Skip to content

IBM Spectrum Protect

Product Name

About

IBM Spectrum Protect™ provides comprehensive data resilience for physical file servers, virtual environments, and a wide range of applications. Organizations can scale up to manage billions of objects per backup server. Clients can reduce backup infrastructure costs with built-in data efficiency capabilities and the ability to migrate or copy data to tape, public cloud services, and on-premises object storage. IBM Spectrum Protect can also store IBM Spectrum Protect Plus data, allowing companies to take advantage of their existing investment for long-term data retention and disaster recovery.

Product Details

Vendor URL: IBM Spectrum Protect

Product Type: Backup

Product Tier: Tier III

Integration Method: Syslog

Integration URL: N/A

Log Guides:

Messages, return codes, and error codes

ANR messages list

IBM Spectrum Protect server and client messages format

Parser Details

Log Format: Custom

Expected Normalization Rate: near 100%

Data Label: IBM_SPECTRUM_PROTECT

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
“STATUS_UPDATE” metadata.event_type
“GENERIC_EVENT”
“IBM Spectrum Protect” metadata.product_name
“IBM” metadata.vendor_name
cipher_specification network.tls.cipher
protocol network.tls.version
observer.hostname
principal.hostname
principal.ip
client-platform principal.platform
principal.port
administrator principal.user.userid
security_result.rule_id
certificate-info security_result.about.labels.key = “Certificate”
node-name security_result.about.labels.key = “NodeName”
session-number security_result.about.labels.key = “SessionNumber”

Product Event Types

Product Event Description UDM Event
ANR0330W Session session-number for node node-name (client-platform) refused - invalid authentication protocol requested. GENERIC_EVENT
ANR0403I Session session-number ended for node node-name (client-platform). GENERIC_EVENT
ANR0405I Session session-number ended for administrator administrator (DSMAPI). GENERIC_EVENT
ANR0406I Session session-number started for node node-name(TDPO client-platform) (SSL hostname [ip-address]:port). GENERIC_EVENT
ANR0418W Session session-number for administrator administrator name (client-platform) is refused because an incorrect password was submitted. GENERIC_EVENT
ANR0420W Session session-number for node node-name (client-platform) refused - server disabled for user access. GENERIC_EVENT
ANR0421W Session session-number for node node-name (client-platform) refused - sign-on protocol violation. This error can also result when the server is contacted by an application that is not a part of this product. GENERIC_EVENT
ANR0422W Session session-number for node node-name (client-platform) refused - node name not registered. STATUS_UPDATE
ANR0423W Session session-number for administrator administrator ID (client-platform) refused - administrator name not registered. STATUS_UPDATE
ANR0424W Session session-number for node node-name (client-platform) refused - invalid password submitted. GENERIC_EVENT
ANR0425W Session session-number for node node-name (client-platform) refused - node password has expired. GENERIC_EVENT
ANR0426W Session session-number for node node-name (client-platform) refused - open registration not permitted. ( GENERIC_EVENT
ANR0474W Session session-number for administrator administrator ID (administrator-platform) was refused because administrators are not allowed to initiate sessions on the client port. tcpadmin port was specified on another port. GENERIC_EVENT
ANR0475W Session session-number for node node-name (client-platform) refused - node is not allowed to initiate sessions on administrative port. GENERIC_EVENT
ANR0803I DELETE FILESPACE filespace name (backup data) for node node-name started. GENERIC_EVENT
ANR1514I Policy Set Activated GENERIC_EVENT
ANR1629W Remove Replication for a node was issued. GENERIC_EVENT
ANR1633E Node can not be removed or renamed. It is part of a replication pair GENERIC_EVENT
ANR2063I Node has been updated. GENERIC_EVENT
ANR2064I Node name is unlocked GENERIC_EVENT
ANR2177I node/admin name has count invalid sign-on attempts. The limit is limit. GENERIC_EVENT
ANR2178E node/admin name has been locked. Invalid sign-on attempt limit (limit) reached. GENERIC_EVENT
ANR2179E Administrator administrator should have been locked, but was not. The indicated administrator reached the limit for consecutive invalid passwords and should have been locked. If it were locked, there would be no means to execute commands requiring system authority. GENERIC_EVENT
ANR2251S The ACCESS setting for storage pool poolname was changed from access to UNAVAILABLE. The pool is enabled for encryption, but the master encryption key for the server is not available. GENERIC_EVENT
ANR2252S The ACCESS setting for storage pool poolname was changed from access to UNAVAILABLE. The pool is enabled for encryption, but the master encryption key for the server was reset. GENERIC_EVENT
ANR3692W Security Anomaly message that drives the operations center security alert. GENERIC_EVENT
ANE4973E An error occurred accessing NTFS security information for file 'filespace namepath-namefile-name' GENERIC_EVENT
ANE4974E Error processing 'filespace namepath-namefile-name': a required NT privilege is not held. GENERIC_EVENT
ANR8592I Session-number connection is using protocol tls-protocol, cipher specification cipher-specification, certificate certificate-info. GENERIC_EVENT

Log Sample

000407 002 00 000000000 002 003 20220107151655 hostname1
AAA0000I Session 27698 started for administrator john.doe (Linux x86-64)
(SSL hostname2.doimain.com[10.10.10.10]:37555).~  

Sample Parsing

metadata.event_timestamp = "2021-09-28T16:14:04Z" 
metadata.event_type = "STATUS_UPDATE"
metadata.vendor_name = "IBM"
metadata.product_name = "IBM Spectrum Protect"
principal.hostname = "hostname2.domain.com"
principal.user.userid = "john.doe"
principal.platform = "LINUX"
principal.ip = "10.10.10.10"
principal.port = 37555
principal.asset.ip = "10.10.10.10"
observer.hostname = "hostname1"
security_result.about.labels.key = "SessionNumber"
security_result.about.labels.value = "5555323"
security_result.rule_id = "AAA0000I"

Parser Alerting

This product currently does not have any Parser-based Alerting