Comprehensive data protection for all workloads
Post Reply
pirx
Veteran
Posts: 599
Liked: 87 times
Joined: Dec 20, 2015 6:24 pm
Contact:

forwarding audit/login data to a SIEM system

Post by pirx »

I found some posts about audit logs and know that there are reports in VeeamOne and Enterprise Manager. Reports are not really feasible for forwarding to a SIEM.

What we need as a start:

- login attempts, successful or failed
- admin tasks, like config changes
- change of admin permissions (add user with admin rights or grant admin permissions)

From what I've found in the forum all (admin) tasks is probably not possible currently. In VBR audit log only restores are logged. Looking at C:\ProgramData\Veeam\Backup\Satellites\ there seems to be a log for every user on a system with a console running. But it seems failed logins are not logged there. I tried a unknown user, no new log was create. With a existing user with permissions and a wrong password nothing was added to the log of this user.

Is there a way to get the basic information about all logins attempts. This is a huge topic now and we somehow need to get this information.
jorgedlcruz
Veeam Software
Posts: 1494
Liked: 655 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: forwarding audit/login data to a SIEM system

Post by jorgedlcruz » 1 person likes this post

Hello,
Yes this has been always a big topic. There is a combination of logs, API, and windows event logs: depending of what you need.

Let me search for a few specific windows event logs regarding login attempts, etc.

With VONE v11a, and moreover in v12, we are exposing all alerts, across all products, on API. So it will become easier to pass that to SIEMs in the future.

Give me some time
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
DC-KZH
Lurker
Posts: 1
Liked: never
Joined: Aug 23, 2022 8:29 am
Full Name: DataCenter-KZH
Contact:

Re: forwarding audit/login data to a SIEM system

Post by DC-KZH »

We are also looking for a Audit Log forwarding possibility into our SIEM...
pirx
Veteran
Posts: 599
Liked: 87 times
Joined: Dec 20, 2015 6:24 pm
Contact:

Re: forwarding audit/login data to a SIEM system

Post by pirx »

@jorgedlcruz

any update on that? I'm still trying to find out how to forward Veeam logs to our SIEM system, what the best way would be.
bct44
Veeam Software
Posts: 144
Liked: 38 times
Joined: Jul 28, 2022 12:57 pm
Contact:

Re: forwarding audit/login data to a SIEM system

Post by bct44 »

As long is not supported in Veeam app, you will need an agent on server like nxlog or winlogbeat (if you're using elastic).
Bertrand / TAM EMEA
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: forwarding audit/login data to a SIEM system

Post by Gostev »

We're looking to add syslog integration in future. For now, check if your SIEM support Windows Event Log as the data source, as if it does then it's all you need to get all Veeam events data into your system.
pirx
Veteran
Posts: 599
Liked: 87 times
Joined: Dec 20, 2015 6:24 pm
Contact:

Re: forwarding audit/login data to a SIEM system

Post by pirx »

In Event log is see not all interesting information our security team requested. Information about delete backup, changes to retention times (set to shorter time), "change rate" of job configuration etc. All the steps an attacker would probably take if he gets access to backup environment.
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: forwarding audit/login data to a SIEM system

Post by Gostev »

V12 adds over 90 additional events so hopefully it will close the gap. If something is still missing in V12 do let @Egor Yakovlev know in this thread.
sschlott
Veeam Software
Posts: 78
Liked: 10 times
Joined: Jan 05, 2023 2:19 pm
Full Name: Sebastian Schlott
Contact:

Re: forwarding audit/login data to a SIEM system

Post by sschlott »

@Egor Yakovlev
Hello!
Is there a list of the additional events with v12? Customer is looking for login source (IP).
Kind Regards!
Dima P.
Product Manager
Posts: 14726
Liked: 1706 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: forwarding audit/login data to a SIEM system

Post by Dima P. »

Hello Sebastian,

You can review the full list of Veeam B&R events in this Help Center article > Veeam Backup & Replication Events and it includes all newly added events. Will that work for your customer? Thank you!
sschlott
Veeam Software
Posts: 78
Liked: 10 times
Joined: Jan 05, 2023 2:19 pm
Full Name: Sebastian Schlott
Contact:

Re: forwarding audit/login data to a SIEM system

Post by sschlott »

Thank you Dima!
I am especially looking for login information: username, source, etc.
Where can these be found?

Do we have recommendations for this?
Dima P.
Product Manager
Posts: 14726
Liked: 1706 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: forwarding audit/login data to a SIEM system

Post by Dima P. »

If you are referring to console login attempts, it's under General:
Veeam Backup & Replication console has been launched event contains the information about user in the event data field.

More Security events are in this table and Job activities are here.
sschlott
Veeam Software
Posts: 78
Liked: 10 times
Joined: Jan 05, 2023 2:19 pm
Full Name: Sebastian Schlott
Contact:

Re: forwarding audit/login data to a SIEM system

Post by sschlott »

I can only find event 40100 Shell login for starting console.

Do you have an example for successful and a denied login?
Customer need to know what exactly is loged.

Thanks!
Dima P.
Product Manager
Posts: 14726
Liked: 1706 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: forwarding audit/login data to a SIEM system

Post by Dima P. »

Hello Sebastian,

For success we log:

Code: Select all

...
  - EventID 40100 
...
   Computer %machinename%
...
- EventData 
   %username%
   Veeam Backup & Replication console has been launched. 
When access is denied to the console the following event is created:

Code: Select all

...
  - EventID 1 
...
   Computer  %machinename% 
...
- EventData 
   Alternative log directory setting error : System.UnauthorizedAccessException: Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication' is denied
sschlott
Veeam Software
Posts: 78
Liked: 10 times
Joined: Jan 05, 2023 2:19 pm
Full Name: Sebastian Schlott
Contact:

Re: forwarding audit/login data to a SIEM system

Post by sschlott »

Hello Dima,
Thank you very much!

As far as I understand this is something different from a login, successful or not, this is just the launch of the console.

Where can we find the login attempts? Is it Microsoft events?
Dima P.
Product Manager
Posts: 14726
Liked: 1706 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: forwarding audit/login data to a SIEM system

Post by Dima P. » 2 people like this post

Sebastian,

Unfortunately there is no dedicated 'user login' event, only console launch.
sschlott
Veeam Software
Posts: 78
Liked: 10 times
Joined: Jan 05, 2023 2:19 pm
Full Name: Sebastian Schlott
Contact:

Re: forwarding audit/login data to a SIEM system

Post by sschlott »

Is there something else we could use, maybe in another log file?

Thanks!
Egor Yakovlev
Product Manager
Posts: 2581
Liked: 708 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic
Contact:

Re: forwarding audit/login data to a SIEM system

Post by Egor Yakovlev »

There is also a standard 4625 event from source "Microsoft Windows security auditing" in the standard Windows "Security" event log, Task Category: Logon, Keywords: Audit failure.
/Cheers!

p.s. investigating mentioned earlier "access denied" event, as that one should clearly reflect failed logon too...
sschlott
Veeam Software
Posts: 78
Liked: 10 times
Joined: Jan 05, 2023 2:19 pm
Full Name: Sebastian Schlott
Contact:

Re: forwarding audit/login data to a SIEM system

Post by sschlott »

Thank you very much!
chris.childerhose
Veeam Vanguard
Posts: 636
Liked: 154 times
Joined: Aug 13, 2014 6:03 pm
Full Name: Chris Childerhose
Location: Toronto, ON
Contact:

Re: forwarding audit/login data to a SIEM system

Post by chris.childerhose »

Dima P. wrote: Feb 24, 2023 9:17 pm Sebastian,

Unfortunately there is no dedicated 'user login' event, only console launch.
Having this from VBR to Syslog would be a great enhancement. This way, everything is contained in one spot, and you do not need to use multiple places to find details. Here's hoping for this in the next 12.X release.
-----------------------
Chris Childerhose
Veeam Vanguard / Veeam Legend / Veeam Ceritified Architect / VMCE
vExpert / VCAP-DCA / VCP8 / MCITP
Personal blog: https://just-virtualization.tech
Twitter: @cchilderhose
Egor Yakovlev
Product Manager
Posts: 2581
Liked: 708 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic
Contact:

Re: forwarding audit/login data to a SIEM system

Post by Egor Yakovlev » 2 people like this post

Totally agree, however there are some complications to make this specific event go live within v12.x release cycle, so I am aiming for v13 with it.
Post Reply

Who is online

Users browsing this forum: Bing [Bot] and 57 guests