hke
Novice
Posts: 6
Liked: never
Joined: Oct 08, 2019 11:48 am

Improving Console Log for Security Monitoring and SIEM Ingestion

Post by hke »

The current log file design for the console (described at https://helpcenter.veeam.com/docs/backu ... ml?ver=110) creates separate log files for each user of the console and is not very easy to parse into a SIEM.

Given the number of ransomware operators targeting Veeam and other backup platforms, we want to monitor our console access very closely. We need a simpler log format to do this. Is syslog an option? Is there another way to write a unified log that contains just console login details?

If a user fails to authenticate (bad username or unauthorized), where is that logged?
HannesK
Product Manager
Posts: 14322
Liked: 2890 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Improving Console Log for Security Monitoring and SIEM Ingestion

Post by HannesK » 2 people like this post

Hello,
> If a user fails to authenticate (bad username or unauthorized), where is that logged?
You should find that also in the Windows event log. We use Windows authentication.

syslog is possible indirectly: veeam-backup-replication-f2/shipping-to ... 51985.html

Does that help?

Best regards,
Hannes

Re: Improving Console Log for Security Monitoring and SIEM Ingestion

Post by hke »

Thank you. I see the 4648 events in the Security event logs. I had been looking in Veeam Backup.evtx.

It would be nice to have a consolidated log in/from Veeam so that we could see the success/failure all in one line (as it stands, you have to find the 4624/4625 to see if the authentication worked), but this will definitely get the job done.

# # # # # # #

A logon was attempted using explicit credentials.

. . .

Account Whose Credentials Were Used:
Account Name: fakename
Account Domain: FAKEDOM
Logon GUID: {00000000-0000-0000-0000-000000000000}

. . .

Process Information:
Process ID: 0x29d0
Process Name: C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe
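
The pairing described in the thread (a 4648 event from the console process, then the 4624/4625 that shows whether authentication worked) can be collapsed into one line per attempt. The following is an added example, not part of the original posts and not Veeam code; it assumes the console runs on the host whose Security log is read, and the 24-hour look-back, 5-second window and output field names are illustrative choices.

```powershell
# Added example, not Veeam code. Run elevated on the host whose Security log
# holds both the console's 4648 events and the matching 4624/4625 events.
$since   = (Get-Date).AddHours(-24)        # look-back period (assumption)
$window  = [TimeSpan]::FromSeconds(5)      # correlation window (assumption)
$console = 'veeam.backup.shell.exe'        # process name seen in the 4648 event

function ConvertTo-LogonRecord {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        # Flatten <EventData><Data Name="..."> into a name/value hashtable.
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{ Id = $Record.Id; Time = $Record.TimeCreated; Data = $data }
    }
}

$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4648, 4624, 4625; StartTime = $since
    } -ErrorAction SilentlyContinue | ConvertTo-LogonRecord)

# Each 4648 raised by the console process is treated as one login attempt.
$attempts = $events | Where-Object { $_.Id -eq 4648 -and $_.Data.ProcessName -like "*\$console" }
$outcomes = $events | Where-Object { $_.Id -ne 4648 }

foreach ($a in $attempts) {
    # Heuristic: nearest 4624/4625 for the same account inside the window.
    $match = $outcomes | Where-Object {
        $_.Data.TargetUserName   -eq $a.Data.TargetUserName -and
        $_.Data.TargetDomainName -eq $a.Data.TargetDomainName -and
        ($_.Time - $a.Time).Duration() -le $window
    } | Sort-Object { ($_.Time - $a.Time).Duration() } | Select-Object -First 1

    $result = if (-not $match) { 'unknown' } elseif ($match.Id -eq 4624) { 'success' } else { 'failure' }

    # One compact JSON line per attempt, ready for a log shipper.
    [pscustomobject]@{
        time     = $a.Time.ToUniversalTime().ToString('o')
        account  = '{0}\{1}' -f $a.Data.TargetDomainName, $a.Data.TargetUserName
        result   = $result
        status   = if ($match) { $match.Data.Status } else { $null }   # present on 4625 only
        sourceIp = if ($match) { $match.Data.IpAddress } else { $null }
    } | ConvertTo-Json -Compress
}
```

Matching on account and time is a heuristic: an unrelated logon by the same account inside the window will be picked up, and a result of `unknown` means no 4624/4625 for that account was found in this log.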