Parsing Bitvise Logs for Analysis

The use of the Secure Shell Protocol (SSH) in a network can provide significant capabilities. It lets a user connect to a remote system over an encrypted channel, authenticate, and interact with that system. For this to happen, however, a system acting as a client needs an SSH client, which lets it initiate the connection, and a system acting as a server needs software that lets it accept SSH connections. In UNIX-like environments, both an SSH client and an SSH server (typically OpenSSH) are part of the standard build. Windows 10 includes an SSH client, and recent builds offer an OpenSSH server as an optional feature that is not installed by default; third-party SSH software also enables Windows systems to act as SSH servers.

With that said, I recently found myself on a Windows system that was operating as an SSH server. Specifically, it was running Bitvise SSH Server. Additionally, the system was on the Internet, and there was no shortage of entities trying to brute force the machine. Fortunately for me, there were logs available.

The logs, by default, can be found at “%SystemDrive%\program files\Bitvise SSH Server\logs”. The server writes to the current log file until it reaches 10 MB, then starts a new file in the same directory, so a brute-force campaign that runs for a while will usually span several files and the whole directory should be collected, not just the newest log. The logs are in a textual XML format, with each entry written as an XML element, and can be viewed with any text editor. Unfortunately, in that raw form they are not analyst-friendly when you are trying to gain an understanding of a situation: the useful fields (event name, time, remote address, username) are spread across attributes and nested elements rather than laid out one record per line. This is where I got the idea to create a parser for the logs.

The parser transforms the data into a digestible format that an analyst can comb through more quickly, ultimately making the job easier.
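To make the approach concrete, here is an added example of the kind of parsing described above. It is illustrative code written for this article, not the author's parser and not code from Bitvise. The sample log is constructed and only modelled on Bitvise's textual XML format: the event names (such as `I_LOGON_AUTH_FAILED`), the `session` and `parameters` child elements and their attribute names are assumptions, so check them against a real log and adjust `FAILURE_EVENTS` and the attribute lookups before trusting the counts. The example also handles two things a raw log presents to an analyst: a single damaged element should not stop the whole file from parsing, and a log that is still being written may end mid-event.

```python
"""Summarise failed SSH logons from a Bitvise SSH Server style XML log (constructed example)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, Iterator

# Constructed sample modelled on the textual XML log format. Event names,
# attribute names and values are ASSUMPTIONS for illustration; compare with a
# real log before relying on the results. The last element is deliberately cut
# off, as an active log file may be when it is copied while being written.
SAMPLE_LOG = """\
<event seq="101" time="2021-03-04 02:11:07.123 +0000" app="BvSshServer" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
 <session id="5001" service="SSH" remoteAddress="203.0.113.5:51230"/>
</event>
<event seq="102" time="2021-03-04 02:11:08.456 +0000" app="BvSshServer" name="I_LOGON_AUTH_FAILED" desc="Authentication failed.">
 <session id="5001" service="SSH" remoteAddress="203.0.113.5:51230"/>
 <parameters username="root" method="password"/>
</event>
<event seq="103" time="2021-03-04 02:11:09.001 +0000" app="BvSshServer" name="I_LOGON_AUTH_FAILED" desc="Authentication failed.">
 <session id="5001" service="SSH" remoteAddress="203.0.113.5:51230"/>
 <parameters username="admin" method="password"/>
</event>
<event seq="104" time="2021-03-04 02:12:40.777 +0000" app="BvSshServer" name="I_LOGON_AUTH_FAILED" desc="Authentication failed.">
 <session id="5002" service="SSH" remoteAddress="198.51.100.23:40012"/>
 <parameters username="root" method="password"/>
</event>
<event seq="105" time="2021-03-04 02:13:02.300 +0000" app="BvSshServer" name="I_LOGON_AUTH_SUCCEEDED" desc="Authentication succeeded.">
 <session id="5003" service="SSH" remoteAddress="192.0.2.10:55100"/>
 <parameters username="backup" method="publickey"/>
</event>
<event seq="106" time="2021-03-04 02:13:05.000 +0000" app="BvSshServer" name="I_LOGON_AUTH_FAILED" desc="Authentic
"""

# Event names treated as a failed authentication (assumed; adjust to the real log).
FAILURE_EVENTS = {"I_LOGON_AUTH_FAILED"}

# Match one <event .../> or <event ...>...</event> at a time, so a single
# damaged element is skipped instead of aborting the whole file.
EVENT_RE = re.compile(r"<event\b[^>]*?(?:/>|>.*?</event>)", re.DOTALL)


def iter_events(text: str) -> Iterator[Dict[str, str]]:
    """Yield one flat dict per well-formed <event>: the event's own attributes
    plus each child's attributes keyed as '<child>.<attr>', e.g. 'session.remoteAddress'."""
    for match in EVENT_RE.finditer(text):
        try:
            elem = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # malformed element: skip it and keep going
        record = dict(elem.attrib)
        for child in elem:
            for key, value in child.attrib.items():
                record[f"{child.tag}.{key}"] = value
        yield record


def count_truncated(text: str) -> int:
    """Count <event> openers after the last complete element (normally 0 or 1)."""
    last = None
    for last in EVENT_RE.finditer(text):
        pass
    tail = text[last.end():] if last else text
    return tail.count("<event")


def remote_ip(record: Dict[str, str]) -> str:
    """Drop the ':port' suffix from 'host:port'; keep anything unexpected unchanged."""
    addr = record.get("session.remoteAddress", "")
    host, sep, port = addr.rpartition(":")
    return host if sep and port.isdigit() else addr


def summarize_auth_failures(text: str) -> Dict[str, object]:
    """The totals an analyst wants first: failures per source IP and per username tried."""
    by_ip: Counter = Counter()
    by_user: Counter = Counter()
    total = 0
    for rec in iter_events(text):
        total += 1
        if rec.get("name") not in FAILURE_EVENTS:
            continue
        by_ip[remote_ip(rec)] += 1
        by_user[rec.get("parameters.username", "<unknown>")] += 1
    return {"events": total, "truncated": count_truncated(text),
            "failures_by_ip": by_ip, "failures_by_user": by_user}


if __name__ == "__main__":
    summary = summarize_auth_failures(SAMPLE_LOG)
    print(f"{summary['events']} events parsed, {summary['truncated']} truncated at end of file")
    print("Failed logons by source IP:")
    for ip, n in summary["failures_by_ip"].most_common():
        print(f"  {ip:<16} {n}")
    print("Usernames tried:")
    for user, n in summary["failures_by_user"].most_common():
        print(f"  {user:<16} {n}")
```

Run against a real log directory by reading each file and concatenating the text (or calling `summarize_auth_failures` per file and adding the Counters), since the 10 MB rotation means one campaign rarely fits in a single file. Parsing one element at a time rather than the whole file as a document is what keeps a truncated final entry, or one corrupted record, from discarding everything else.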

The parser can be found here.