
Cohesity DataProtect

About

Cohesity DataProtect is a high-performance, software-defined backup and recovery solution designed for the cloud era. Designed for hyperscale, it offers the most comprehensive policy-based protection for both traditional and modern data sources. DataProtect converges multiple point products into a single software platform that can be deployed on-premises or consumed as a service.

Product Details

Vendor URL: Cohesity DataProtect

Product Type: Backup

Product Tier: Tier III

Integration Method: Syslog

Integration URL: Cohesity DataProtect

Log Guide: N/A

Parser Details

Log Format: Syslog

Expected Normalization Rate: 80-90%

Data Label: COHESITY

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| action, desc | security_result.description |
| additional.COMMAND, command, process | target.process.command_line |
| additional.dest_process_id, pid, _ResourceId, instance_id, json_data.resource.labels.instance_id | target.process.pid |
| additional.dest.dvchost, dvc, Hostname, relayHostname | intermediary.hostname |
| additional.duser, target.user.userid, username | target.user.userid |
| additional.file_name, additional.TTY | target.process.file.full_path |
| additional.PWD, process, ProcessName | principal.process.file.full_path |
| command | principal.process.command_line |
| dstPort, targetPort | target.port |
| dvc, Hostname, relayIp | intermediary.ip |
| dvc, targetHostname | target.hostname |
| dvc, targetIp | target.ip |
| filepath, pwd | target.file.full_path |
| json_data.labels.compute.googleapis.com/resource_name | target.resource.name |
| json_data.resource.labels.project_id | target.asset.attribute.cloud.project.id |
| json_data.resource.labels.zone | target.asset.attribute.cloud.availability_zone |
| metadata.description, action, SyslogMessage | metadata.description |
| metadata.product_name, eventType, ProcessName, op | metadata.product_event_type |
| outcome, hasing_algo, proto, reason | security_result.summary |
| principal.hostname, dvc, srcHostName, Computer, source | principal.hostname |
| principal.ip, dvc, srcIp, HostIP | principal.ip |
| principal.port, srcPort | principal.port |
| principal.user.userid, userId, username | principal.user.userid |
| process | target.application |
| processId | principal.process.pid |
| protocol | network.ip_protocol |
| received_bytes | network.received_bytes |
| security_result.action | security_result.action |
| security_result.severity, log_level, SeverityLevel | security_result.severity |
| sent_bytes | network.sent_bytes |
| sessionId | network.session_id |
| targetEmail | network.email.to |

Product Event Types

| Event | UDM Event Classification |
|---|---|
| all other events | GENERIC_EVENT |
| CRYPTO_SESSION, sftp-server, Connection | NETWORK_CONNECTION |
| LOGIN, USER_AUTH, USER_LOGIN, Authentication failed, Started, Starting, opened | USER_LOGIN |
| SERVICE_START | RESOURCE_CREATION, SERVICE_START |
| SERVICE_STOP | RESOURCE_DELETION, SERVICE_STOP |
| smtpd | NETWORK_CONNECTION, NETWORK_SMTP |
| systemd-logind | USER_UNCATEGORIZED |
| USER_ACCT, Starting Session | USER_UNCATEGORIZED |
| USER_LOGOUT, session closed | USER_LOGOUT |

Log Sample

<14>Sep 29 00:10:23 node dataprotection_events: {"EventMessage" : "Finishing backup task", "Timestamp" : "2021-09-29T07:10:23.288Z", "ClusterInfo" : {"ClusterId" : "clusterid", "ClusterName" : "clustername"}, "EventType" : "kBackup", "EnvironmentType" : "kView", "RegisteredSource" : {"EntityType" : "kView", "EntityId" : "entityid", "EntityName" : "DefaultStorageDomain"}, "BackupJobName" : "SQL_Backups", "BackupJobId" : "19", "Entities" : [{"EntityType" : "kView", "EntityId" : "entityid", "EntityName" : "sql_backups"}], "TaskId" : "163642", "AttributeMap" : {}}

Sample Parsing

metadata.event_timestamp = "2021-09-29T00:10:23Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_name = "Unix OS"
metadata.product_event_type = "dataprotection_events"
metadata.ingested_timestamp = "2021-09-29T07:11:22.975382Z"
principal.platform = "LINUX"
intermediary.hostname = "node"
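As an added illustration (not Cohesity's or the SIEM's own parser), this Python sketch splits a line in the shape of the Log Sample above into its syslog header and JSON payload, produces the fields shown under Sample Parsing, and applies the Product Event Types lookup. The year and the UTC interpretation of the zone-less header are assumptions, matching the sample's 00:10:23Z timestamp; the sample line is a constructed, shortened copy of the one above.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample, same shape as the page's Log Sample (syslog header + JSON payload).
SAMPLE = ('<14>Sep 29 00:10:23 node dataprotection_events: {"EventMessage" : "Finishing backup task", '
          '"Timestamp" : "2021-09-29T07:10:23.288Z", "EventType" : "kBackup", '
          '"BackupJobName" : "SQL_Backups", "BackupJobId" : "19", "TaskId" : "163642"}')

# RFC 3164-style header: <PRI>Mon DD HH:MM:SS host tag: body
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) '
    r'(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$')

# Product Event Types table, most specific needle first; anything else is GENERIC_EVENT.
EVENT_TYPES = [
    ("Starting Session", "USER_UNCATEGORIZED"), ("USER_ACCT", "USER_UNCATEGORIZED"),
    ("systemd-logind", "USER_UNCATEGORIZED"),
    ("session closed", "USER_LOGOUT"), ("USER_LOGOUT", "USER_LOGOUT"),
    ("Authentication failed", "USER_LOGIN"), ("USER_LOGIN", "USER_LOGIN"),
    ("USER_AUTH", "USER_LOGIN"), ("LOGIN", "USER_LOGIN"), ("Started", "USER_LOGIN"),
    ("Starting", "USER_LOGIN"), ("opened", "USER_LOGIN"),
    ("smtpd", "NETWORK_CONNECTION,NETWORK_SMTP"),
    ("CRYPTO_SESSION", "NETWORK_CONNECTION"), ("sftp-server", "NETWORK_CONNECTION"),
    ("Connection", "NETWORK_CONNECTION"),
    ("SERVICE_START", "RESOURCE_CREATION,SERVICE_START"),
    ("SERVICE_STOP", "RESOURCE_DELETION,SERVICE_STOP"),
]

def classify(tag, body):
    """Map syslog tag/message text to the UDM classification from the table above."""
    text = f"{tag} {body}"
    for needle, udm_type in EVENT_TYPES:
        if needle in text:
            return udm_type
    return "GENERIC_EVENT"

def parse_cohesity_syslog(line, year=2021):
    """Return the UDM-style fields shown under Sample Parsing, or None if not syslog."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    # Assumption: the header has no year or zone; treat it as UTC in the given year.
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    try:
        payload = json.loads(m["body"])  # JSON body kept for further field extraction
    except json.JSONDecodeError:
        payload = {}
    return {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": classify(m["tag"], m["body"]),
        "metadata.product_event_type": m["tag"],
        "intermediary.hostname": m["host"],
        "syslog_facility": pri >> 3, "syslog_severity": pri & 7,  # <14> = user.info
        "payload": payload,
    }
```

Note that the header time (00:10:23) and the payload's own Timestamp (07:10:23Z) disagree by seven hours; a normalizer that trusts the header inherits whatever local time the sending node used.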

Parser Alerting

This product currently does not have any Parser-based Alerting.

Rules

Coming Soon