mogan2055847
Enthusiast
Posts: 25
Liked: never
Joined: Dec 08, 2021 10:39 am
Full Name: Mogansundram Apna
Contact:

Audit Trail | Tracking and Compliance - ServiceNow, Splunk integration

Post by mogan2055847 »

Hello,

Audit trail tracking is mandatory for us. This does not refer to job status, but more specifically to keeping track of details. For example, when someone performs an Active Directory attributes application item recovery from the Veeam console to the production Domain Controller, we need an audit trail to track information like (the change was initiated from the Veeam server, who triggered the restore, what attributes\objects were restored, restore time, etc.). Then, all these audit trail details can be integrated with ServiceNow or Splunk.

Is this possible? We couldn't find any guide related to audit trail tracking that integrates with ServiceNow or Splunk.

Thank you in advance.
Mildur
Product Manager
Posts: 8735
Liked: 2295 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Audit Trail | Tracking and Compliance - ServiceNow, Splunk integration

Post by Mildur »

Hi Mogansundram

Audit reports are a feature from our Monitoring tool Veeam One.
https://helpcenter.veeam.com/docs/one/r ... ml?ver=120
https://helpcenter.veeam.com/docs/one/r ... ml?ver=120

I'll let the VeeamOne team answer whether more granular audits are planned or not.

Best,
Fabian
Product Management Analyst @ Veeam Software
RomanK
Veeam Software
Posts: 641
Liked: 168 times
Joined: Nov 01, 2016 11:26 am
Contact:

Re: Audit Trail | Tracking and Compliance - ServiceNow, Splunk integration

Post by RomanK »

Hello Mogansundram,

You may find the Veeam Backup & Replication audit log on the Security tab.
The low-level audit events can be found in the "Veeam Backup" Windows event log.
Veeam ONE audit logs are recorded in the "Veeam ONE" Windows event log.

I believe no additional integration from the Veeam side is required to monitor the event logs.

If you are also interested in high-level audits, check the reports Mildur already mentioned plus Backup Objects Change Tracking, Job Configuration Change Tracking, or Infrastructure Changes Audit for vSphere.

Thanks
mogan2055847
Enthusiast
Posts: 25
Liked: never
Joined: Dec 08, 2021 10:39 am
Full Name: Mogansundram Apna
Contact:

Re: Audit Trail | Tracking and Compliance - ServiceNow, Splunk integration

Post by mogan2055847 »

Hello Mildur, Roman,

Is VeeamOne monitoring or reporting able to show more granular details? For example, if I perform an AD attributes application item recovery from Veeam target track to the production Domain Controller, can it provide audit track details like restore initiated from the Veeam server, who triggered the restore, and more importantly, which specific attributes were restored, restore time, etc.?

Secondly, if the above can be accomplished, does VBR12 or VeeamOne support integration with ServiceNow or Splunk? We need to send the audit trail tracking details mentioned above to ServiceNow and Splunk.

Thank you in advance.
jorgedlcruz
Veeam Software
Posts: 1372
Liked: 619 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: Audit Trail | Tracking and Compliance - ServiceNow, Splunk integration

Post by jorgedlcruz »

Hello,
Yes, the Report you are looking for is the one Mildur shared https://helpcenter.veeam.com/docs/one/r ... ml?ver=120
And yes again, this report includes granular details of what you have done, including Active Directory. Take a look at my test:
Image

You can configure these Reports to be sent over email, in PDF, CSV, or Excel format.

If you want an official notification to ServiceNow, you will need to wait for an upcoming release.

Unofficial and unsupported
You can grab the alert called Restore Activity - https://helpcenter.veeam.com/docs/one/m ... ml?ver=120 and send it using a PowerShell command to either SNOW or Splunk, example.

Future
We are currently working on how to query Reports on the API, but as of today that is not available.

Workaround, still unofficial and unsupported
Workaround to take Report data to PowerShell, and from there to whatever you want. It is as simple as taking this code. What this code does is log in to the VONE SQL database using Windows authentication (make sure your DB and your instance are correct). It then runs the same stored procedure we use for the report:

```powershell
# Specify the SQL Server and database
$SQLServer = "VEEAMONE\VEEAMSQL2017"
$SQLDBName = "VEEAMONE"

# Build the connection string (Integrated Security = Windows authentication)
$ConnectionString = "Server = $SQLServer; Database = $SQLDBName; Integrated Security = True;"

# Instantiate a new SQL Connection
$SqlConnection = New-Object System.Data.SqlClient.SqlConnection
$SqlConnection.ConnectionString = $ConnectionString

# Instantiate a new SQL Command
$SqlCmd = New-Object System.Data.SqlClient.SqlCommand
$SqlCmd.Connection = $SqlConnection

# Define the Stored Procedure and Parameters (You can use PeriodType cday, cweek, cmonth, cyear, pday, pweek, pmonth)
$SqlCmd.CommandType = [System.Data.CommandType]::StoredProcedure
$SqlCmd.CommandText = "[reportpack].[rsrp_Backup_RestoreOperatorActivity]"
# Out-Null keeps the returned SqlParameter object out of the script output
$SqlCmd.Parameters.AddWithValue("@PeriodType", "cday") | Out-Null

# Open SQL Connection and execute the command; the connection is closed even if the query fails
$DataSet = New-Object System.Data.DataSet
try {
    $SqlConnection.Open()
    $SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter $SqlCmd
    $SqlAdapter.Fill($DataSet) | Out-Null   # Fill returns the row count
}
finally {
    $SqlConnection.Close()
}

# Filter the results where row_id = 0
$FilteredData = $DataSet.Tables[0] | Where-Object { $_.row_id -eq 0 }

# Display the result
$FilteredData | Format-Table

# Exports to JSON/CSV ($PSScriptRoot is only set when this runs as a saved .ps1 script)
$FilteredData | ConvertTo-Json | Set-Content -Path "$PSScriptRoot\RestoreOperatorActivity.json"
$FilteredData | Export-Csv -Path "$PSScriptRoot\RestoreOperatorActivity.csv" -NoTypeInformation
```
You can of course adjust that code to send the data to your application instead of exporting JSON or CSV. It is not officially supported; use it at your own risk. The exports will look like this:
CSV
Image

JSON
Image
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
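
One way to do the "send it to Splunk" step from the post above, as an added example that is not part of the original post and is not Veeam or Splunk code: it flattens the report rows and posts them to Splunk's HTTP Event Collector. The environment variable names, the sourcetype and the sample columns are assumptions made for illustration; only `row_id` appears in the thread.

```powershell
function ConvertTo-PlainRow {
    # ConvertTo-Json on a raw DataRow also emits RowError, RowState, Table, ItemArray and
    # HasErrors; copy only the real columns, and turn dates into ISO 8601 strings.
    param([Parameter(Mandatory)][System.Data.DataTable]$Table)
    foreach ($row in $Table.Rows) {
        $o = [ordered]@{}
        foreach ($col in $Table.Columns) {
            $v = $row[$col.ColumnName]
            if ($v -is [DBNull])       { $v = $null }
            elseif ($v -is [datetime]) { $v = $v.ToString('o') }
            $o[$col.ColumnName] = $v
        }
        [pscustomobject]$o
    }
}

function New-HecBody {
    # HEC accepts several event envelopes concatenated in a single POST body.
    param([Parameter(Mandatory)][object[]]$Rows,
          [string]$SourceType = 'veeamone:restore_audit')   # hypothetical sourcetype name
    # Collection time; map "time" to the report's own restore-time column once you know its name.
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    ($Rows | ForEach-Object {
        @{ time = $now; host = $env:COMPUTERNAME; sourcetype = $SourceType; event = $_ } |
            ConvertTo-Json -Compress -Depth 4
    }) -join "`n"
}

# Constructed sample standing in for $DataSet.Tables[0]; column names other than row_id are made up.
$t = New-Object System.Data.DataTable
[void]$t.Columns.Add('row_id', [int])
[void]$t.Columns.Add('operator', [string])
[void]$t.Columns.Add('restored_item', [string])
[void]$t.Rows.Add(0, 'EXAMPLE\operator1', 'constructed AD object')

$rows = @(ConvertTo-PlainRow -Table $t | Where-Object { $_.row_id -eq 0 })
$body = New-HecBody -Rows $rows

if ($env:SPLUNK_HEC_URL -and $env:SPLUNK_HEC_TOKEN) {
    # URL form: https://<splunk-host>:8088/services/collector/event (keep it HTTPS;
    # the token is read from the environment rather than stored in the script)
    Invoke-RestMethod -Method Post -Uri $env:SPLUNK_HEC_URL -Body $body `
        -ContentType 'application/json' `
        -Headers @{ Authorization = "Splunk $env:SPLUNK_HEC_TOKEN" }
} else {
    $body   # dry run: print what would be sent
}
```

Run it on a schedule under an account that has only read access to the Veeam ONE database, and track the last forwarded row so repeated runs within the same period do not duplicate events in Splunk.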