
Protect backup image from manual delete from nbu and catalog

kkhoo
Level 5

Hi,

Need your expert advice. In our office, almost all in the team have FULL access in NBU. My concern is if someone wrongly deletes a backup image (under Catalog). Is there a way to prevent this? How to monitor who did what in NBU? Please advise, thanks.

Accepted Solutions

With creating admin dir, I don't need to enable auditing, right?

Yes, no need to enable Enhanced Auditing.

According to our Veritas consultant, enabling audit trail requires big disk space and NBU audit affects system performance?

Space consumption will not increase drastically (you may not even notice it) as audit information is stored in NBDB tables and not in flat files. There is no impact on system performance as only user activity is audited and not the background processes. There will be no performance impact on backup, restore and other jobs; however, users (NetBackup admins) may complain of slow response in the NetBackup administration console.

I have seen login issues, other user-specific issues and some other problems with Enhanced Auditing. I cannot comment if you may or may not face those issues in your environment. Looking at your requirement I would suggest it's worth a try; if you don't like it you can always disable it. It is not scary like NBAC, which can potentially break your environment.

To disable Enhanced Auditing, run "bpnbaz -DisableExAudit" command.

https://www.veritas.com/support/en_US/doc/21733320-127424841-0/v109984188-127424841

Enabling Enhanced Auditing.

https://www.veritas.com/content/support/en_US/doc/21733320-127424841-0/v106286614-127424841

 


Anshu_Pathak
Level 5

Currently there is no such feature in NetBackup to track/block image expiration for a user. When a backup image is expired from the NetBackup console (catalog) it executes the "bpexpdate" command in the backend, and this command gets logged in the "<install_path>\netbackup\logs\admin" logs. You can enable this log and create a script to check for "bpexpdate".

NetBackup does monitor other user activity (mainly related to policies and SLP), you can use "nbauditreport" command to track them.

https://www.veritas.com/support/en_US/doc/15263389-127350397-0/v38711607-127350397

 

 

mph999
Level 6
Employee Accredited

You can track what users do if using nbac.

nbac can also restrict what actions a user, or group of users are allowed to carry out.

https://www.veritas.com/content/support/en_US/doc/21733320-127424841-0/v21733659-127424841

Anshu_Pathak
Level 5

Problem with NBAC is you will get all or nothing permission. So user will not be able to expire any image or can expire all images. Another issue is it does not update NetBackup audit table, so you will not be able to find who expired what. Another good to know thing about NBAC is, soon it will be obsolete.

Closest solution would be to enable "Enhanced Auditing". Please note NBAC and Enhanced Auditing are mutually exclusive features.

With Enhanced Auditing you would be able to track who expired images.

https://www.veritas.com/support/en_US/doc/21733320-127424841-0/v101261421-127424841

Catalogs

bpexpdate, bpcatlist, bpimmedia, bpimagelist, bpverify, and nbdeployutil

hi,

thanks for your reply. is admin a directory or file?

please advise, thanks.

 

It's a directory. It uses legacy logging method, so if folder is not present you have to create it.

C:\Program Files\Veritas\NetBackup\logs\admin>dir
Directory of C:\Program Files\Veritas\NetBackup\logs\admin
07/27/2018 08:03 AM 1,779,887 ALL_ADMINS.072718_00001.log
07/29/2018 11:51 PM 761,479 ALL_ADMINS.072918_00001.log
07/30/2018 10:50 PM 1,549,178 ALL_ADMINS.073018_00001.log

# cd /usr/openv/netbackup/logs/admin
# ls -al
-rw-r--r-- 1 root root 0 Jul 30 23:02 root.073018_00001.log

Hi all,

Thanks for your reply. Please advise if the statement from Veritas consultant is correct?

"Audit trail is disabled due to it requires huge disk space and NBU performance issue."

Is this right?

@Anshu_Pathak, thanks.

With creating admin dir, I don't need to enable auditing, right?

According to our Veritas consultant, enabling audit trail requires big disk space and NBU audit affects system performance?

Is the statement correct?

thanks!


 

@Anshu_Pathak, hello again.

Is the admin log size huge?

What can I see in these logs?

If VERBOSE is set to 0 then it will not be huge and you will see the required lines in it.

Example 1: Expired backup image from GUI

admin log snippet.

05:15:05.182 [7468.9264] <2> bpexpdate: INITIATING: NetBackup 8.1.1 created: 2018020320
05:15:05.182 [7468.9264] <2> logparams: -Bidfile C:\Program Files\Veritas\NetBackup\Logs\user_ops\NBMASTER\user1\logs\jbpF4AA.tmp -force -d 0 -M nbmaster -notimmediate

Example 2: Expired using commandline.

admin log snippet.

05:18:47.777 [3580.11020] <2> bpexpdate: INITIATING: NetBackup 8.1.1 created: 2018020320
05:18:47.777 [3580.11020] <2> logparams: -backupid nbclient_1533026925 -d 0
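
One way to write the script suggested earlier in the thread: pair each "bpexpdate: INITIATING" line in the admin log with the logparams line from the same [pid.tid]. This is an added example, not code from the posters or from Veritas; the function and field names are hypothetical, and reading the console user from the user_ops path is an assumption based on the sample line above.

```python
import re

# Constructed sample: the four admin-log lines quoted in this thread plus two
# constructed lines for an unrelated command, which must be ignored.
SAMPLE = r"""05:15:05.182 [7468.9264] <2> bpexpdate: INITIATING: NetBackup 8.1.1 created: 2018020320
05:15:05.182 [7468.9264] <2> logparams: -Bidfile C:\Program Files\Veritas\NetBackup\Logs\user_ops\NBMASTER\user1\logs\jbpF4AA.tmp -force -d 0 -M nbmaster -notimmediate
05:17:10.001 [1111.2222] <2> bpimagelist: INITIATING: NetBackup 8.1.1 created: 2018020320
05:17:10.001 [1111.2222] <2> logparams: -U
05:18:47.777 [3580.11020] <2> bpexpdate: INITIATING: NetBackup 8.1.1 created: 2018020320
05:18:47.777 [3580.11020] <2> logparams: -backupid nbclient_1533026925 -d 0
""".splitlines()

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \[(\d+)\.(\d+)\] <\d+> (\w+): (.*)$")
# The Bidfile path may contain spaces, so read up to the next " -option".
BIDFILE = re.compile(r"-Bidfile (.+?)(?= -[A-Za-z]|$)")
# Assumption: ...\user_ops\<host>\<user>\logs\... names the console user.
GUI_USER = re.compile(r"user_ops[\\/]([^\\/]+)[\\/]([^\\/]+)[\\/]logs", re.I)

def find_expirations(lines):
    """Return one record per bpexpdate invocation found in admin-log lines."""
    pending, events = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, pid, tid, tag, rest = m.groups()
        key = (pid, tid)
        if tag == "bpexpdate" and rest.startswith("INITIATING"):
            pending[key] = ts  # wait for this process's logparams line
        elif tag == "logparams" and key in pending:
            ev = {"time": pending.pop(key), "pid": int(pid), "args": rest,
                  "backupid": None, "bidfile": None, "gui_user": None}
            bid = re.search(r"-backupid (\S+)", rest)
            if bid:
                ev["backupid"] = bid.group(1)
            bf = BIDFILE.search(rest)
            if bf:
                ev["bidfile"] = bf.group(1)
                user = GUI_USER.search(bf.group(1))
                if user:
                    ev["gui_user"] = user.group(2)
            d = re.search(r"(?:^| )-d (\S+)", rest)
            ev["expire_now"] = bool(d) and d.group(1) == "0"  # -d 0 as in both samples
            events.append(ev)
    return events

if __name__ == "__main__":
    for ev in find_expirations(SAMPLE):
        print(ev)
```

A command-line expiration carries no user_ops path, so gui_user stays empty for it; in the UNIX listing above the log file name itself starts with the user name (root).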