Starting with version 6.9.7, RdpGuard supports plugins. A plugin lets you write your own
log parser for log formats that RdpGuard does not support natively, for example logs produced
by in-house software or by software products that are not supported yet.
The idea is very simple: you define a directory and a file mask, and RdpGuard monitors the directory for files that
match the mask.
When new lines are written to a log, RdpGuard calls one method in the plugin to determine whether the log line indicates a failed
login attempt.
The plugin is a .NET class library that targets .NET Framework 4 and contains a class that implements
the IExternalLogBasedEngine
interface defined in rdpguard-plugin-api.dll, located in the
RdpGuard installation folder.
The plugin must be placed in the Plugins folder inside the RdpGuard installation folder, for example
C:\Program Files (x86)\RdpGuard\Plugins
The plugin interface is shown below:
namespace rdpguard_plugin_api {
    public interface IExternalEngine {
        string Name { get; }
        string Protocol { get; }
    }
    public interface IExternalLogBasedEngine : IExternalEngine {
        string Directory { get; }
        string FileMask { get; }
        bool IsFailedLoginAttempt(string _line, out string _ip, out string _username);
    }
}
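A sample implementation:
using rdpguard_plugin_api;
namespace rdpguard_test_plugin {
    public class MyEngine : IExternalLogBasedEngine {
        // Engine name and protocol label; the name appears in the RdpGuard log
        public string Name => "TestEngine";
        public string Protocol => "MyProto";
        // Directory to monitor and the mask of the log files inside it
        public string Directory => @"C:\MyApp\Logs\";
        public string FileMask => "*.log";
        // Called for each new log line; returns true for a failed login attempt
        public bool IsFailedLoginAttempt(string _line, out string _ip, out string _username) {
            _ip = _username = null;
            var parts = _line.Split(' ');
            // Requires at least six space-separated fields, with the marker in the third
            if (parts.Length > 5 && "AUTH-ERROR:" == parts[2]) {
                _username = parts[3];
                _ip = parts[4];
                return true;
            }
            return false;
        }
    }
}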
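A stricter variant of the IsFailedLoginAttempt parser, added here as an example (it is not RdpGuard's own code). It assumes a six-field line layout, and the namespace, class and engine names are hypothetical. The whole line is matched with an anchored pattern and the address is reported only if it parses as an IP, so a line whose fields are shifted, for instance by a user name containing a space, is ignored instead of yielding the wrong address.

```csharp
using System.Net;
using System.Net.Sockets;
using System.Text.RegularExpressions;
using rdpguard_plugin_api;

namespace rdpguard_example_plugin {                       // hypothetical namespace
    public class StrictEngine : IExternalLogBasedEngine { // hypothetical class
        // Assumed line layout (constructed to match the sample's field positions):
        //   2024-05-01 13:43:16 AUTH-ERROR: alice 203.0.113.7 bad-password
        // The pattern is anchored at both ends, so lines with extra or
        // shifted fields do not match at all.
        private static readonly Regex FailedLogin = new Regex(
            @"^\S+ \S+ AUTH-ERROR: (?<user>\S{1,64}) (?<ip>[0-9A-Fa-f:.]{2,45}) \S+$",
            RegexOptions.Compiled | RegexOptions.CultureInvariant);

        public string Name => "StrictEngine";
        public string Protocol => "MyProto";
        public string Directory => @"C:\MyApp\Logs\";
        public string FileMask => "*.log";

        public bool IsFailedLoginAttempt(string _line, out string _ip, out string _username) {
            _ip = _username = null;
            if (string.IsNullOrEmpty(_line)) return false;

            var m = FailedLogin.Match(_line.TrimEnd('\r', '\n'));
            if (!m.Success) return false;

            // Report the value only if it really is an IP address.
            IPAddress addr;
            var token = m.Groups["ip"].Value;
            if (!IPAddress.TryParse(token, out addr)) return false;
            // TryParse accepts short IPv4 forms such as "1.2" (parsed as 1.0.0.2);
            // require the dotted-quad text to round-trip unchanged.
            if (addr.AddressFamily == AddressFamily.InterNetwork && addr.ToString() != token) return false;

            _username = m.Groups["user"].Value;
            _ip = addr.ToString();   // normalized textual form
            return true;
        }
    }
}
```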
After building your plugin, copy the resulting DLL file to C:\Program Files (x86)\RdpGuard\Plugins
(create the Plugins directory if necessary) and restart the RdpGuard service (Tools, RdpGuard Service, Restart).
If you enable Verbose logging in Tools, Options, Logging, you should see log output like the following:
[I] [13:43:16] Application started: RdpGuard 6.9.6
[I] [13:43:16] Communication server started
[I] [13:43:16] Microsoft Windows 10 Pro (6.2.9200,,x64)
[I] [13:43:16] RDP::2k1216Engine worker thread started
[V] [13:43:16] SecurityEventLogWatcher started
[V] [13:43:16] CoreTsWatcher started
[V] [13:43:16] RDP::2k1216Engine started
[V] [13:43:16] RDP::LogBasedEngine started
[V] [13:43:16] RdpEngine started (security layer: SSL/TLS, port 3389)
[V] [13:43:16] ExternalLogBasedEngine::TestEngine started (C:\MyApp\Logs\)
[V] [13:43:16] RdpGuardCore:: main thread started
[V] [13:43:16] IPCloud started
[V] [13:43:16] RdpGuardCore started
[V] [13:43:16] IPCloud thread started
Feel free to contact us if you need any help with your plugin.