How to Enable Security Events to be Sent to the System Logs Using the WebUI and CLI
Since data protection has merged with cyber security, it’s critical to know how to configure NetBackup to send its events to the syslog. This is done with the WebUI and CLI procedures below. These procedures have been used and tested at customer sites by our Sales Engineering staff.
Once added to the system logs (syslog), these events become part of the security records of the server operating system records. They are then available for forwarding to other systems, security analysis/reporting, and troubleshooting.
WebUI Procedures
- In the Security events window, click on the “Security events settings” in the top right of the window.
- The security events settings window appears. Mark the checkbox for “Send the audit events to the system logs” and then click on the box “Select audit event categories.”
- Select the categories of events desired and click “Save”.
- This updates the bp.conf file with the SYSLOG_AUDIT_CATEGORIES parameter.
CLI Procedures
Add the following line to the primary server bp.conf file. This activates the event forwarding feature:
SYSLOG_AUDIT_CATEGORIES = [categories]
The categories that you select will depend on what you want to be logged. For login and backup policy events, the minimum categories selected will be LOGIN, and POLICY. When selecting more than one category, there needs to be a comma between each category. For example:
SYSLOG_AUDIT_CATEGORIES = LOGIN, POLICY
Here is a list of all categories:
- ALL – All of the below categories are selected
- ALERT - Alert
- ANOMALY - Anomaly
- ANOMALY_EXTENSIONS – Anomaly extensions
- ANOMALY_EXTENSIONS_DETAILS – Anomaly extensions details
- ANOMALY_NEW – Anomaly new
- ANOMALY_RULES_RESULTS – Anomaly rules results
- JOB_STATUS – Job status
- ASSET - Asset
- AUDITCFG – Audit Configuration
- AUDITDB – Audit database
- AUDIT_LOG_FORWARD – Audit log forward
- AUDITSVC – Audit service
- AZFAILURE – Authorization failure
- PAUSED_CLIENTS – Paused Clients
- BMR – Bare Metal Restore
- BPCONF – bp.conf
- CATALOG – Catalog
- CERT – Certificate
- CONFIG – Config
- CONNECTION – Connection
- CREDENTIALS – Credentials
- CREDENTIAL_SCHEMA – Credential schema
- DATAACCESS – Data Access
- DISCOVERY – Discovery
- EVENT_AUDIT – Event audit
- EVENT_LOG – Event log
- ECMS – External CMS Server
- HOLD – Hold
- HOST – Host
- ASSETGROUP – Intelligent group
- IRE – Isolated Recovery Environment
- JOB – Job
- LICENSING – Licensing
- LOGIN – Login
- MALWARE_IMPACTED – Malware Impacted
- MALWARE_SCAN – Malware Scan – NBU v10.4
- MALWARE_SCAN_CONFIGURATION – Malware Scan Configuration - NBU v10.4
- MALWARE_SCAN_STATUS – Malware Scan Status
- MALWARE_SCAN_TRIGGER - Malware Scan Trigger
- POLICY – Policy
- POOL – Pool
- PROTECTION_PLAN_SVC – Protection plan
- RETENTION_LEVEL – Retention Level
- SEC_CONFIG – Security configuration
- SLP – Storage lifecycle policy
- STORAGESRV – Storage server
- STU – Storage unit
- TICKET – Ticket
- TOKEN – Token
- USER – User
Here is an example of how NetBackup events will appear in the operating system logs after performing the procedures above:
