-
- Veteran
- Posts: 599
- Liked: 87 times
- Joined: Dec 20, 2015 6:24 pm
- Contact:
forwarding audit/login data to a SIEM system
I found some posts about audit logs and know that there are reports in VeeamOne and Enterprise Manager. Reports are not really feasible for forwarding to a SIEM.
What we need as a start:
- login attempts, successful or failed
- admin tasks, like config changes
- change of admin permissions (add user with admin rights or grant admin permissions)
From what I've found in the forum all (admin) tasks is probably not possible currently. In VBR audit log only restores are logged. Looking at C:\ProgramData\Veeam\Backup\Satellites\ there seems to be a log for every user on a system with a console running. But it seems failed logins are not logged there. I tried an unknown user, no new log was created. With an existing user with permissions and a wrong password nothing was added to the log of this user.
Is there a way to get the basic information about all login attempts? This is a huge topic now and we somehow need to get this information.
-
- Veeam Software
- Posts: 1494
- Liked: 655 times
- Joined: Jul 17, 2015 6:54 pm
- Full Name: Jorge de la Cruz
- Contact:
Re: forwarding audit/login data to a SIEM system
Hello,
Yes, this has always been a big topic. There is a combination of logs, API, and Windows event logs, depending on what you need.
Let me search for a few specific Windows event logs regarding login attempts, etc.
With VONE v11a, and moreover in v12, we are exposing all alerts, across all products, on API. So it will become easier to pass that to SIEMs in the future.
Give me some time
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software
@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Aug 23, 2022 8:29 am
- Full Name: DataCenter-KZH
- Contact:
Re: forwarding audit/login data to a SIEM system
We are also looking for an Audit Log forwarding possibility into our SIEM...
-
- Veteran
- Posts: 599
- Liked: 87 times
- Joined: Dec 20, 2015 6:24 pm
- Contact:
Re: forwarding audit/login data to a SIEM system
@jorgedlcruz
any update on that? I'm still trying to find out how to forward Veeam logs to our SIEM system, what the best way would be.
-
- Veeam Software
- Posts: 144
- Liked: 38 times
- Joined: Jul 28, 2022 12:57 pm
- Contact:
Re: forwarding audit/login data to a SIEM system
As long as it is not supported in the Veeam app, you will need an agent on the server like nxlog or winlogbeat (if you're using elastic).
Bertrand / TAM EMEA
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: forwarding audit/login data to a SIEM system
We're looking to add syslog integration in the future. For now, check if your SIEM supports Windows Event Log as the data source, as if it does then it's all you need to get all Veeam events data into your system.
-
- Veteran
- Posts: 599
- Liked: 87 times
- Joined: Dec 20, 2015 6:24 pm
- Contact:
Re: forwarding audit/login data to a SIEM system
In the Event log I don't see all the interesting information our security team requested. Information about delete backup, changes to retention times (set to shorter time), "change rate" of job configuration etc. All the steps an attacker would probably take if he gets access to the backup environment.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: forwarding audit/login data to a SIEM system
V12 adds over 90 additional events so hopefully it will close the gap. If something is still missing in V12 do let @Egor Yakovlev know in this thread.
-
- Veeam Software
- Posts: 78
- Liked: 10 times
- Joined: Jan 05, 2023 2:19 pm
- Full Name: Sebastian Schlott
- Contact:
Re: forwarding audit/login data to a SIEM system
@Egor Yakovlev
Hello!
Is there a list of the additional events with v12? Customer is looking for login source (IP).
Kind Regards!
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: forwarding audit/login data to a SIEM system
Hello Sebastian,
You can review the full list of Veeam B&R events in this Help Center article > Veeam Backup & Replication Events and it includes all newly added events. Will that work for your customer? Thank you!
-
- Veeam Software
- Posts: 78
- Liked: 10 times
- Joined: Jan 05, 2023 2:19 pm
- Full Name: Sebastian Schlott
- Contact:
Re: forwarding audit/login data to a SIEM system
Thank you Dima!
I am especially looking for login information: username, source, etc.
Where can these be found?
Do we have recommendations for this?
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: forwarding audit/login data to a SIEM system
If you are referring to console login attempts, it's under General:
Veeam Backup & Replication console has been launched event contains the information about user in the event data field.
More Security events are in this table and Job activities are here.
-
- Veeam Software
- Posts: 78
- Liked: 10 times
- Joined: Jan 05, 2023 2:19 pm
- Full Name: Sebastian Schlott
- Contact:
Re: forwarding audit/login data to a SIEM system
I can only find event 40100 Shell login for starting console.
Do you have an example for a successful and a denied login?
The customer needs to know what exactly is logged.
Thanks!
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: forwarding audit/login data to a SIEM system
Hello Sebastian,
For success we log:
Code:
...
- EventID 40100
...
Computer %machinename%
...
- EventData
%username%
Veeam Backup & Replication console has been launched.
When access is denied to the console the following event is created:
Code:
...
- EventID 1
...
Computer %machinename%
...
- EventData
Alternative log directory setting error : System.UnauthorizedAccessException: Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication' is denied
-
- Veeam Software
- Posts: 78
- Liked: 10 times
- Joined: Jan 05, 2023 2:19 pm
- Full Name: Sebastian Schlott
- Contact:
Re: forwarding audit/login data to a SIEM system
Hello Dima,
Thank you very much!
As far as I understand this is something different from a login, successful or not, this is just the launch of the console.
Where can we find the login attempts? Is it Microsoft events?
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: forwarding audit/login data to a SIEM system
Sebastian,
Unfortunately there is no dedicated 'user login' event, only console launch.
-
- Veeam Software
- Posts: 78
- Liked: 10 times
- Joined: Jan 05, 2023 2:19 pm
- Full Name: Sebastian Schlott
- Contact:
Re: forwarding audit/login data to a SIEM system
Is there something else we could use, maybe in another log file?
Thanks!
-
- Product Manager
- Posts: 2581
- Liked: 708 times
- Joined: Jun 14, 2013 9:30 am
- Full Name: Egor Yakovlev
- Location: Prague, Czech Republic
- Contact:
Re: forwarding audit/login data to a SIEM system
There is also a standard 4625 event from source "Microsoft Windows security auditing" in the standard Windows "Security" event log, Task Category: Logon, Keywords: Audit failure.
/Cheers!
p.s. investigating mentioned earlier "access denied" event, as that one should clearly reflect failed logon too...
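Added example (not written by any poster in this thread and not Veeam's code): Python that normalizes the two events named above, console launch 40100 and Windows Security 4625, into JSON lines for a SIEM, and shows that only 4625 carries a source address. The XML samples are constructed, the 40100 provider name is a placeholder, and reading the user name from the first unnamed `Data` element of 40100 is an assumption based on the fragment posted earlier in the thread.

```python
import json
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HEAD = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
TAIL = ('<TimeCreated SystemTime="2023-03-01T08:15:00Z"/>'
        '<Computer>vbr01.example.test</Computer></System><EventData>')
# Constructed samples, not real log data; hosts, users and the 40100 provider are placeholders.
SAMPLE_40100 = (HEAD + '<Provider Name="PLACEHOLDER-PROVIDER"/><EventID>40100</EventID>' + TAIL +
    '<Data>EXAMPLE\\backupadmin</Data>'
    '<Data>Veeam Backup &amp; Replication console has been launched.</Data></EventData></Event>')
SAMPLE_4625 = (HEAD + '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
    '<EventID>4625</EventID>' + TAIL +
    '<Data Name="TargetUserName">backupadmin</Data><Data Name="TargetDomainName">EXAMPLE</Data>'
    '<Data Name="LogonType">3</Data><Data Name="IpAddress">192.0.2.44</Data></EventData></Event>')

def normalize(event_xml):
    """Return a flat dict for the SIEM, or None for event IDs this example does not map."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    data = root.findall("e:EventData/e:Data", NS)
    named = {d.get("Name"): (d.text or "") for d in data if d.get("Name")}
    unnamed = [(d.text or "") for d in data if not d.get("Name")]
    rec = {"time": system.find("e:TimeCreated", NS).get("SystemTime"),
           "host": system.findtext("e:Computer", namespaces=NS),
           "event_id": event_id}
    if event_id == 40100:
        # Console launch: user is in the event data, there is no source address field.
        rec.update(action="console_launch", outcome="success",
                   user=unnamed[0] if unnamed else None, src_ip=None)
    elif event_id == 4625:
        # Windows failed logon: IpAddress is "-" when no network source was recorded.
        user, dom = named.get("TargetUserName"), named.get("TargetDomainName")
        ip = named.get("IpAddress")
        rec.update(action="logon", outcome="failure",
                   user=f"{dom}\\{user}" if dom else user,
                   src_ip=None if ip in (None, "", "-") else ip)
    else:
        return None
    return rec

def forward_lines(events):
    """One JSON line per mapped event, ready to hand to a log shipper."""
    return [json.dumps(r, sort_keys=True) for r in map(normalize, events) if r]

if __name__ == "__main__":
    print("\n".join(forward_lines([SAMPLE_40100, SAMPLE_4625])))
```

Event XML in this schema can be exported with `wevtutil qe <log> /f:xml`; correlating a 4625 failure with a later 40100 launch for the same user and host is then a SIEM-side rule.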
-
- Veeam Software
- Posts: 78
- Liked: 10 times
- Joined: Jan 05, 2023 2:19 pm
- Full Name: Sebastian Schlott
- Contact:
Re: forwarding audit/login data to a SIEM system
Thank you very much!
-
- Veeam Vanguard
- Posts: 636
- Liked: 154 times
- Joined: Aug 13, 2014 6:03 pm
- Full Name: Chris Childerhose
- Location: Toronto, ON
- Contact:
Re: forwarding audit/login data to a SIEM system
Having this from VBR to Syslog would be a great enhancement. This way, everything is contained in one spot, and you do not need to use multiple places to find details. Here's hoping for this in the next 12.X release.
-----------------------
Chris Childerhose
Veeam Vanguard / Veeam Legend / Veeam Certified Architect / VMCE
vExpert / VCAP-DCA / VCP8 / MCITP
Personal blog: https://just-virtualization.tech
Twitter: @cchilderhose
-
- Product Manager
- Posts: 2581
- Liked: 708 times
- Joined: Jun 14, 2013 9:30 am
- Full Name: Egor Yakovlev
- Location: Prague, Czech Republic
- Contact:
Re: forwarding audit/login data to a SIEM system
Totally agree, however there are some complications to make this specific event go live within v12.x release cycle, so I am aiming for v13 with it.