RdpGuard Plugin API - Bring Your Own Detection Logic for RdpGuard Log-Based Engine.
RdpGuard
Intrusion prevention system for your Windows Server
 
Follow:
Share:

RdpGuard Plugin API

Starting from version 6.9.7 RdpGuard supports plugins, providing you the way to write your own log parser for log formats that are not supported natively by RdpGuard, for example logs produced by in-house written software or software products that are not supported yet.

The idea is very simple - you define the directory and file(mask) and RdpGuard monitors the directory for files that match the criteria.

When new lines are written to the log, RdpGuard calls one method in the plugin to detect if the log line indicates failed login attempt.

The plugin is a .NET class library that targets NET. Framework 4 and contains the class that implements the IExternalLogBasedEngine interface defined in rdpguard-plugin-api.dll located in RdpGuard installation folder.

Plugin must be placed to the Plugins folder in RdpGuard installation folder, for example C:\Program Files (x86)\RdpGuard\Plugins

The plugin interface is below:

namespace rdpguard_plugin_api {

    public interface IExternalEngine {

        string Name { get; }
        string Protocol { get; }
    }

    public interface IExternalLogBasedEngine : IExternalEngine {

        string Directory { get; }
        string FileMask { get; }

        bool IsFailedLoginAttempt(string _line, out string _ip, out string _username);
    }
}

The sample implementation:

using rdpguard_plugin_api;

namespace rdpguard_test_plugin {

    public class MyEngine : IExternalLogBasedEngine {

        public string Name => "TestEngine";
        public string Protocol => "MyProto";

        public string Directory => @"C:\MyApp\Logs\";
        public string FileMask => "*.log";

        public bool IsFailedLoginAttempt(string _line, out string _ip, out string _username) {

            _ip = _username = null;

            // sample log line:
            // 2020-06-22 10:29:18 AUTH-ERROR admin 66.249.65.238 Invalid+username+or+password

            var parts = _line.Split(' ');

            if (parts.Length > 5 && "AUTH-ERROR:" == parts[2]) {
                _username = parts[3];
                _ip = parts[4];
                return true;
            }
			
            return false;
        }
    }
}

After building your plugin copy resulting DLL file to C:\Program Files (x86)\RdpGuard\Plugins (create the Plugins directory if necessary) and restart RdpGuard service (Tools, RdpGuard Service, Restart)

If you enable Verbose logging in Tools, Options, Logging, you should see log output like below:

[I] [13:43:16] Application started: RdpGuard 6.9.6
[I] [13:43:16] Communication server started
[I] [13:43:16] Microsoft Windows 10 Pro (6.2.9200,,x64)
[I] [13:43:16] RDP::2k1216Engine worker thread started
[V] [13:43:16] SecurityEventLogWatcher started
[V] [13:43:16] CoreTsWatcher started
[V] [13:43:16] RDP::2k1216Engine started
[V] [13:43:16] RDP::LogBasedEngine started
[V] [13:43:16] RdpEngine started (security layer: SSL/TLS, port 3389)
[V] [13:43:16] ExternalLogBasedEngine::TestEngine started (C:\MyApp\Logs\)
[V] [13:43:16] RdpGuardCore:: main thread started
[V] [13:43:16] IPCloud started
[V] [13:43:16] RdpGuardCore started
[V] [13:43:16] IPCloud thread started

Feel free to contact us if you need any help with your plugin.

RdpGuard 6.9.7 Free Trial

RdpGuard protects:

Social Connection
RdpGuard Logo
 
People like RdpGuard!
Our Other Products
FastGlacier
Windows Client for Amazon Glacier - new low-cost storage for data archiving and backup.
Copyright © 2012-2020 NetSDK Software. All rights reserved.  Terms of Use.  Privacy Policy.