Bitvise sshd

About

Our SSH Server provides secure remote access to Windows servers and workstations. Security is our SSH server's key feature: in contrast with Telnet and FTP servers, Bitvise SSH Server encrypts data during transmission. Thus, no one can sniff your password or see what files you are transferring when you access your computer over SSH.

Product Details

Vendor URL: Bitvise

Product Type: SSH server

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Nxlog

Log Guide: Interpreting SSH Server Log Files

Parser Details

Log Format: XML

Expected Normalization Rate: 100%

Data Label: BITVISE_SSHD

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
| --- | --- |
| /event/parameters[1]/@tokenLogonType | additional.fields |
| /event/parameters[1]/@tokenType | additional.fields |
| /event/parameters[1]/@groupSettings | additional.fields |
| /event/parameters[1]/@accountSettings | additional.fields |
| /event/authentication[1]/@submethod | additional.fields |
| /event/sfs[1]/parameters[1]/@upload | additional.fields |
| /event/sfs[1]/parameters[1]/@download | additional.fields |
| /event/sfs[1]/parameters[1]/@endedBy | additional.fields |
| /event/sfs[1]/parameters[1]/@finalSize | additional.fields |
| /event/sfs[1]/parameters[1]/@startSize | additional.fields |
| /event/sfs[1]/parameters[1]/@resizedFile | additional.fields |
| /event/sfs[1]/parameters[1]/@createdNewFile | additional.fields |
| /event/sfs[1]/parameters[1]/@writeRangeLength | additional.fields |
| /event/sfs[1]/parameters[1]/@readRangeLength | additional.fields |
| /event/sfs[1]/parameters[1]/@readRangeOffset | additional.fields |
| /event/sfs[1]/parameters[1]/@bytesWritten | additional.fields |
| /event/sfs[1]/parameters[1]/@bytesRead | additional.fields |
| /event/sfs[1]/parameters[1]/@timeMs | additional.fields |
| /event/sfs[1]/parameters[1]/@partialFailure | additional.fields |
| /event/parameters[1]/@remoteAlgs | additional.fields |
| /event/parameters[1]/@localAlgs | additional.fields |
| /event/parameters[1]/@algKind | additional.fields |
| /event/parameters[1]/@processFrom | additional.fields |
| /event/parameters[1]/@versionSelected | additional.fields |
| /event/parameters[1]/@versionRequested | additional.fields |
| /event/authentication[1]/@attemptNr | additional.fields |
| /event/sfs[1]/error[1]/@code | additional.fields |
| /event/sfs[1]/@code | additional.fields |
| /event/sfs[1]/error[1]/@operation | additional.fields |
| /event/sfs[1]/error[1]/@type | additional.fields |
| /event/sfs[1]/parameters[1]/@flags | additional.fields |
| /event/sfs[1]/parameters[1]/@how | additional.fields |
| /event/channel[1]/@id | additional.fields |
| /event/channel[1]/@type | additional.fields |
| /event/parameters[1]/@comprAlgOut | additional.fields |
| /event/parameters[1]/@comprAlgIn | additional.fields |
| /event/parameters[1]/@cipherAlgOut | additional.fields |
| /event/parameters[1]/@cipherAlgIn | additional.fields |
| /event/parameters[1]/@hostKeyAlg | additional.fields |
| /event/parameters[1]/@kexAlg | additional.fields |
| /event/parameters[1]/@macAlgOut | additional.fields |
| /event/parameters[1]/@macAlgIn | additional.fields |
| /event/sfs[1]/@moduleName | additional.fields |
| /event/sfs[1]/@mountPath | additional.fields |
| /event/parameters[1]/@clientVersion | additional.fields |
| /event/authentication[1]/@serialize | additional.fields |
| /event/parameters[1]/@channelBytesReceived | additional.fields |
| /event/parameters[1]/@channelBytesSent | additional.fields |
| /event/error[1]/@class | additional.fields |
| /event/error[1]/@code | additional.fields |
| /event/error[1]/@component | additional.fields |
| /event/error[1]/@type | additional.fields |
| /event/sessions[1]/@ftp | additional.fields |
| /event/sessions[1]/@ftpAuth | additional.fields |
| /event/parameters[1]/@socketBytesReceived | additional.fields |
| /event/parameters[1]/@socketBytesSent | additional.fields |
| /event/sessions[1]/@sshAuth | additional.fields |
| /event/sessions[1]/@ssh | additional.fields |
| /event/session[1]/@loc | additional.fields |
| /event/location[1]/@continent | additional.fields |
| Bitvise (static) | metadata.vendor_name |
| SSHd (static) | metadata.product_name |
| /event/error[1]/@message | metadata.description |
| /event/help[1] | metadata.description |
| /event/@name | metadata.product_event_type |
| /event/@seq | metadata.product_log_id |
| /event/session[1]/@id | network.session_id |
| /event/@app | principal.application |
| /event/session[1]/@remoteAddress (custom filter: address part) | principal.ip |
| /event/session[1]/@remoteAddress (custom filter: port part) | principal.port |
| /event/@desc | security_result.summary |
| /event/error[1]/@description | security_result.description |
| /event/parameters[1]/@blockComment | security_result.description |
| /event/parameters[1]/@disconnectReason | security_result.action_details |
| /event/parameters[1]/@failureReason | security_result.action_details |
| /event/parameters[1]/@cancelReason | security_result.action_details |
| /event/parameters[1]/@addressRule | security_result.rule_name |
| if /event/@name contains I_CONNECT_ACCEPTED or I_LOGON_AUTH_SUCCEEDED, or /event/@desc contains "accepted" | security_result.action = ALLOW |
| if /event/@name contains I_CONNECT_CANCELED, or /event/@desc contains "failed" | security_result.action = FAIL |
| /event/session[1]/@windowsAccount | target.user.userid |
| /event/session[1]/@virtualAccount | target.user.user_display_name |
| /event/sfs[1]/parameters[1]/@finalSize | target.file.size |
| /event/sfs[1]/parameters[1]/@path | target.file.full_path |
| /event/authentication[1]/@userName | target.user.userid |
| /event/location[1]/@country | principal.location.country_or_region |
| /event/session[1]/@loc | principal.location.country_or_region |
| /event/parameters[1]/@listenAddress (custom filter: address part) | target.ip |
| /event/parameters[1]/@listenAddress (custom filter: port part) | target.port |
| /event/parameters[1]/@payloadBytesSent | network.sent_bytes |
| /event/parameters[1]/@bytesSent | network.sent_bytes |
| /event/parameters[1]/@payloadBytesReceived | network.received_bytes |
| /event/parameters[1]/@bytesReceived | network.received_bytes |
| /event/session[1]/@service | network.application_protocol |
| /event/authentication[1]/@method | extensions.auth.auth_details |

Product Event Types

| Event | UDM Event Classification |
| --- | --- |
| I_SFS_OPEN_FILE | FILE_UNCATEGORIZED |
| I_SFS_TRANSFER_FILE | FILE_UNCATEGORIZED |
| I_SFS_GET_FILE_STATUS | FILE_UNCATEGORIZED |
| I_LOGON_AUTH_FAILED | USER_LOGIN |
| I_LOGON_AUTH_SUCCEEDED | USER_LOGIN |
| all others | GENERIC_EVENT |

Log Sample

<event seq="179682" time="2024-01-22 08:23:14.491921 -0800" app="BvSshServer 8.43" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
  <session id="141217" service="SSH" remoteAddress="10.0.0.1:56847"/>
  <parameters disconnectReason="Socket" socketBytesReceived="0" socketBytesSent="57" payloadBytesReceived="0" payloadBytesSent="13" channelBytesReceived="0" channelBytesSent="0"/>
  <error type="Flow" component="SshManager/socketReader" class="WinApi" code="10054" message="An existing connection was forcibly closed by the remote host." description="FlowSocketReader: Error receiving bytes"/>
  <sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>

Sample Parsing

additional.fields["channelBytesReceived"] = "0"
additional.fields["channelBytesSent"] = "0"
additional.fields["class"] = "WinApi"
additional.fields["code"] = "10054"
additional.fields["component"] = "SshManager/socketReader"
additional.fields["error_type"] = "Flow"
additional.fields["ftp"] = "0"
additional.fields["ftpAuth"] = "0"
additional.fields["socketBytesReceived"] = "0"
additional.fields["socketBytesSent"] = "57"
additional.fields["ssh"] = "0"
additional.fields["sshAuth"] = "0"
metadata.base_labels.allow_scoped_access = true
metadata.base_labels.log_types = "BITVISE_SSHD"
metadata.description = "An existing connection was forcibly closed by the remote host."
metadata.event_timestamp.seconds = 1705940594
metadata.event_timestamp.nanos = 491000000
metadata.event_type = "GENERIC_EVENT"
metadata.product_event_type = "I_SESSION_DISCONNECTED_NORMALLY"
metadata.product_log_id = "179682"
metadata.product_name = "SSHd"
metadata.vendor_name = "Bitvise"
network.application_protocol = "SSH"
network.sent_bytes = 13
network.session_id = "141217"
principal.application = "BvSshServer 8.43"
principal.ip = "10.0.0.1"
principal.port = 56847
security_result.action_details = "Socket"
security_result.description = "FlowSocketReader: Error receiving bytes"
security_result.summary = "Session disconnected normally."
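The mapping table, the event classification table and the Sample Parsing above can be checked end to end with a small reimplementation. The Python below is an added example, not Bitvise's code and not the SIEM vendor's parser: it applies the documented field mapping to the page's own log sample and to one constructed authentication-failure event (built only from element and attribute names the table lists). The helper names, the constructed event, the handling of a bracketed IPv6 address in split_endpoint, and the choice to omit zero-valued byte counters (mirroring the Sample Parsing, which shows no network.received_bytes for payloadBytesReceived="0") are assumptions.

```python
"""Added example: re-derive the page's UDM mapping from Bitvise XML events."""
import xml.etree.ElementTree as ET
from datetime import datetime

# Event classification table from the page; anything else is GENERIC_EVENT.
EVENT_TYPES = {
    "I_SFS_OPEN_FILE": "FILE_UNCATEGORIZED",
    "I_SFS_TRANSFER_FILE": "FILE_UNCATEGORIZED",
    "I_SFS_GET_FILE_STATUS": "FILE_UNCATEGORIZED",
    "I_LOGON_AUTH_FAILED": "USER_LOGIN",
    "I_LOGON_AUTH_SUCCEEDED": "USER_LOGIN",
}

# The page's log sample, verbatim.
SAMPLE_EVENT = """<event seq="179682" time="2024-01-22 08:23:14.491921 -0800" app="BvSshServer 8.43" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
  <session id="141217" service="SSH" remoteAddress="10.0.0.1:56847"/>
  <parameters disconnectReason="Socket" socketBytesReceived="0" socketBytesSent="57" payloadBytesReceived="0" payloadBytesSent="13" channelBytesReceived="0" channelBytesSent="0"/>
  <error type="Flow" component="SshManager/socketReader" class="WinApi" code="10054" message="An existing connection was forcibly closed by the remote host." description="FlowSocketReader: Error receiving bytes"/>
  <sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>"""

# Constructed for this example (not a captured Bitvise log line): an auth failure
# that uses only element/attribute names present in the page's mapping table.
AUTH_FAILED_EVENT = """<event seq="179700" time="2024-01-22 08:25:01.000000 -0800" app="BvSshServer 8.43" name="I_LOGON_AUTH_FAILED" desc="Authentication failed.">
  <session id="141230" service="SSH" remoteAddress="192.0.2.10:51234"/>
  <authentication userName="alice" method="password" attemptNr="3"/>
  <parameters failureReason="Incorrect password"/>
</event>"""


def split_endpoint(addr):
    """The page's 'custom filter': split 'ip:port' into (ip, port).
    rpartition keeps the colons of an IPv6 literal intact; stripping square
    brackets around it is an assumption, the page only shows IPv4."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return addr, None
    return host.strip("[]"), int(port)


def classify_action(name, desc):
    """security_result.action rules exactly as stated in the mapping table."""
    if "I_CONNECT_ACCEPTED" in name or "I_LOGON_AUTH_SUCCEEDED" in name or "accepted" in desc:
        return "ALLOW"
    if "I_CONNECT_CANCELED" in name or "failed" in desc:
        return "FAIL"
    return None


def parse_event(xml_text):
    """Return a flat dict of UDM field -> value for one <event> element."""
    ev = ET.fromstring(xml_text)
    name, desc = ev.get("name", ""), ev.get("desc", "")
    udm = {
        "metadata.vendor_name": "Bitvise",
        "metadata.product_name": "SSHd",
        "metadata.product_event_type": name,
        "metadata.event_type": EVENT_TYPES.get(name, "GENERIC_EVENT"),
        "metadata.product_log_id": ev.get("seq"),
        "principal.application": ev.get("app"),
        "security_result.summary": desc,
        "additional.fields": {},
    }
    extra = udm["additional.fields"]
    action = classify_action(name, desc)
    if action:
        udm["security_result.action"] = action
    # Bitvise stamps microseconds plus a UTC offset; the page's Sample Parsing keeps
    # only millisecond precision in nanos (491921 us -> 491000000 ns), mirrored here.
    ts = datetime.strptime(ev.get("time"), "%Y-%m-%d %H:%M:%S.%f %z")
    udm["metadata.event_timestamp.seconds"] = int(ts.timestamp())
    udm["metadata.event_timestamp.nanos"] = (ts.microsecond // 1000) * 1_000_000

    session = ev.find("session")
    if session is not None:
        udm["network.session_id"] = session.get("id")
        udm["network.application_protocol"] = session.get("service")
        if session.get("remoteAddress"):
            ip, port = split_endpoint(session.get("remoteAddress"))
            udm["principal.ip"] = ip
            if port is not None:
                udm["principal.port"] = port
        if session.get("windowsAccount"):
            udm["target.user.userid"] = session.get("windowsAccount")

    auth = ev.find("authentication")
    if auth is not None:
        if auth.get("userName"):
            udm["target.user.userid"] = auth.get("userName")
        if auth.get("method"):
            udm["extensions.auth.auth_details"] = auth.get("method")
        for attr in ("attemptNr", "submethod", "serialize"):
            if attr in auth.attrib:
                extra[attr] = auth.get(attr)

    params = ev.find("parameters")
    if params is not None:
        # payload* counters take precedence over bytes*; zero counters are omitted
        # (assumption drawn from the page's Sample Parsing, see lead-in).
        for udm_key, attrs in (("network.sent_bytes", ("payloadBytesSent", "bytesSent")),
                               ("network.received_bytes", ("payloadBytesReceived", "bytesReceived"))):
            for attr in attrs:
                if attr in params.attrib:
                    if int(params.get(attr)) > 0:
                        udm[udm_key] = int(params.get(attr))
                    break
        for attr in ("disconnectReason", "failureReason", "cancelReason"):
            if attr in params.attrib:
                udm["security_result.action_details"] = params.get(attr)
        for attr in ("socketBytesReceived", "socketBytesSent",
                     "channelBytesReceived", "channelBytesSent"):
            if attr in params.attrib:
                extra[attr] = params.get(attr)

    error = ev.find("error")
    if error is not None:
        udm["metadata.description"] = error.get("message")
        udm["security_result.description"] = error.get("description")
        extra["error_type"] = error.get("type")  # renamed key, as in the page's Sample Parsing
        for attr in ("class", "code", "component"):
            extra[attr] = error.get(attr)

    sessions = ev.find("sessions")
    if sessions is not None:
        extra.update(sessions.attrib)  # ssh, sshAuth, ftp, ftpAuth
    return udm


if __name__ == "__main__":
    for key, value in sorted(parse_event(SAMPLE_EVENT).items()):
        print(f"{key} = {value!r}")
```

Running the block prints the same values the Sample Parsing section lists for the page's event (GENERIC_EVENT, seconds 1705940594, nanos 491000000, principal.ip 10.0.0.1 with port 56847, network.sent_bytes 13 and no received_bytes). Feeding it the constructed I_LOGON_AUTH_FAILED event exercises the other branch of the table: USER_LOGIN classification, security_result.action = FAIL from the "failed" substring, target.user.userid from authentication/@userName and failureReason landing in security_result.action_details.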