Showing results for 
Search instead for 
Did you mean: 

Take Full Advantage of NetBackup and Syslog Forwarding - SIEM and SOAR

Level 3


According to a survey conducted by Splunk, as many as 67% of organizations are investing in both SIEM (Security information and event management) and as much as 88% are investing in SOAR (Security Orchestration Automation & Response) platforms, sometimes also including XDR (eXternal Detection and Response) platforms, many of which are cloud-based.  NetBackup can integrate with these tools in a simple universal method.  NetBackup audit messages include sever new audit categories and are consistently formatted to be consumed by 3rd party tools using APIs, CLIs or being captured from operating system messages logs.  This audit capturing mechanism aligns with the Executive Orders (EOs) guidance on Event Logging (EL), enabling a reliable method of compliance.

Ensure that you have selected to export the audit messages to the system logs.  This is easily enabled under the Security > Security Events area of the NetBackup WebUI (see figure 1).  By default, this feature is not enabled, and once enabled, there are no default messages until the next audit event. 


Figure 1: Enabling audit events exported to the system log of the primary server

NetBackup can always manually export the audit events using the nbauditreport command on the Primary server, but leveraging the export allows for automation.  NetBackup audit messages are categorized (see Figure 2).  The audit messages that are exported can further be customized by category, opening up a wide array of possibilities for integrations with both SIEM and SOAR platforms with different triggers for each category, as well as removing categories that you do not wish to export.  The primary consumer of this data would normally be a SIEM platform, in order to perform analytics, generate alerts and often provide further analysis in the form of reports.  SOAR actions can follow triggers from the SIEM platform, or trigger directly from certain event patterns, in some cases, according to your level of customization in the SIEM and SOAR platforms.

Below is the complete list of NetBackup audit event categories, with their readable name next to the category tag in parentheses. Several new categories have been added to NetBackup auditing. 


Alert (ALERT)

Config (CONFIG)

Malware impacted (MALWARE_IMPACTED)

Anomaly (ANOMALY)

Connection (CONNECTION)

Malware Scan Status (MALWARE_SCAN_STATUS)

Anomaly New (ANOMALY_NEW)

Credential (CREDENTIALS)

Malware Scan Trigger (MALWARE_SCAN_TRIGGER)

Asset (ASSET)

Credential Schema (CREDENTIAL_SCHEMA)

Policy (POLICY)

Audit configuration (AUDITCFG)

Data access (DATAACCESS)

Pool (POOL)

Audit database (AUDITDB)

Discovery (DISCOVERY)


Audit service (AUDITSVC)

Event log (EVENT_LOG)

Retention Level (RETENTION_LEVEL)

Authorization failure (AZFAILURE)

Hold (HOLD)

Security configuration (SEC_CONFIG)

Paused clients (PAUSED_CLIENTS)

Host (HOST)

Storage Lifecycle Policy (SLP)

Bare Metal Restore (BMR)

Intelligent group (ASSETGROUP)

Storage server (STORAGESRV)

Bp.conf (BPCONF)

Job (JOB)

Storage units (STU)

Catalog (CATALOG)

Licensing (LICENSING)

Token (TOKEN)

Certificate (CERT)

Login (LOGIN)

User (USER)

Figure 2: A list of all audit categories available for export customization for NetBackup 10.1


Observe an example from the ANOMALY_NEW message in the Linux system log in Figure 3:

{Month} ## HH:MM:SS {host name} nbaudit: DESCRIPTION: Anomaly detected on client ‘{client name}’ with job ID ‘#’, backup ID ‘{backupid}’ and severity ‘LOW’. | USER: nb-service-user@host | CATEGORY: ANOMALY_NEW | ACTION: CREATE | REASON:   | DETAILS: 0 attribute(s)

Figure 3: An example audit message in the Linux system log


For Windows platforms, the messages will be in the Application Event Viewer in Figure 4:


Figure 4: An example audit message in the Windows Event Viewer


The category is aligned with one of the selectable areas to export to the system logs, allowing flexible deployment to focus on the most important areas.  Different categories will have varying levels of information, especially in the Details section, but the formatting will be consistent with sections delimited by the “|” (pipe) character and always originate from the nbaudit (NetBackup Audit Manager) process.   With these messages, SIEM platforms can collect, categorize, trigger and alert according to your organizations needs and business processes.   Actions taken to change the protection status of a NetBackup client are also audited.



Figure 5: Protection Status webUI Dashboard widget

Within NetBackup, there is now Protection Status (see Figure 5) for a NetBackup client.   When malware scan reports infected files, NetBackup offers an automated method to intercept and pause certain data protection activities for specific clients - these include future backups, duplications, or replications and expiration of backups. This helps prevent the spread of malware within the backup environment.  A NetBackup client’s Protection Status can also be manually paused (see figure 6).


Figure 6: Protection Status options in the NetBackup WebUI



SIEM, SOAR and XDR platforms are popular tools for combating unwanted trends and unsanctioned actions in IT ecosystems.  NetBackup Audit messages can now be custom filtered and consumed by SIEM platforms by scanning the system log of the primary server, and digesting that information to provide reports, insights, and alerts.  Automated response integration within NetBackup can automatically pause clients to stop any spread of undesired data, and SOAR integrations allow further customized actions based on triggers in the various categories of messages.   NetBackup adds more capability to your ransomware response plans with insight and control with audit messaging.




Christopher Winter
Veritas NetBackup