Since data protection has merged with cyber security, it’s critical to know how to configure NetBackup to send its events to the syslog. This is done with the WebUI and CLI procedures below. These procedures have been used and tested at customer sites by our Sales Engineering staff.
Once added to the system logs (syslog), these events become part of the security records of the server operating system records. They are then available for forwarding to other systems, security analysis/reporting, and troubleshooting.
WebUI Procedures
- In the Security events window, click on the “Security events settings” in the top right of the window.
![John_Grovender_0-1715634715427.png John_Grovender_0-1715634715427.png](https://vox.veritas.com/t5/image/serverpage/image-id/15219iDB495347CE5DDAD0/image-dimensions/833x404?v=v2)
- The security events settings window appears. Mark the checkbox for “Send the audit events to the system logs” and then click on the box “Select audit event categories.”
![John_Grovender_1-1715634715430.png John_Grovender_1-1715634715430.png](https://vox.veritas.com/t5/image/serverpage/image-id/15217i8ED481D75AC37105/image-dimensions/830x411?v=v2)
- Select the categories of events desired and click “Save”.
![John_Grovender_2-1715634715433.png John_Grovender_2-1715634715433.png](https://vox.veritas.com/t5/image/serverpage/image-id/15218i03CE1F96120F3297/image-dimensions/609x515?v=v2)
- This updates the bp.conf file with the SYSLOG_AUDIT_CATEGORIES parameter.
CLI Procedures
Add the following line to the primary server bp.conf file. This activates the event forwarding feature:
SYSLOG_AUDIT_CATEGORIES = [categories]
![John_Grovender_3-1715634715435.png John_Grovender_3-1715634715435.png](https://vox.veritas.com/t5/image/serverpage/image-id/15220i6E25F1F8D932A6E0/image-dimensions/547x399?v=v2)
The categories that you select will depend on what you want to be logged. For login and backup policy events, the minimum categories selected will be LOGIN, and POLICY. When selecting more than one category, there needs to be a comma between each category. For example:
SYSLOG_AUDIT_CATEGORIES = LOGIN, POLICY
Here is a list of all categories:
- ALL – All of the below categories are selected
- ALERT - Alert
- ANOMALY - Anomaly
- ANOMALY_EXTENSIONS – Anomaly extensions
- ANOMALY_EXTENSIONS_DETAILS – Anomaly extensions details
- ANOMALY_NEW – Anomaly new
- ANOMALY_RULES_RESULTS – Anomaly rules results
- JOB_STATUS – Job status
- ASSET - Asset
- AUDITCFG – Audit Configuration
- AUDITDB – Audit database
- AUDIT_LOG_FORWARD – Audit log forward
- AUDITSVC – Audit service
- AZFAILURE – Authorization failure
- PAUSED_CLIENTS – Paused Clients
- BMR – Bare Metal Restore
- BPCONF – bp.conf
- CATALOG – Catalog
- CERT – Certificate
- CONFIG – Config
- CONNECTION – Connection
- CREDENTIALS – Credentials
- CREDENTIAL_SCHEMA – Credential schema
- DATAACCESS – Data Access
- DISCOVERY – Discovery
- EVENT_AUDIT – Event audit
- EVENT_LOG – Event log
- ECMS – External CMS Server
- HOLD – Hold
- HOST – Host
- ASSETGROUP – Intelligent group
- IRE – Isolated Recovery Environment
- JOB – Job
- LICENSING – Licensing
- LOGIN – Login
- MALWARE_IMPACTED – Malware Impacted
- MALWARE_SCAN – Malware Scan – NBU v10.4
- MALWARE_SCAN_CONFIGURATION – Malware Scan Configuration - NBU v10.4
- MALWARE_SCAN_STATUS – Malware Scan Status
- MALWARE_SCAN_TRIGGER - Malware Scan Trigger
- POLICY – Policy
- POOL – Pool
- PROTECTION_PLAN_SVC – Protection plan
- RETENTION_LEVEL – Retention Level
- SEC_CONFIG – Security configuration
- SLP – Storage lifecycle policy
- STORAGESRV – Storage server
- STU – Storage unit
- TICKET – Ticket
- TOKEN – Token
- USER – User
Here is an example of how NetBackup events will appear in the operating system logs after performing the procedures above:
![John_Grovender_4-1715634715440.png John_Grovender_4-1715634715440.png](https://vox.veritas.com/t5/image/serverpage/image-id/15221iDF45EC747F2B8C93/image-dimensions/835x122?v=v2)