
copying audit logs off appliance

spitman1
Level 3

I'm running a 5240 master/media appliance with 3.2. We use vRealize Log Insight. I was reading that Splunk and an HP product are the only two log destinations that the appliance will auto-send logs to; is that correct? What is the best way to get security audit logs into vRealize? And if the answer is to download them from the web interface, would you be able to point me to the directions, either in the manuals or on a page, to do this? Thanks in advance.

5 REPLIES 5

jnardello
Moderator
   VIP    Certified
"NetBackup appliances use the Rsyslog client to forward logs. In addition to HP ArcSight and Splunk, other log management servers that support the Rsyslog client can also be used to receive syslogs from the appliance. Refer to the log management server documentation to verify Rsyslog client support." ... "NetBackup appliance currently supports only TLS Anonymous Authentication for log forwarding"

So, does your log manager support the rsyslog client & TLS Anonymous Authentication? That aside, have you tried it? Unsupported does not always mean it won't work after all, it just means they didn't test it out and/or are willing to put support hours into it. See also legacy NBU versions still continuing to work years after EOL. =)

Being a custom RHEL server basically, at the OS level you may have alternatives you can use to set up log forwarding by following whatever the RHEL recommendations are from your existing log server vendor.

May I ask which manual you found that quote from? I haven't come across it yet, and I'd like to read its surrounding info. Thanks!

Have you also reviewed what is available via API calls? The documentation is available at
https://<master-server>/api-docs/index.html (in particular look at the security section which contains access to the audit logs - at least in 8.3 it does).

Not sure if it will help, nor whether the events available are what you are after, but may be another 

Also, contrary to what @jnardello was suggesting, you shouldn't be making changes/additions to the underlying OS on the appliance - it will take your appliance out of support - especially installing additional unsupported software. Yes, it can be done, but it shouldn't.

jnardello
Moderator
   VIP    Certified
I was thinking along the lines of setting up syslog forwarding or a cron job to scp a log file off the appliance to a different server, nothing as impactful as installing new software. =)