Real-time performance monitoring and troubleshooting
Post Reply
martin.r
Lurker
Posts: 2
Liked: 1 time
Joined: Dec 05, 2018 12:34 pm
Full Name: Martin Rauscher
Contact:

Alarm on Encryption Password change

Post by martin.r »

Hello,

so i’m actually working on hardening and securing VBR Servers. So far, i use hardened / immutable Backup Repositories.
I am also using Encryption of the backup files in Job settings.

Now I want to make sure that there is no unauthorized change of encryption password which might result in immutable but not readable backups.
So is there any option to get notified by Veeam One if there is a change on current Encryption Password or another Encryption Password is chosen for a job?

Thanks,
Martin
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Alarm on Encryption Password change

Post by Mildur »

We are using Reports "Job Configuration Change Tracking" and the "Backup Objects Change Tracking" to get all Job and object changes once in a week.
You can send them also on a daily basis. I don't see a dedicated alarm for job change monitoring.

https://helpcenter.veeam.com/docs/one/r ... ml?ver=110
https://helpcenter.veeam.com/docs/one/r ... ml?ver=110
Product Management Analyst @ Veeam Software
nikolaj
Expert
Posts: 164
Liked: 57 times
Joined: Mar 22, 2021 11:19 am
Contact:

Re: Alarm on Encryption Password change

Post by nikolaj »

Hi Martin,

No, this is not possible with any of VONE's alarms at the moment, however, the feature itself is feasible and can be implemented, so thank you for the request.

Thanks.
martin.r
Lurker
Posts: 2
Liked: 1 time
Joined: Dec 05, 2018 12:34 pm
Full Name: Martin Rauscher
Contact:

Re: Alarm on Encryption Password change

Post by martin.r » 1 person likes this post

Hi,
so yes, a report would be an idea or also monitoring of event log entries for encryption password change but i would prefer an immediate information.

Actually i'm checking all eventualities for possible attacks.
So as the repository / files are now immutable and network isolated there is still the option to just change encryption password on VBR Server and all new generated Backups are in case of an issue / attack unusable (sure depending on the dimension of the issue but not complete unrealistic).

So yes, it would be great if that could be implemented to be monitored by Veeam One.
tsmagnum
Novice
Posts: 6
Liked: 5 times
Joined: Feb 26, 2021 7:34 am
Full Name: T.S. Magnum
Contact:

Re: Alarm on Encryption Password change

Post by tsmagnum » 2 people like this post

Hello, I have the same issue with a customer of mine and I found a way to get an email alert when an encryption password is modified, using a script I wrote.

I'm not using Veeam One.

You can download my script here: https://github.com/tsmagnum/Veeam/blob/ ... sAlert.ps1 .
The only configuration needed is the smtp server you want to use, with username and password, recipient(s) and sender.

The event is logged in Windows in "Veeam Backup" log, ID 31700; you can easily attach a task to this event in the event log, using the "Start a program" action to run this script (this will create a scheduled task in Windows Server).

The task should be configured ("Actions" tab) to run

Code: Select all

powershell.exe
with arguments

Code: Select all

-executionpolicy bypass -file C:\<path to your script dir>\New-EncPassAlert.ps1
the task should also be configured to run hidden and whether a user is logged or not (on the "General" tab of the task).

Doing so, you will receive an email containing the logs entry related to the encryption password change, including the server name, the event time and the password modified.

The script is still a bit rough, but it does its job and maybe I'll be able to improve it later.

EDIT: I noticed that you want to be alerted even if someone selects a different encryption password for a tape set/repository. This event unfortunately is not logged in the event log, but I added in the script also the event ID 31600 (encryption password creation). It should be sufficient to attach the script execution to the "Veeam Backup" event ID 31600 too: if someone creates a new encryption password an alert will be fired and you will be able to investigate the issue.

Regards.
tsmagnum
Novice
Posts: 6
Liked: 5 times
Joined: Feb 26, 2021 7:34 am
Full Name: T.S. Magnum
Contact:

Re: Alarm on Encryption Password change

Post by tsmagnum »

Another small edit: I added in the script the event ID 31800 too, in order to monitor password deletion, so your scheduled task in Windows Server should have three triggers: one for event ID 31600, one for 31700, one for 31800.
nikolaj
Expert
Posts: 164
Liked: 57 times
Joined: Mar 22, 2021 11:19 am
Contact:

Re: Alarm on Encryption Password change

Post by nikolaj » 2 people like this post

Thanks for your input, tsmagnum!
We've collected feedback for this feature. I hope the alarm comes along in one of the future releases.
tsmagnum
Novice
Posts: 6
Liked: 5 times
Joined: Feb 26, 2021 7:34 am
Full Name: T.S. Magnum
Contact:

Re: Alarm on Encryption Password change

Post by tsmagnum » 1 person likes this post

Hello,

I have written a PowerShell script to create a report with the encryption passwords age of a VBR server, using the APIs. You can schedule the report and send the results via email.

The script is here: https://github.com/tsmagnum/Veeam/blob/ ... Status.ps1
darren.flatman
Influencer
Posts: 15
Liked: 2 times
Joined: Mar 02, 2022 10:07 am
Full Name: Darren Flatman
Contact:

Re: Alarm on Encryption Password change

Post by darren.flatman »

Can you tell me what event 31800 is for please? Looks like 31600 is created and 31700 is modified?
tsmagnum
Novice
Posts: 6
Liked: 5 times
Joined: Feb 26, 2021 7:34 am
Full Name: T.S. Magnum
Contact:

Re: Alarm on Encryption Password change

Post by tsmagnum »

Hi Darren, 31800 is for password deletion.

Regards
jorgedlcruz
Veeam Software
Posts: 1355
Liked: 613 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: Alarm on Encryption Password change

Post by jorgedlcruz »

Thank you so much guys, this feedback has been really important. We have taken into consideration for future releases.

Appreciated it! Thanks for the GitHub script as well!
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
Post Reply

Who is online

Users browsing this forum: No registered users and 6 guests