, for example logs produced by in-house software or by products that are not supported yet.

The idea is simple: you define a directory and a file mask, and RdpGuard monitors that directory for files that match.

When new lines are written to a matching log, RdpGuard calls one method in the plugin to determine whether the log line indicates a failed login attempt.

The plugin is a .NET class library that targets .NET Framework 4 and contains a class that implements the IExternalLogBasedEngine interface defined in rdpguard-plugin-api.dll, located in the RdpGuard installation folder.

The plugin must be placed in the Plugins folder in the RdpGuard installation folder, for example C:\Program Files (x86)\RdpGuard\Plugins

The plugin interface is below:

namespace rdpguard_plugin_api {

    public interface IExternalEngine {

        string Name { get; }
        string Protocol { get; }
    }

    public interface IExternalLogBasedEngine : IExternalEngine {

        string Directory { get; }
        string FileMask { get; }

        bool IsFailedLoginAttempt(string _line, out string _ip, out string _username);
    }
}

The sample implementation:

using rdpguard_plugin_api;

namespace rdpguard_test_plugin {

    public class MyEngine : IExternalLogBasedEngine {

        public string Name => "TestEngine";
        public string Protocol => "MyProto";

        public string Directory => @"C:\MyApp\Logs\";
        public string FileMask => "*.log";

        public bool IsFailedLoginAttempt(string _line, out string _ip, out string _username) {

            _ip = _username = null;

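            // sample log line:
            // 2020-06-22 10:29:18 AUTH-ERROR admin 66.249.65.238 Invalid+username+or+password
            // fields after Split(' '): [0] date, [1] time, [2] event, [3] username, [4] IP, [5] message

            var parts = _line.Split(' ');

            // the event token must equal the text in the log (the sample line has no trailing colon)
            if (parts.Length > 5 && "AUTH-ERROR" == parts[2]) {
                _username = parts[3];
                _ip = parts[4];
                return true;
            }
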
            return false;
        }
    }
}
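
A stricter parser for the same sample log format, as an added example (not code from RdpGuard or from the original page). The class name StrictEngine, the six-field layout and the length limits are assumptions; it matches the whole line and validates the address before returning it, so a malformed line is ignored rather than reported with the wrong IP.

```csharp
using System.Net;
using System.Net.Sockets;
using System.Text.RegularExpressions;
using rdpguard_plugin_api;

namespace rdpguard_test_plugin {

    // Added example, not vendor code. StrictEngine is a hypothetical name; the
    // six-field layout and length caps are assumed from the page's sample log line.
    public class StrictEngine : IExternalLogBasedEngine {

        public string Name => "StrictTestEngine";
        public string Protocol => "MyProto";
        public string Directory => @"C:\MyApp\Logs\";
        public string FileMask => "*.log";

        // date time AUTH-ERROR username ip message: anchored at both ends, exactly
        // six space-free fields, so a stray space cannot shift the address column.
        private static readonly Regex FailedLogin = new Regex(
            @"^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} AUTH-ERROR " +
            @"(?<user>\S{1,64}) (?<ip>[0-9A-Fa-f:.]{2,45}) \S+$",
            RegexOptions.Compiled | RegexOptions.CultureInvariant);

        public bool IsFailedLoginAttempt(string _line, out string _ip, out string _username) {

            _ip = _username = null;
            if (string.IsNullOrEmpty(_line))
                return false;

            var m = FailedLogin.Match(_line.TrimEnd('\r', '\n'));
            if (!m.Success)
                return false;

            // Accept only text that parses as an address. IPAddress.TryParse also
            // accepts short IPv4 forms such as "1.2", so for IPv4 require that the
            // canonical dotted-quad form equals the logged text.
            string raw = m.Groups["ip"].Value;
            IPAddress addr;
            if (!IPAddress.TryParse(raw, out addr))
                return false;
            if (addr.AddressFamily == AddressFamily.InterNetwork && addr.ToString() != raw)
                return false;

            _username = m.Groups["user"].Value;
            _ip = addr.ToString();
            return true;
        }
    }
}
```

If your application writes messages or usernames that can contain spaces, adjust the pattern to the real format rather than loosening the anchors.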

After building your plugin, copy the resulting DLL file to C:\Program Files (x86)\RdpGuard\Plugins (create the Plugins directory if necessary) and restart the RdpGuard service (Tools, RdpGuard Service, Restart).

If you enable Verbose logging in Tools, Options, Logging, you should see log output like the following, where the ExternalLogBasedEngine line shows the plugin's Name and Directory:

[I] [13:43:16] Application started: RdpGuard 6.9.6
[I] [13:43:16] Communication server started
[I] [13:43:16] Microsoft Windows 10 Pro (6.2.9200,,x64)
[I] [13:43:16] RDP::2k1216Engine worker thread started
[V] [13:43:16] SecurityEventLogWatcher started
[V] [13:43:16] CoreTsWatcher started
[V] [13:43:16] RDP::2k1216Engine started
[V] [13:43:16] RDP::LogBasedEngine started
[V] [13:43:16] RdpEngine started (security layer: SSL/TLS, port 3389)
[V] [13:43:16] ExternalLogBasedEngine::TestEngine started (C:\MyApp\Logs\)
[V] [13:43:16] RdpGuardCore:: main thread started
[V] [13:43:16] IPCloud started
[V] [13:43:16] RdpGuardCore started
[V] [13:43:16] IPCloud thread started

Feel free to contact us if you need any help with your plugin.

Copyright © 2012-2024 NetSDK Software. All rights reserved.