nick.tan
Influencer
Posts: 15
Liked: never
Joined: Apr 22, 2013 9:17 am
Full Name: Nick Tan
Contact:

Surebackup integration with SIEM

Post by nick.tan »

Is there any way for SureBackup to output a certain log/report to be sent to Security Information and Event Management (SIEM)?

I understand that there will be a SureBackup mail report; has anyone tried to integrate it with SIEM before?
BrentBPPI
Service Provider
Posts: 43
Liked: 1 time
Joined: Feb 02, 2017 4:11 pm
Full Name: Brent Barnett

[MERGED] Veeam to SIEM

Post by BrentBPPI » 1 person likes this post

Does anyone have Veeam going to their SIEM? If so are you using the API, Events on the servers, or UDLA?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Surebackup integration with SIEM

Post by Vitaliy S. »

As far as I know, usually Windows Event log is used to post events to SIEM about backup activity. We have events for almost all actions, cases, so this should be a good start.
theta12
Influencer
Posts: 21
Liked: 1 time
Joined: May 24, 2017 1:37 pm
Contact:

Re: Surebackup integration with SIEM

Post by theta12 »

Sorry to drag this back up, but I was just asked about this feature myself due to audit requirements, but not with Sure Backups. We actually want to get the logs shipped off to our SIEM when a RESTORE event happens. I can see in the Windows event logs that event id 210 is registered showing that a restore session has been initiated, but this does not include the details that the history logs show in enterprise manager. I know that I can create an email to be sent when restores occur, but my manager wants this to be sent to the SIEM via event logs so it can be searched and recorded. I don't see any Windows event logs that show this kind of detail (or I'm just missing it). Does this event live somewhere other than the EM application event logs?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Surebackup integration with SIEM

Post by Vitaliy S. »

All our events are tracked via Windows Event log. Here is the documented list of what you can expect there. On top of that, while I understand that it is not what you're searching for, if you have Veeam ONE deployed, then this report might provide a bit more info on the restore operator activity.
theta12
Influencer
Posts: 21
Liked: 1 time
Joined: May 24, 2017 1:37 pm
Contact:

Re: Surebackup integration with SIEM

Post by theta12 » 1 person likes this post

Yes, we're going to have to use the report from Veeam One and have it emailed monthly to our Security Team. It just really would have been much easier to have the details of the restores in the event logs as these automatically get sent to the SIEM. Could we ask for a feature request to get the additional restore details added to the Windows event logs? Basically, the who, what, when, where details of the report?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Surebackup integration with SIEM

Post by Vitaliy S. »

Sure, you have just made this request via your post. Thanks!
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Surebackup integration with SIEM

Post by Dima P. »

theta12,

Quick googling shows that SIEM might support SNMP traps. If that's true, you can configure the SureBackup job to send an SNMP trap and catch it from the SIEM side.
corey.ike
Novice
Posts: 7
Liked: 1 time
Joined: Jul 21, 2014 3:33 pm
Full Name: Corey Ike
Contact:

Re: Surebackup integration with SIEM

Post by corey.ike »

So, as a former Veeam Software Support Engineer turned Windows Server Admin turned Information Security Specialist... I am now suddenly VERY interested in how Veeam B&R could take its HTML reporting details and export them into a CSV or JSON format for our SIEM to digest. Any work on this? I contacted friends who are current Support employees but they're saying it's really not an ability. You get Windows Event Logging or you export that HTML report. You learn to parse that HTML or teach yourself the restAPI. There's no real smooth way to get that HTML Reported data into a SIEM like Splunk or LogRhythm.
Thank you,
Corey Ike
Veeam Support
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Surebackup integration with SIEM

Post by Vitaliy S. » 1 person likes this post

Hey Corey, sad to see you go ;) but there were no changes since our last replies. Thanks!
corey.ike
Novice
Posts: 7
Liked: 1 time
Joined: Jul 21, 2014 3:33 pm
Full Name: Corey Ike
Contact:

Re: Surebackup integration with SIEM

Post by corey.ike »

Well, I really appreciate the lightning-fast update. That means I will post it as a Feature Request. I know the drill! ;)
Thank you!
Thank you,
Corey Ike
Veeam Support
tdewin
Veeam Software
Posts: 1775
Liked: 646 times
Joined: Mar 02, 2012 1:40 pm
Full Name: Timothy Dewin
Contact:

Re: Surebackup integration with SIEM

Post by tdewin »

Have you considered just powershell? Similar to this post376285.html#p376285 for a job, you can also extract a lot of info from the surebackup session (although because it is using dotnet classes directly, it is not really supported or guaranteed to be stable)

for example ($sessions is commented out because it would give you all sessions related to the job)

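Code:

# Load the Veeam PowerShell snap-in (asnp is the alias for Add-PSSnapin)
asnp veeampssnapin
$job = get-vsbjob -Name "SureBackup Job Webtest"
# All sessions for the job (left commented out; it returns every session related to the job)
#$sessions = [Veeam.Backup.Core.SureBackup.CSbSession]::GetByJob($job.Id)
# Most recent session only; this calls internal .NET classes directly, so it is not supported
$session = [Veeam.Backup.Core.SureBackup.CSbSession]::FindLastByJob($job.id)
# Session log entries with their timestamps
$session.Logger.GetLog().updatedrecords | select updatetime,title
# Per-VM verification results for that session
$session.GetTaskSessions() | select name,status,HeartbeatStatus,pingstatus,testscriptstatus,VirusScanStatus | ft

PowerShell does have a ConvertTo-Json tool. But then this thread should be moved to the PowerShell forum :mrgreen: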
tdewin
Veeam Software
Posts: 1775
Liked: 646 times
Joined: Mar 02, 2012 1:40 pm
Full Name: Timothy Dewin
Contact:

Re: Surebackup integration with SIEM

Post by tdewin » 1 person likes this post

Seems that we even have supported cmdlets for this now so you can actually get this working pretty easy. This would create one json for all surebackup jobs

Code:

# Load the Veeam PowerShell snap-in (asnp is the alias for Add-PSSnapin)
asnp veeampssnapin

$vsbsessions = Get-VSBSession
$allresults = @()
foreach ($surebackupjob in (get-vsbjob)) {
    # @() keeps this an array even when only one session matches, so .count and [0] behave
    $allsessions = @($vsbsessions | ? {$_.jobid -eq $surebackupjob.Id } | Sort-Object -Descending -Property endtimeutc)
    if ($allsessions.count -gt 0) {
        # Newest session first after the descending sort
        $latestsession = $allsessions[0]
        $resultapps = $latestsession | Get-VSBTaskSession | select name,status,HeartbeatStatus,pingstatus,testscriptstatus,VirusScanStatus 
        $allresults += New-Object -TypeName psobject -ArgumentList @{JobName=$latestsession.jobname;LastResult=$latestsession.Result;LastRun=$latestsession.CreationTimeUTC;AppResult=$resultapps}
    } else {
        write-host ("No sessions for {0}" -f $surebackupjob.name)
        # Take the name from the job itself: $latestsession is empty or left over from the previous job here
        $allresults += New-Object -TypeName psobject -ArgumentList @{JobName=$surebackupjob.Name;LastResult="No Session Found";LastRun=(Get-Date -Date "01/01/1970 00:00:00")}
    }
}
# One JSON document covering every SureBackup job
$allresults | ConvertTo-Json -Depth 100 | Set-Content -Path C:\mypath\surebackup-report.json

Output should be something like this

Code:

[
    {
        "AppResult":  {
                          "Name":  "mysql",
                          "Status":  4,
                          "HeartbeatStatus":  3,
                          "PingStatus":  3,
                          "TestScriptStatus":  3,
                          "VirusScanStatus":  6
                      },
        "LastResult":  0,
        "LastRun":  "\/Date(1587568260453)\/",
        "JobName":  "Lab MySQL APP Group"
    },
    {
        "AppResult":  [
                          {
                              "Name":  "ad",
                              "Status":  4,
                              "HeartbeatStatus":  3,
                              "PingStatus":  3,
                              "TestScriptStatus":  3,
                              "VirusScanStatus":  7
                          },
                          {
                              "Name":  "mysql",
                              "Status":  4,
                              "HeartbeatStatus":  3,
                              "PingStatus":  3,
                              "TestScriptStatus":  3,
                              "VirusScanStatus":  6
                          }
                      ],
        "LastResult":  0,
        "LastRun":  "\/Date(1587458056603)\/",
        "JobName":  "SureBackup Job Webtest"
    }
]

One thing to notice is that the cmdlet does convert internal enums to ints so here is the mapping for that for tasksessions

Code:

PS C:\Users\Administrator> [System.Enum]::GetValues([Veeam.Backup.Model.CSbTaskSessionInfo+ETestResult]) | % { $_,$_.value__  }
Pending
0
InProgress
2
Success
3
Failed
4
Warning
5
NotRunning
6
Disabled
7

and for job session

Code:

[System.Enum]::GetValues([Veeam.Backup.Model.CBaseSessionInfo+EResult]) | % { $_,$_.value__  }
Success
0
Warning
1
Failed
2
None
-1
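
An added example, not part of the original posts or of Veeam's tooling: a Python normaliser for the surebackup-report.json format shown above, turning it into flat per-VM events with named results and ISO 8601 timestamps before SIEM ingestion. The function names, output field names and the sample are assumptions made for illustration; the enum values are the ones listed in the post.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Enum values as listed in the post above (ETestResult and EResult).
TEST_RESULT = {0: "Pending", 2: "InProgress", 3: "Success", 4: "Failed",
               5: "Warning", 6: "NotRunning", 7: "Disabled"}
JOB_RESULT = {0: "Success", 1: "Warning", 2: "Failed", -1: "None"}
# Assumption: these four fields use ETestResult. "Status" is passed through raw
# because the thread does not say which enum it belongs to.
TEST_FIELDS = ("HeartbeatStatus", "PingStatus", "TestScriptStatus", "VirusScanStatus")
DATE_RE = re.compile(r"^/Date\((-?\d+)\)/$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_ms_date(value):
    """'/Date(<ms since epoch>)/' -> ISO 8601 UTC string; None for any other input."""
    m = DATE_RE.match(value) if isinstance(value, str) else None
    if m is None:
        return None
    return (EPOCH + timedelta(milliseconds=int(m.group(1)))).isoformat(timespec="milliseconds")

def to_events(report_json):
    """Return one flat dict per tested VM, or one per job when it has no task data."""
    records = json.loads(report_json)
    if isinstance(records, dict):   # a single piped object is not wrapped in an array
        records = [records]
    events = []
    for rec in records:
        result = rec.get("LastResult")
        base = {"job_name": rec.get("JobName"),
                "job_result": JOB_RESULT.get(result, str(result)),
                "last_run_utc": parse_ms_date(rec.get("LastRun"))}
        tasks = rec.get("AppResult") or []
        if isinstance(tasks, dict):  # one task session serialises as an object
            tasks = [tasks]
        if not tasks:
            events.append(base)
        for task in tasks:
            event = dict(base, vm_name=task.get("Name"), task_status_raw=task.get("Status"))
            for field in TEST_FIELDS:
                event[field] = TEST_RESULT.get(task.get(field), f"Unknown({task.get(field)})")
            events.append(event)
    return events

# Constructed sample in the report's shape: object-valued AppResult and a no-session record.
SAMPLE = r'''[
 {"AppResult": {"Name": "mysql", "Status": 4, "HeartbeatStatus": 3, "PingStatus": 3,
                "TestScriptStatus": 3, "VirusScanStatus": 6},
  "LastResult": 0, "LastRun": "\/Date(1587568260453)\/", "JobName": "Lab MySQL APP Group"},
 {"LastResult": "No Session Found", "LastRun": null, "JobName": "Example Job Without Sessions"}
]'''
```

Writing each returned dict with json.dumps on its own line gives newline-delimited JSON, which most log forwarders can tail and ship as individual events.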