Plug-In Lets NetBackup and ALTA Events be Used by 3rd Party Security Platforms Starting with Splunk
NetBackup 10.5 has a feature that enables third party SIEM security platforms to retrieve Veritas NetBackup and audit logs. The audit logs can be visualized or added to reporting with a choice of the latest Open Cybersecurity Schema Framework (OCSF) schema or the native NetBackup log format. NBU records the last audit event successfully transmitted so that future message transmissions pick up where the previous transmissions left off.

Splunk is our first key partner to access this feature. Their NetBackup plugin is published in the Splunk marketplace (Splunkbase). Audit logs can be retrieved from multiple hosts across the enterprise and centralized within a single Splunk index.

Installation

It’s really easy to take advantage of this feature. So easy, there’s no reason not to use it. As proof, here are the general steps for adding and configuring the Splunk plugin:

1. Install the “Veritas Dataprotection Add-on” from Splunkbase into Splunk Enterprise. The Veritas Dataprotection Add-on is then visible in the Splunk Enterprise interface.
2. Open the plugin in Splunk Enterprise and click “Create New Input” in the top right of the Splunk window. In this example, assume the NetBackup Events option is selected. The Add NetBackup Events window opens.
3. Use an existing NetBackup server API key or easily create a new one on the NetBackup primary server: click “+Add”, then provide a username and a “valid until” date. Click “Add” to complete the key. Be sure to copy the API key to your secure records for future reference.
4. Finish providing the existing or specially created API key along with the other required details and select the message format. Message formats have three categories:
   – Native: messages are in the NetBackup native audit format
   – OCSF: the same NetBackup audit messages, but in OCSF format
   – Notifications: messages are standard NetBackup notifications
5. In the Add NetBackup Events window, click “Add.”

Messages are now transferred, and events from the hostname will be visible in the index you named in the window. It’s just that easy.

Splunk Logging for Veritas Products/Connections

Let your Security and Splunk administrators know that Splunk creates and stores logs of its communications with NetBackup products in the following locations. This proves to them the connection is working and reliable for their reporting:

Log                       Location on Splunk Server
NetBackup Event logs      $SPLUNK_HOME/var/log/splunk
Veritas Alta view logs    $SPLUNK_HOME/var/log/splunk

Splunk customers should upgrade to 10.5 as soon as they can to access this feature. Get better reporting and visibility of NetBackup events working quietly in the background before a critical issue arises and you find out about it too late.