Alarm on Encryption Password change

[martin.r]

Hello,

so i’m actually working on hardening and securing VBR Servers. So far, i use hardened / immutable Backup Repositories.
I am also using Encryption of the backup files in Job settings.

Now I want to make sure that there is no unauthorized change of encryption password which might result in immutable but not readable backups.
So is there any option to get notified by Veeam One if there is a change on current Encryption Password or another Encryption Password is chosen for a job?

Thanks,
Martin

[Mildur]

We are using Reports "Job Configuration Change Tracking" and the "Backup Objects Change Tracking" to get all Job and object changes once in a week.
You can send them also on a daily basis. I don't see a dedicated alarm for job change monitoring.

https://helpcenter.veeam.com/docs/one/r ... ml?ver=110
https://helpcenter.veeam.com/docs/one/r ... ml?ver=110

[nikolaj]

Hi Martin,

No, this is not possible with any of VONE's alarms at the moment, however, the feature itself is feasible and can be implemented, so thank you for the request.

Thanks.

[martin.r]

Hi,
so yes, a report would be an idea or also monitoring of event log entries for encryption password change but i would prefer an immediate information.

Actually i'm checking all eventualities for possible attacks.
So as the repository / files are now immutable and network isolated there is still the option to just change encryption password on VBR Server and all new generated Backups are in case of an issue / attack unusable (sure depending on the dimension of the issue but not complete unrealistic).

So yes, it would be great if that could be implemented to be monitored by Veeam One.

[tsmagnum]

Hello, I have the same issue with a customer of mine and I found a way to get an email alert when an encryption password is modified, using a script I wrote.

I'm not using Veeam One.

You can download my script here: https://github.com/tsmagnum/Veeam/blob/ ... sAlert.ps1 .
The only configuration needed is the smtp server you want to use, with username and password, recipient(s) and sender.

The event is logged in Windows in "Veeam Backup" log, ID 31700; you can easily attach a task to this event in the event log, using the "Start a program" action to run this script (this will create a scheduled task in Windows Server).

The task should be configured ("Actions" tab) to run

Code: Select all

powershell.exe

with arguments

Code: Select all

-executionpolicy bypass -file C:\<path to your script dir>\New-EncPassAlert.ps1

the task should also be configured to run hidden and whether a user is logged or not (on the "General" tab of the task).

Doing so, you will receive an email containing the logs entry related to the encryption password change, including the server name, the event time and the password modified.

The script is still a bit rough, but it does its job and maybe I'll be able to improve it later.

EDIT: I noticed that you want to be alerted even if someone selects a different encryption password for a tape set/repository. This event unfortunately is not logged in the event log, but I added in the script also the event ID 31600 (encryption password creation). It should be sufficient to attach the script execution to the "Veeam Backup" event ID 31600 too: if someone creates a new encryption password an alert will be fired and you will be able to investigate the issue.

Regards.

[tsmagnum]

Another small edit: I added in the script the event ID 31800 too, in order to monitor password deletion, so your scheduled task in Windows Server should have three triggers: one for event ID 31600, one for 31700, one for 31800.

[nikolaj]

Thanks for your input, tsmagnum!
We've collected feedback for this feature. I hope the alarm comes along in one of the future releases.

[tsmagnum]

Hello,

I have written a PowerShell script to create a report with the encryption passwords age of a VBR server, using the APIs. You can schedule the report and send the results via email.

The script is here: https://github.com/tsmagnum/Veeam/blob/ ... Status.ps1

[darren.flatman]

Can you tell me what event 31800 is for please? Looks like 31600 is created and 31700 is modified?

[tsmagnum]

Hi Darren, 31800 is for password deletion.

Regards

[jorgedlcruz]

Thank you so much guys, this feedback has been really important. We have taken into consideration for future releases.

Appreciated it! Thanks for the GitHub script as well!