Bitvise sshd¶
About¶
Our SSH Server provides secure remote access to Windows servers and workstations. Security is our SSH server's key feature: in contrast with Telnet and FTP servers, Bitvise SSH Server encrypts data during transmission. Thus, no one can sniff your password or see what files you are transferring when you access your computer over SSH.
Product Details¶
Vendor URL: Bitvise
Product Type: SSH server
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Nxlog
Log Guide: Interpreting SSH Server Log Files
Parser Details¶
Log Format: XML
Expected Normalization Rate: 100%
Data Label: BITVISE_SSHD
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| /event/parameters[1]/@tokenLogonType | additional.fields |
| /event/parameters[1]/@tokenType | additional.fields |
| /event/parameters[1]/@groupSettings | additional.fields |
| /event/parameters[1]/@accountSettings | additional.fields |
| /event/authentication[1]/@submethod | additional.fields |
| /event/sfs[1]/parameters[1]/@upload | additional.fields |
| /event/sfs[1]/parameters[1]/@download | additional.fields |
| /event/sfs[1]/parameters[1]/@endedBy | additional.fields |
| /event/sfs[1]/parameters[1]/@finalSize | additional.fields |
| /event/sfs[1]/parameters[1]/@startSize | additional.fields |
| /event/sfs[1]/parameters[1]/@resizedFile | additional.fields |
| /event/sfs[1]/parameters[1]/@createdNewFile | additional.fields |
| /event/sfs[1]/parameters[1]/@writeRangeLength | additional.fields |
| /event/sfs[1]/parameters[1]/@readRangeLength | additional.fields |
| /event/sfs[1]/parameters[1]/@readRangeOffset | additional.fields |
| /event/sfs[1]/parameters[1]/@bytesWritten | additional.fields |
| /event/sfs[1]/parameters[1]/@bytesRead | additional.fields |
| /event/sfs[1]/parameters[1]/@timeMs | additional.fields |
| /event/sfs[1]/parameters[1]/@partialFailure | additional.fields |
| /event/parameters[1]/@remoteAlgs | additional.fields |
| /event/parameters[1]/@localAlgs | additional.fields |
| /event/parameters[1]/@algKind | additional.fields |
| /event/parameters[1]/@processFrom | additional.fields |
| /event/parameters[1]/@versionSelected | additional.fields |
| /event/parameters[1]/@versionRequested | additional.fields |
| /event/authentication[1]/@attemptNr | additional.fields |
| /event/sfs[1]/error[1]/@code | additional.fields |
| /event/sfs[1]/@code | additional.fields |
| /event/sfs[1]/error[1]/@operation | additional.fields |
| /event/sfs[1]/error[1]/@type | additional.fields |
| /event/sfs[1]/parameters[1]/@flags | additional.fields |
| /event/sfs[1]/parameters[1]/@how | additional.fields |
| /event/channel[1]/@id | additional.fields |
| /event/channel[1]/@type | additional.fields |
| /event/parameters[1]/@comprAlgOut | additional.fields |
| /event/parameters[1]/@comprAlgIn | additional.fields |
| /event/parameters[1]/@cipherAlgOut | additional.fields |
| /event/parameters[1]/@cipherAlgIn | additional.fields |
| /event/parameters[1]/@hostKeyAlg | additional.fields |
| /event/parameters[1]/@kexAlg | additional.fields |
| /event/parameters[1]/@macAlgOut | additional.fields |
| /event/parameters[1]/@macAlgIn | additional.fields |
| /event/sfs[1]/@moduleName | additional.fields |
| /event/sfs[1]/@mountPath | additional.fields |
| /event/parameters[1]/@clientVersion | additional.fields |
| /event/authentication[1]/@serialize | additional.fields |
| /event/authentication[1]/@attemptNr | additional.fields |
| /event/parameters[1]/@channelBytesReceived | additional.fields |
| /event/parameters[1]/@channelBytesSent | additional.fields |
| /event/error[1]/@class | additional.fields |
| /event/error[1]/@code | additional.fields |
| /event/error[1]/@component | additional.fields |
| /event/error[1]/@type | additional.fields |
| /event/sessions[1]/@ftp | additional.fields |
| /event/sessions[1]/@ftpAuth | additional.fields |
| /event/parameters[1]/@socketBytesReceived | additional.fields |
| /event/parameters[1]/@socketBytesSent | additional.fields |
| /event/sessions[1]/@sshAuth | additional.fields |
| /event/sessions[1]/@ssh | additional.fields |
| /event/session[1]/@loc | additional.fields |
| /event/location[1]/@continent | additional.fields |
| Bitvise (static) | metadata.vendor_name |
| SSHd (static) | metadata.product_name |
| /event/error[1]/@message | metadata.description |
| /event/help[1] | metadata.description |
| /event/@name | product_event_type |
| /event/@seq | metadata.product_log_id |
| /event/session[1]/@id | network.session_id |
| /event/@app | principal.application |
| /event/session[1]/@remoteAddress (custom filter) | principal.ip |
| /event/session[1]/@remoteAddress (custom filter) | principal.port |
| /event/@desc | security_result.summary |
| /event/error[1]/@description | security_result.description |
| /event/parameters[1]/@blockComment | security_result.description |
| /event/parameters[1]/@disconnectReason | security_result.action_details |
| /event/parameters[1]/@failureReason | security_result.action_details |
| /event/parameters[1]/@cancelReason | security_result.action_details |
| /event/parameters[1]/@addressRule | security_result.rule_name |
| if /event/@name contains I_CONNECT_ACCEPTED or I_LOGON_AUTH_SUCCEEDED or /event/@desc contains accepted | security_result.action = ALLOW |
| if /event/@name contains I_CONNECT_CANCELED or /event/@desc contains failed | security_result.action = FAIL |
| /event/session[1]/@windowsAccount | target.user.userid |
| /event/session[1]/@virtualAccount | target.user.user_display_name |
| /event/sfs[1]/parameters[1]/@finalSize | target.file.size |
| /event/sfs[1]/parameters[1]/@path | target.file.full_path |
| /event/authentication[1]/@userName | target.user.userid |
| /event/location[1]/@country | principal.location.country_or_region |
| /event/session[1]/@loc | principal.location.country_or_region |
| /event/parameters[1]/@listenAddress (custom filter) | target.ip |
| /event/parameters[1]/@listenAddress (custom filter) | target.port |
| /event/parameters[1]/@payloadBytesSent | network.sent_bytes |
| /event/parameters[1]/@bytesSent | network.sent_bytes |
| /event/parameters[1]/@payloadBytesReceived | network.received_bytes |
| /event/parameters[1]/@bytesReceived | network.received_bytes |
| /event/session[1]/@service | network.application_protocol |
| /event/authentication[1]/@method | extensions.auth.auth_details |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| I_SFS_OPEN_FILE | FILE_UNCATEGORIZED |
| I_SFS_TRANSFER_FILE | FILE_UNCATEGORIZED |
| I_SFS_GET_FILE_STATUS | FILE_UNCATEGORIZED |
| I_LOGON_AUTH_FAILED | USER_LOGIN |
| I_LOGON_AUTH_SUCCEEDED | USER_LOGIN |
| all others | GENERIC_EVENT |
Log Sample¶
<event seq="179682" time="2024-01-22 08:23:14.491921 -0800" app="BvSshServer 8.43" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally."> <session id="141217" service="SSH" remoteAddress="10.0.0.1:56847"/> <parameters disconnectReason="Socket" socketBytesReceived="0" socketBytesSent="57" payloadBytesReceived="0" payloadBytesSent="13" channelBytesReceived="0" channelBytesSent="0"/> <error type="Flow" component="SshManager/socketReader" class="WinApi" code="10054" message="An existing connection was forcibly closed by the remote host." description="FlowSocketReader: Error receiving bytes"/> <sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/> </event>
Sample Parsing¶
additional.fields["channelBytesReceived"] = "0"
additional.fields["channelBytesSent"] = "0"
additional.fields["class"] = "WinApi"
additional.fields["code"] = "10054"
additional.fields["component"] = "SshManager/socketReader"
additional.fields["error_type"] = "Flow"
additional.fields["ftp"] = "0"
additional.fields["ftpAuth"] = "0"
additional.fields["socketBytesReceived"] = "0"
additional.fields["socketBytesSent"] = "57"
additional.fields["ssh"] = "0"
additional.fields["sshAuth"] = "0"
metadata.base_labels.allow_scoped_access = true
metadata.base_labels.log_types = "BITVISE_SSHD"
metadata.description = "An existing connection was forcibly closed by the remote host."
metadata.event_timestamp.seconds = 1705940594
metadata.event_timestamp.nanos = 491000000
metadata.event_type = "GENERIC_EVENT"
metadata.product_event_type = "I_SESSION_DISCONNECTED_NORMALLY"
metadata.product_log_id = "179682"
metadata.product_name = "SSHd"
metadata.vendor_name = "Bitvise"
network.application_protocol = "SSH"
network.sent_bytes = 13
network.session_id = "141217"
principal.application = "BvSshServer 8.43"
principal.ip = "10.0.0.1"
principal.port = 56847
security_result.action_details = "Socket"
security_result.description = "FlowSocketReader: Error receiving bytes"
security_result.summary = "Session disconnected normally."
Rules¶
Coming Soon