Comprehensive data protection for all workloads
titanj
Lurker
Posts: 2
Liked: never
Joined: Oct 19, 2023 3:07 pm

Veeam and Netwrix monitoring

Post by titanj »

I've got an off-domain backup server running Veeam, and a domain-joined server running Netwrix server monitoring. Netwrix is picking up failed log-in alerts from the off-domain Veeam server, and I am not sure how this is happening. It's definitely not a true interactive log-in from the BDR server that it is picking up, as I cannot manually cause an alert to generate on Netwrix. It appears it is tied to our 6-hour backup job somehow, but there's no local administrator account creds being used there that I've been able to find.

Just wondering if anyone else has seen strange alerts like this while using both Veeam and Netwrix? And if there was a potential answer as to why/how these alerts are generating in the first place.
HannesK
Product Manager
Posts: 15127
Liked: 3232 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Veeam and Netwrix monitoring

Post by HannesK » 1 person likes this post

Hello,
and welcome to the forums.

I cannot say anything about Netwrix, but where does Netwrix get its data from? If it's Windows Eventlog, I would start the investigation there.

Best regards,
Hannes
foggy
Veeam Software
Posts: 21165
Liked: 2148 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Veeam and Netwrix monitoring

Post by foggy » 1 person likes this post

What particular Netwrix product is this? Most likely it is working based on the DC Event Log and part of your backup infrastructure is in the domain, so some job-related activity is causing the alerts.
titanj
Lurker
Posts: 2
Liked: never
Joined: Oct 19, 2023 3:07 pm

Re: Veeam and Netwrix monitoring

Post by titanj »

We are using the Netwrix Auditor, specifically the log-in activity monitoring plan. It does use the DC event logs for the log-in monitoring, I'm just not sure what portion of Veeam would be hitting the DC and triggering a failed login event since the server running Veeam is totally off-domain.

I've looked at the actual events generated on the DC, and it is missing several fields that would help nail this down. The only information it has is that the event source is 'BDR01.my-domain.local', which is puzzling since the BDR server is not domain joined and in a separate workgroup. I've triple-checked AD and there is absolutely no entry for this server there. I checked DNS records as well, and there are no entries for that FQDN either. I'm by no means a Veeam master, so I'm not sure where it could be coming from. General support from both vendors was not able to assist, so any points in the right direction are very much appreciated.
HannesK
Product Manager
Posts: 15127
Liked: 3232 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Veeam and Netwrix monitoring

Post by HannesK »

Hello,
I guess it's related to application aware processing https://helpcenter.veeam.com/docs/backu ... ml?ver=120 - maybe a wrong password somewhere.

"General support from both vendors was not able to assist"
What's the Veeam support case number?

Best regards,
Hannes
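
One way to carry out the DC event-log investigation suggested in this thread, as an added example that is not part of any post: list the failed-logon events whose workstation field names the backup server, show which account failed, and bucket them by hour for comparison with the 6-hour job schedule. Assumptions: the alerts come from Security events 4625 and 4776, the short name `BDR01` appears in the workstation field, and a two-day window is enough.

```powershell
# Added example. Run on a domain controller in an elevated PowerShell session.
# Assumptions: event IDs 4625/4776 are behind the alerts; 'BDR01' is the
# short name of the off-domain backup server named in the thread.
$source = 'BDR01'
$since  = (Get-Date).AddDays(-2)   # spans several runs of a 6-hour job

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4776         # failed logon; NTLM credential validation
    StartTime = $since
} -ErrorAction SilentlyContinue    # "no events found" is not an error here

$rows = foreach ($e in $events) {
    # Read EventData by field name, so fields absent from an event are just empty.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 4625 calls the field WorkstationName, 4776 calls it Workstation.
    $ws = @($d['WorkstationName'], $d['Workstation']) |
        Where-Object { $_ } | Select-Object -First 1
    if ($ws -notlike "*$source*") { continue }

    # 4776 is also logged for successful validations; keep failures only.
    if ($e.Id -eq 4776 -and $d['Status'] -eq '0x0') { continue }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Account     = $d['TargetUserName']   # the credential that failed
        Workstation = $ws
        IpAddress   = $d['IpAddress']        # 4625 only; may be '-' or empty
        LogonType   = $d['LogonType']        # 4625 only; 3 = network logon
        Status      = $d['Status']
        SubStatus   = $d['SubStatus']        # 4625 only
    }
}

# Per-event detail: the Account column shows which stored credential to check.
$rows | Sort-Object TimeCreated | Format-Table -AutoSize

# Hourly buckets: a cluster every six hours points at the backup job.
$rows | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Select-Object Name, Count
```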