Seve CH
Expert
Posts: 101
Liked: 41 times
Joined: May 09, 2016 2:34 pm
Full Name: JM Severino
Location: Switzerland

Veeam Enterprise Manager audit log

Post by Seve CH »

Hello

Traditionally most traceability efforts are focused on data restores or data access, but how about configuration changes?
Think about Active Directory. It is nice to know who logged into a system. It is also nice to know who granted domain administrator to somebody.

I'm trying to figure out when, by whom and how one of the restore profiles in Enterprise Manager was changed. In this case, there is a restore profile assigned to some users and limited to a very specific machine set. It's not a big deal, the outlier VM is related to the others, but somebody added a new VM there and I want to know who and since when is that so.

Yesterday I updated the license (we renewed support) and I also cannot find any trace of it in a user-friendly way.

I've been looking for files here: C:\ProgramData\Veeam\Backup but this is very arcane.

Does Veeam Enterprise Manager keep a trace on who modified things somewhere? Like account management, permissions management, configuration changes, licensing, etc.

Best regards
Seve
david.domask
Veeam Software
Posts: 2660
Liked: 615 times
Joined: Jun 28, 2016 12:12 pm

Re: Veeam Enterprise Manager audit log

Post by david.domask »

Hi Seve CH,

Unfortunately this is tracked in logging at the moment, but makes sense to consider making this a bit easier. Will discuss this idea internally.

For now, you can review the Svc.VeeamBES.log log and look for lines like below:
[25.10.2024 09:44:52.681] <04> Info (3) Logon as new user LAB\david. Session [s1] #Account Login
[25.10.2024 09:44:52.693] <04> Info (3) Found account. The user is in group [BUILTIN\Administrators]
[25.10.2024 09:44:52.693] <04> Info (3) Found account. Account: Id: [592dfa5a-0784-405a-bfa4-dfe7b265a8ec], Info: [Name: [LAB\david], Type: [User]]

New Account Added:
[25.10.2024 09:44:52.705] <04> Info (3) Info for login user added successfully
[25.10.2024 09:46:06.765] <58> Info (3) Adding RoleAccountGroup. GroupId: [d51122b1-7040-459b-8b1e-70b9b747881a], Account: [backupuser]
[25.10.2024 09:46:09.211] <58> Info (3) Creating RoleAccount. Account: [backupuser], Role: [Portal Administrator]
[25.10.2024 09:46:09.227] <58> Info (3) RoleAccount [bdfeb736-ce86-4254-b27c-a89acc83103e] was created

Role scope being changed -- Note the Session ID in bold

[25.10.2024 09:49:40.225] <14> Info (3) Security scope rebuild session is created. Session ID: "b1f8ba80-056f-42a2-b701-c2f56d8ba315", Timeout: 60 minute(s)
[25.10.2024 09:49:40.225] <14> Info (3) Command line arguments:
[25.10.2024 09:49:40.225] <14> Info (3) C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\Veeam.Backup.Enterprise.SecScopesRebuildJob.exe /sessionId b1f8ba80-056f-42a2-b701-c2f56d8ba315
That ID can be searched in the Util.EM.SecurityScopesRebuild.log log for the details on what was changed; however, these logs can be fairly dense. Veeam Support will be able to assist on these steps also, should there be a need to determine which account was used to make such changes.
David Domask | Product Management: Principal Analyst
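A small parser for the kind of review David describes, added here as an example; it is not Veeam's tooling and not part of the original thread. It only knows the line prefix and the message strings visible in the excerpt above (logon, RoleAccountGroup added, RoleAccount created, security scope rebuild session). The event names, the `Event` type and the sample Util.EM.SecurityScopesRebuild.log lines are my own assumptions, and the second-log lookup is a plain substring search because the thread does not show that log's format.

```python
"""Pull auditable events out of Veeam Enterprise Manager's Svc.VeeamBES.log.

Added example, not Veeam's code. Line prefix and message strings come from the
log excerpt posted in the thread; event names and the rebuild-log sample are
constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Every record starts with: [dd.MM.yyyy HH:mm:ss.fff] <thread> Level (n) message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\] "
    r"<(?P<thread>\d+)> (?P<level>\w+)\s+\(\d+\) (?P<msg>.*)$"
)

# Message patterns for the events worth auditing (wording taken from the excerpt;
# the dictionary keys are my own labels).
EVENT_PATTERNS = {
    "logon": re.compile(r"^Logon as new user (?P<user>\S+)\."),
    "role_group_add": re.compile(
        r"^Adding RoleAccountGroup\. GroupId: \[(?P<group>[^\]]+)\], Account: \[(?P<account>[^\]]+)\]"),
    "role_account_create": re.compile(
        r"^Creating RoleAccount\. Account: \[(?P<account>[^\]]+)\], Role: \[(?P<role>[^\]]+)\]"),
    "role_account_created": re.compile(r"^RoleAccount \[(?P<id>[^\]]+)\] was created"),
    "scope_rebuild": re.compile(
        r'^Security scope rebuild session is created\. Session ID: "(?P<session>[0-9a-fA-F-]+)"'),
}


@dataclass
class Event:
    timestamp: str
    thread: str
    kind: str
    fields: dict = field(default_factory=dict)


def parse_bes_log(text: str) -> list[Event]:
    """Return the security-relevant events found in Svc.VeeamBES.log text, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, continuation lines, anything that is not a record
        for kind, pattern in EVENT_PATTERNS.items():
            em = pattern.match(m["msg"])
            if em:
                events.append(Event(m["ts"], m["thread"], kind, em.groupdict()))
                break
    return events


def find_session_lines(session_id: str, text: str) -> list[str]:
    """Lines of another log (e.g. Util.EM.SecurityScopesRebuild.log) mentioning the session ID.

    Plain substring match: nothing about that log's layout is assumed.
    """
    return [ln for ln in text.splitlines() if session_id in ln]


def timeline(events: list[Event]) -> list[str]:
    """One human-readable line per event, for a quick 'who did what, when' review."""
    return [f"{e.timestamp} <{e.thread}> {e.kind}: {e.fields}" for e in events]


# Sample input: the Svc.VeeamBES.log lines quoted in the thread (raw string, so the
# backslashes in LAB\david and the exe path are kept as-is).
SAMPLE_BES_LOG = r"""
[25.10.2024 09:44:52.681] <04> Info (3) Logon as new user LAB\david. Session [s1] #Account Login
[25.10.2024 09:44:52.693] <04> Info (3) Found account. The user is in group [BUILTIN\Administrators]
[25.10.2024 09:44:52.693] <04> Info (3) Found account. Account: Id: [592dfa5a-0784-405a-bfa4-dfe7b265a8ec], Info: [Name: [LAB\david], Type: [User]]
[25.10.2024 09:44:52.705] <04> Info (3) Info for login user added successfully
[25.10.2024 09:46:06.765] <58> Info (3) Adding RoleAccountGroup. GroupId: [d51122b1-7040-459b-8b1e-70b9b747881a], Account: [backupuser]
[25.10.2024 09:46:09.211] <58> Info (3) Creating RoleAccount. Account: [backupuser], Role: [Portal Administrator]
[25.10.2024 09:46:09.227] <58> Info (3) RoleAccount [bdfeb736-ce86-4254-b27c-a89acc83103e] was created
[25.10.2024 09:49:40.225] <14> Info (3) Security scope rebuild session is created. Session ID: "b1f8ba80-056f-42a2-b701-c2f56d8ba315", Timeout: 60 minute(s)
[25.10.2024 09:49:40.225] <14> Info (3) Command line arguments:
[25.10.2024 09:49:40.225] <14> Info (3) C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\Veeam.Backup.Enterprise.SecScopesRebuildJob.exe /sessionId b1f8ba80-056f-42a2-b701-c2f56d8ba315
"""

# Constructed stand-in for Util.EM.SecurityScopesRebuild.log; the real format is not shown
# in the thread, so these lines are assumptions used only to exercise the lookup.
SAMPLE_REBUILD_LOG = """\
[25.10.2024 09:49:41.001] <07> Info (3) Rebuild started for session b1f8ba80-056f-42a2-b701-c2f56d8ba315
[25.10.2024 09:49:41.002] <07> Info (3) Unrelated housekeeping line
[25.10.2024 09:49:42.310] <07> Info (3) Session b1f8ba80-056f-42a2-b701-c2f56d8ba315 finished
"""

if __name__ == "__main__":
    found = parse_bes_log(SAMPLE_BES_LOG)
    print("\n".join(timeline(found)))
    for ev in found:
        if ev.kind == "scope_rebuild":
            for ln in find_session_lines(ev.fields["session"], SAMPLE_REBUILD_LOG):
                print("  rebuild log:", ln)
```

Run it against the real files by reading them into `parse_bes_log` and `find_session_lines`; the point is to reduce two dense logs to a short timeline of logons, role changes and scope rebuilds that can be handed to whoever needs to answer "who changed this, and when".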
Seve CH
Expert
Posts: 101
Liked: 41 times
Joined: May 09, 2016 2:34 pm
Full Name: JM Severino
Location: Switzerland

Re: Veeam Enterprise Manager audit log

Post by Seve CH »

Thanks David for your answer.

I didn't manage to correlate the different logs. It is not that big a deal. We will remove the VM from the role's scope and do an internal retraining + awareness on change management :-)

I hope you can improve the central management of such traceability. If the data is going to the DB (I hope so!), it may impact people still using SQL Express (DB storage consumption), but it seems that your roadmap is clearly moving to PostgreSQL, so logging large quantities of stuff there shouldn't be a problem.

My IT security colleagues will be very happy to have that information too. Creating users or modifying existing scopes in Enterprise Manager is a great way to gain persistence on compromised systems or to exfiltrate data.

Best regards
Seve
