-
- Influencer
- Posts: 15
- Liked: never
- Joined: Apr 22, 2013 9:17 am
- Full Name: Nick Tan
- Contact:
Surebackup integration with SIEM
Is there any way for SureBackup to output a certain log/report to be sent to a security information and event management (SIEM) system?
I understand that there will be a SureBackup mail report; has anyone tried to integrate it with a SIEM before?
-
- Service Provider
- Posts: 43
- Liked: 1 time
- Joined: Feb 02, 2017 4:11 pm
- Full Name: Brent Barnett
[MERGED] Veeam to SIEM
Does anyone have Veeam going to their SIEM? If so, are you using the API, Events on the servers, or UDLA?
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Surebackup integration with SIEM
As far as I know, usually Windows Event log is used to post events to SIEM about backup activity. We have events for almost all actions, cases, so this should be a good start.
-
- Influencer
- Posts: 21
- Liked: 1 time
- Joined: May 24, 2017 1:37 pm
- Contact:
Re: Surebackup integration with SIEM
Sorry to drag this back up, but I was just asked about this feature myself due to audit requirements, but not with Sure Backups. We actually want to get the logs shipped off to our SIEM when a RESTORE event happens. I can see in the Windows event logs that event id 210 is registered showing that a restore session has been initiated, but this does not include the details that the history logs show in Enterprise Manager. I know that I can create an email to be sent when restores occur, but my manager wants this to be sent to the SIEM via event logs so it can be searched and recorded. I don't see any Windows event logs that show this kind of detail (or I'm just missing it). Does this event live somewhere other than the EM application event logs?
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Surebackup integration with SIEM
All our events are tracked via Windows Event log. Here is the documented list of what you can expect there. On top of that, while I understand that it is not what you're searching for, if you have Veeam ONE deployed, then this report might provide a bit more info on the restore operator activity.
-
- Influencer
- Posts: 21
- Liked: 1 time
- Joined: May 24, 2017 1:37 pm
- Contact:
Re: Surebackup integration with SIEM
Yes, we're going to have to use the report from Veeam One and have it emailed monthly to our Security Team. It just really would have been much easier to have the details of the restores in the event logs as these automatically get sent to the SIEM. Could we ask for a feature request to get the additional restore details added to the Windows event logs? Basically, the who, what, when, where details of the report?
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Surebackup integration with SIEM
Sure, you have just made this request via your post. Thanks!
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Surebackup integration with SIEM
theta12,
Quick googling shows that SIEM might support SNMP traps. If that's true, you can configure the SureBackup job to send an SNMP trap and catch it from the SIEM side.
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Jul 21, 2014 3:33 pm
- Full Name: Corey Ike
- Contact:
Re: Surebackup integration with SIEM
So, as a former Veeam Software Support Engineer turned Windows Server Admin turned Information Security Specialist... I am now suddenly VERY interested in how Veeam B&R could take its HTML reporting details and export them into a CSV or JSON format for our SIEM to digest. Any work on this? I contacted friends who are current Support employees but they're saying it's really not an ability. You get Windows Event Logging or you export that HTML report. You learn to parse that HTML or teach yourself the REST API. There's no real smooth way to get that HTML Reported data into a SIEM like Splunk or LogRhythm.
Thank you,
Corey Ike
Veeam Support
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Surebackup integration with SIEM
Hey Corey, sad to see you go but there were no changes since our last replies. Thanks!
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Jul 21, 2014 3:33 pm
- Full Name: Corey Ike
- Contact:
Re: Surebackup integration with SIEM
Well, I really appreciate the lightning-fast update. That means I will post it as a Feature Request. I know the drill!
Thank you!
Thank you,
Corey Ike
Veeam Support
-
- Veeam Software
- Posts: 1818
- Liked: 655 times
- Joined: Mar 02, 2012 1:40 pm
- Full Name: Timothy Dewin
- Contact:
Re: Surebackup integration with SIEM
Have you considered just PowerShell? Similar to this post376285.html#p376285 for a job, you can also extract a lot of info from the SureBackup session (although because it is using dotnet classes directly, it is not really supported or guaranteed to be stable).
For example ($sessions is commented out because it would give you all sessions related to the job):
Code:
# Load the Veeam PowerShell snap-in (asnp is the alias for Add-PSSnapin)
asnp veeampssnapin
$job = get-vsbjob -Name "SureBackup Job Webtest"
#$sessions = [Veeam.Backup.Core.SureBackup.CSbSession]::GetByJob($job.Id)
# Most recent session of this job only
$session = [Veeam.Backup.Core.SureBackup.CSbSession]::FindLastByJob($job.id)
# Timestamped log records of the session
$session.Logger.GetLog().updatedrecords | select updatetime,title
# Per-VM verification results
$session.GetTaskSessions() | select name,status,HeartbeatStatus,pingstatus,testscriptstatus,VirusScanStatus | ft
PowerShell does have a ConvertTo-Json tool. But then this thread should be moved to the PowerShell forum.
-
- Veeam Software
- Posts: 1818
- Liked: 655 times
- Joined: Mar 02, 2012 1:40 pm
- Full Name: Timothy Dewin
- Contact:
Re: Surebackup integration with SIEM
Seems that we even have supported cmdlets for this now so you can actually get this working pretty easily. This would create one JSON for all SureBackup jobs:
Code:
# Load the Veeam PowerShell snap-in (asnp is the alias for Add-PSSnapin)
asnp veeampssnapin
$vsbsessions = Get-VSBSession
$allresults = @()
foreach ($surebackupjob in (get-vsbjob)) {
    # Newest session first; @() keeps .count valid when only one session matches
    $allsessions = @($vsbsessions | ? {$_.jobid -eq $surebackupjob.Id } | Sort-Object -Descending -Property endtimeutc)
    if ($allsessions.count -gt 0) {
        $latestsession = $allsessions[0]
        # Per-VM verification results of the latest session
        $resultapps = $latestsession | Get-VSBTaskSession | select name,status,HeartbeatStatus,pingstatus,testscriptstatus,VirusScanStatus
        $allresults += New-Object -TypeName psobject -ArgumentList @{JobName=$latestsession.jobname;LastResult=$latestsession.Result;LastRun=$latestsession.CreationTimeUTC;AppResult=$resultapps}
    } else {
        write-host ("No sessions for {0}" -f $surebackupjob.name)
        # Use the job's own name: $latestsession is unset or left over from a previous job here
        $allresults += New-Object -TypeName psobject -ArgumentList @{JobName=$surebackupjob.name;LastResult="No Session Found";LastRun=(Get-Date -Date "01/01/1970 00:00:00")}
    }
}
# One JSON document covering all SureBackup jobs
$allresults | ConvertTo-Json -Depth 100 | Set-Content -Path C:\mypath\surebackup-report.json
Output should be something like this:
Code:
[
    {
        "AppResult": {
            "Name": "mysql",
            "Status": 4,
            "HeartbeatStatus": 3,
            "PingStatus": 3,
            "TestScriptStatus": 3,
            "VirusScanStatus": 6
        },
        "LastResult": 0,
        "LastRun": "\/Date(1587568260453)\/",
        "JobName": "Lab MySQL APP Group"
    },
    {
        "AppResult": [
            {
                "Name": "ad",
                "Status": 4,
                "HeartbeatStatus": 3,
                "PingStatus": 3,
                "TestScriptStatus": 3,
                "VirusScanStatus": 7
            },
            {
                "Name": "mysql",
                "Status": 4,
                "HeartbeatStatus": 3,
                "PingStatus": 3,
                "TestScriptStatus": 3,
                "VirusScanStatus": 6
            }
        ],
        "LastResult": 0,
        "LastRun": "\/Date(1587458056603)\/",
        "JobName": "SureBackup Job Webtest"
    }
]
One thing to notice is that the cmdlet does convert internal enums to ints, so here is the mapping for that for tasksessions:
Code:
PS C:\Users\Administrator> [System.Enum]::GetValues([Veeam.Backup.Model.CSbTaskSessionInfo+ETestResult]) | % { $_,$_.value__ }
Pending
0
InProgress
2
Success
3
Failed
4
Warning
5
NotRunning
6
Disabled
7
and for job session:
Code:
[System.Enum]::GetValues([Veeam.Backup.Model.CBaseSessionInfo+EResult]) | % { $_,$_.value__ }
Success
0
Warning
1
Failed
2
None
-1
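Added example, not part of the thread and not Veeam code: a Python sketch of the collector-side step that turns the report above into one flat, searchable event per tested VM, decoding the enum integers with the two mappings listed in the post and the `\/Date(ms)\/` timestamps into ISO 8601. The function and field names are this example's own; `Status` is passed through as a raw number because the thread does not say which enum it uses, and `AppResult` is accepted as either an object or an array since the posted output shows both.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Enum values copied from the two GetValues listings in the post above.
TEST_RESULT = {0: "Pending", 2: "InProgress", 3: "Success", 4: "Failed",
               5: "Warning", 6: "NotRunning", 7: "Disabled"}
JOB_RESULT = {0: "Success", 1: "Warning", 2: "Failed", -1: "None"}
TEST_FIELDS = ("HeartbeatStatus", "PingStatus", "TestScriptStatus", "VirusScanStatus")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

SAMPLE = r'''[
 {"AppResult": {"Name": "mysql", "Status": 4, "HeartbeatStatus": 3, "PingStatus": 3,
                "TestScriptStatus": 3, "VirusScanStatus": 6},
  "LastResult": 0, "LastRun": "\/Date(1587568260453)\/", "JobName": "Lab MySQL APP Group"},
 {"AppResult": [{"Name": "ad", "Status": 4, "HeartbeatStatus": 3, "PingStatus": 3,
                 "TestScriptStatus": 3, "VirusScanStatus": 7}],
  "LastResult": 0, "LastRun": "\/Date(1587458056603)\/", "JobName": "SureBackup Job Webtest"},
 {"LastResult": "No Session Found", "LastRun": "\/Date(0)\/", "JobName": "Constructed Job"}
]'''  # first two entries trimmed from the posted output; the third is constructed


def parse_ps_date(value):
    """Convert ConvertTo-Json's /Date(ms)/ form to ISO 8601 UTC, or None if not in that form."""
    m = re.fullmatch(r"/Date\((-?\d+)\)/", value) if isinstance(value, str) else None
    return (EPOCH + timedelta(milliseconds=int(m.group(1)))).isoformat() if m else None


def flatten_report(report_text):
    """Return one flat event per tested VM, or one per job that has no task results."""
    events = []
    for job in json.loads(report_text):
        result = job.get("LastResult")
        base = {"job_name": job.get("JobName"), "job_result": JOB_RESULT.get(result, str(result)),
                "last_run_utc": parse_ps_date(job.get("LastRun"))}
        apps = job.get("AppResult") or []
        if isinstance(apps, dict):  # one VM: PowerShell emitted an object, not an array
            apps = [apps]
        for app in apps:
            event = dict(base, vm_name=app.get("Name"),
                         task_status_raw=app.get("Status"))  # assumption: enum for Status unknown
            for field in TEST_FIELDS:
                code = app.get(field)
                event[field] = TEST_RESULT.get(code, f"Unknown({code})")
            events.append(event)
        if not apps:
            events.append(base)
    return events


if __name__ == "__main__":
    print("\n".join(json.dumps(e, sort_keys=True) for e in flatten_report(SAMPLE)))
```

Run as a script, it prints one JSON object per line, a form a file-based log collector can tail.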