XRDP Decoder missing?


Seth Flores

Dec 19, 2025, 1:28:52 AM
to Wazuh | Mailing List
Hi everyone, good day!

I just want to ask if anyone has tried to create a decoder for xrdp? These are the sample logs, by the way:

Dec 18 01:22:29 kali xrdp[18131]: [INFO ] lib_mod_log_peer: xrdp_pid=18131 connected to X11rdp_pid=2225 X11rdp_uid=1001 X11rdp_gid=1001 client_ip=::ffff:192.168.1.18 client_port=50061

Dec 18 02:12:19 kali xrdp[1944]: [INFO ] Socket 12: AF_INET6 connection received from ::ffff:192.168.1.18 port 50186

Dec 18 02:07:56 kali xrdp-sesman[1930]: [INFO ] AUTHFAIL: user=admin ip=::ffff:192.168.1.18 time=1766023676

Dec 18 02:13:07 kali xrdp[43870]: [INFO ] Non-TLS connection established from ::ffff:192.168.1.18 port 50188: with security level : high

Md. Nazmur Sakib

Dec 19, 2025, 2:20:44 AM
to Wazuh | Mailing List

Hi Seth,

I have written some sample decoders based on your log.


Add the new decoder to /var/ossec/etc/decoders/local_decoder.xml to decode the log information.

<decoder name="xrdp">
  <program_name type="osregex">xrdp\.*</program_name>
</decoder>

<decoder name="xrdp_child">
  <parent>xrdp</parent>
  <regex>^\.*[(\.+) ] </regex>
  <order>log_level</order>
</decoder>

<decoder name="xrdp_child">
  <parent>xrdp</parent>
  <regex>^\.*[\.+] (\.+)$</regex>
  <order>log_msg</order>
</decoder>

<decoder name="xrdp_child">
  <parent>xrdp</parent>
  <regex>user=(\.+) </regex>
  <order>user</order>
</decoder>


Restart the Wazuh manager to apply the changes:

systemctl restart wazuh-manager

You can make further changes to your decoder following these documents:
- Decoders Syntax
- Regular Expression Syntax
- Custom decoders


Let me know if you need any further assistance.
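To check what the extracted fields would look like before loading the decoders into the manager, here is a small Python script (added here as an example; it is not from the thread and not Wazuh code) that re-implements the extraction with standard regexes over the four lines Seth posted, and adds what a rule would need: srcip with the ::ffff: prefix stripped, srcport, a TLS flag for the "Non-TLS" line, an AUTHFAIL flag and a per-source failure count. It goes slightly beyond the decoders above by also accepting unpadded levels such as [ERROR]; the field names srcip/srcport only follow Wazuh conventions, the script is not wazuh-logtest.

```python
import re
from collections import Counter

# Constructed sample input: the four xrdp / xrdp-sesman lines posted in the thread.
SAMPLE_LOGS = """\
Dec 18 01:22:29 kali xrdp[18131]: [INFO ] lib_mod_log_peer: xrdp_pid=18131 connected to X11rdp_pid=2225 X11rdp_uid=1001 X11rdp_gid=1001 client_ip=::ffff:192.168.1.18 client_port=50061
Dec 18 02:12:19 kali xrdp[1944]: [INFO ] Socket 12: AF_INET6 connection received from ::ffff:192.168.1.18 port 50186
Dec 18 02:07:56 kali xrdp-sesman[1930]: [INFO ] AUTHFAIL: user=admin ip=::ffff:192.168.1.18 time=1766023676
Dec 18 02:13:07 kali xrdp[43870]: [INFO ] Non-TLS connection established from ::ffff:192.168.1.18 port 50188: with security level : high
"""

# Syslog header: timestamp, host, program name (xrdp or xrdp-sesman), pid, payload.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>xrdp\S*)\[(?P<pid>\d+)\]: (?P<payload>.*)$"
)
# xrdp pads the level to five chars: "[INFO ]", "[WARN ]", "[ERROR]", "[DEBUG]".
LEVEL_RE = re.compile(r"^\[(?P<log_level>[A-Z]+)\s*\] (?P<log_msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")                      # user=admin ip=... time=...
FROM_RE = re.compile(r"from (?P<ip>\S+) port (?P<port>\d+)")


def decode(line):
    """Return the fields a Wazuh decoder would extract from one line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None                                     # not an xrdp line
    event = {k: v for k, v in m.groupdict().items() if k != "payload"}
    lvl = LEVEL_RE.match(m.group("payload"))
    event.update(lvl.groupdict() if lvl else {"log_msg": m.group("payload")})
    msg = event["log_msg"]
    event.update(KV_RE.findall(msg))                    # key=value pairs
    src = FROM_RE.search(msg)                           # "from <ip> port <n>"
    srcip = src.group("ip") if src else event.get("ip", event.get("client_ip"))
    if src:
        event["srcport"] = src.group("port")
    if srcip:                                           # strip IPv4-mapped prefix
        event["srcip"] = srcip.removeprefix("::ffff:")
    if "connection established" in msg:
        event["tls"] = not msg.startswith("Non-TLS")    # flag plaintext RDP sessions
    event["authfail"] = msg.startswith("AUTHFAIL:")
    return event


def decode_all(text):
    return [ev for ev in map(decode, text.splitlines()) if ev]


def authfail_by_ip(events):
    """Count AUTHFAIL events per source IP, the input to a frequency-style rule."""
    return Counter(ev["srcip"] for ev in events if ev["authfail"])
```

Running `authfail_by_ip(decode_all(SAMPLE_LOGS))` on the sample gives one failure for 192.168.1.18; the same counting is what a Wazuh rule with `frequency` and `same_source_ip` would do on the decoded `srcip` field.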
