Cohesity DataProtect¶
About¶
Cohesity DataProtect is a high-performance, software-defined backup and recovery solution designed for the cloud era. Designed for hyperscale, it offers the most comprehensive policy-based protection for both traditional and modern data sources. DataProtect converges multiple-point products into a single software that can be deployed as on-premises or consumed as a service.
Product Details¶
Vendor URL: Cohesity DataProtect
Product Type: Backup
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Cohesity DataProtect
Log Guide: N/A
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 80-90%
Data Label: COHESITY
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
action,desc | security_result.description |
additional.COMMAND,command,process | target.process.command_line |
additional.dest_process_id,pid,_ResourceId,instance_id,json_data.resource.labels.instance_id | target.process.pid |
additional.dest.dvchost,dvc,Hostname,relayHostname | intermediary.hostname |
additional.duser,target.user.userid,username | target.user.userid |
additional.file_name,additional.TTY | target.process.file.full_path |
additional.PWD,process,ProcessName | principal.process.file.full_path |
command | principal.process.command_line |
dstPort,targetPort | target.port |
dvc,Hostname,relayIp | intermediary.ip |
dvc,targetHostname | target.hostname |
dvc,targetIp | target.ip |
filepath,pwd | target.file.full_path |
json_data.labels.compute.googleapis.com/resource_name | target.resource.name |
json_data.resource.labels.project_id | target.asset.attribute.cloud.project.id |
json_data.resource.labels.zone | target.asset.attribute.cloud.availability_zone |
metadata.description,action,SyslogMessage | metadata.description |
metadata.product_name,eventType,ProcessName,op | metadata.product_event_type |
outcome,hasing_algo,proto,reason | security_result.summary |
principal.hostname,dvc,srcHostName,Computer,source | principal.hostname |
principal.ip,dvc,srcIp,HostIP | principal.ip |
principal.port,srcPort | principal.port |
principal.user.userid,userId,username | principal.user.userid |
process | target.application |
process | target.application |
processId | principal.process.pid |
protocol | network.ip_protocol |
received_bytes | network.received_bytes |
security_result.action | security_result.action |
security_result.severity,log_level,SeverityLevel | security_result.severity |
sent_bytes | network.sent_bytes |
sessionId | network.session_id |
targetEmail | network.email.to |
Product Event Types¶
Event | UDM Event Classification |
---|---|
all other events | GENERIC_EVENT |
CRYPTO_SESSION,sftp-server,Connection | NETWORK_CONNECTION |
LOGIN,USER_AUTH,USER_LOGIN,Authentication failed,Started,Starting,opened | USER_LOGIN |
SERVICE_START | RESOURCE_CREATION,SERVICE_START |
SERVICE_STOP | RESOURCE_DELETION,SERVICE_STOP |
smtpd | NETWORK_CONNECTION,NETWORK_SMTP |
systemd-logind | USER_UNCATEGORIZED |
USER_ACCT,Starting Session | USER_UNCATEGORIZED |
USER_LOGOUT,session closed | USER_LOGOUT |
Log Sample¶
<14>Sep 29 00:10:23 node dataprotection_events: {"EventMessage" : "Finishing backup task", "Timestamp" : "2021-09-29T07:10:23.288Z", "ClusterInfo" : {"ClusterId" : "clusterid", "ClusterName" : "clustername"}, "EventType" : "kBackup", "EnvironmentType" : "kView", "RegisteredSource" : {"EntityType" : "kView", "EntityId" : "entityid", "EntityName" : "DefaultStorageDomain"}, "BackupJobName" : "SQL_Backups", "BackupJobId" : "19", "Entities" : [{"EntityType" : "kView", "EntityId" : "entityid", "EntityName" : "sql_backups"}], "TaskId" : "163642", "AttributeMap" : {}}
Sample Parsing¶
metadata.event_timestamp = "2021-09-29T00:10:23Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_name = "Unix OS"
metadata.product_event_type = "dataprotection_events"
metadata.ingested_timestamp = "2021-09-29T07:11:22.975382Z"
principal.platform = "LINUX"
intermediary.hostname = "node"
Parser Alerting¶
This product currently does not have any Parser-based Alerting