veeam logs and support?

[Kazz]

Hi,

Starting next year, our company policy regarding file transfer services will change. Services like Dropbox, Google Drive, OneDrive, AWS S3, and others will be blocked, with no exceptions.

What does this mean for Veeam support? Will we need to manually select files from the log bundle and share them via email, or will support refuse to assist unless we provide the entire log bundle?

Thank you!

[Gostev]

Hi, our Customer Support is not a part of R&D so this will not be an authoritative answer.

However I don't expect efficient and fast support will be possible without providing the entire log bundle as initial log analysis is fully automated. Honestly it's hard to say how support process will even look like without this first essential step and with individual log files provided one by one on request... each support issue will likely be taking forever to resolve.

But I'm talking technical issues requiring troubleshooting of course, not basic questions about product.

Thanks

[Kazz]

Are there any plans to improve the whole process of log access for Veeam technical support? It's currently at the stone age where we have to manually collect then upload.

Having log analysis automated on your side does not help us, we are wasting at least 10 min every time we need to get a hold of support.

Thanks

[Gostev]

What improvements do you suggest?

Manual log collection is already not required, there's a wizard that collects all required logs automatically for affected jobs and/or backup infrastructure components you select.

[Kazz]

What am I missing?

I still have to open veeam console and navigate to collect logs menu item, then wait 5 min or more (depending on the number of days i am including), once zip file is ready i have to log in to veeam.com and manually upload the zip file to your aws s3 bucket.

What part is automated besides gathering and zipping?

[Kazz]

why can't Veeam write another service that would be running on Veeam BR in a suspended state?
If support needs to access logs we simply start the service and let Veeam support look at our logs on our servers via a tunnel established by the service.
I am sure the development of this is way less than what Veeam spends with Aws to maintain s3 buckets for our logs

[micoolpaul]

Hi @Kazz, a few open questions on how would you foresee this working.

A service that is tunnelling to the internet is a security backdoor, which seems unlikely to be wanted by any security teams.
And as for the logs themselves, if we were to stream these logs via the service, we’d then need to prevent the logs from rotating whilst investigating a problem. To prevent this, we’d need to take a copy and store them somewhere, which is a problem we’ve already solved by you zipping up a copy of your logs and uploading to Veeam Support.

I’m not saying this to discredit the idea, but with these factors considered, how would you see this as an improvement?

If access to cloud storage is blocked by company policy as per OP, would it not make more sense to either have DMZ devices that can have Internet access once the logs have been copied to them, or even just firewall rules that permit the specific FQDN’s we’d use, but the rule in a disabled state, so that security could track when the outgoing traffic was being permitted and for what duration.

[Kazz]

Permissions can be set on the account running the service to have read-only access to all veeam log directories
Veeam support can look at the logs live when customer enables the tunnel. How is it a security backdoor if we aren't opening any ports? Veeam service would establish and maintain a session with your infrastructure so support can look at the logs at their convenience. You already have logic to call home for Veeam usage reporting and licensing.

Our security is perfectly fine with call home being enabled, and letting vetted vendors connect to their respective applications

[FrancWest]

What improvements do you suggest?

Just an idea: would it be possible for the log collection wizard, after asking for the case id, to upload the logs automatically after collection? This way we don’t have to do it manually using the support site.

[Gostev]

Yes, however this does not solve OP's problem because AWS S3 access is getting blocked off completely.

[Gostev]

Veeam support can look at the logs live when customer enables the tunnel. How is it a security backdoor if we aren't opening any ports? Veeam service would establish and maintain a session with your infrastructure so support can look at the logs at their convenience.

I doubt any half-decent security team will agree with you on this one.

[Kazz]

Yes, however this does not solve OP's problem because AWS S3 access is getting blocked off completely.

Support has shared this link, now we just need to convince our secuity to allow SFTP to Veeam's Columbus OH servers
https://www.veeam.com/processing_of_sen ... ort_ds.pdf

Event if we get a green light on sftp, the whole process of collecting and uploading is still archaic and needs to be revamped