Veritas Netbackup¶
About¶
Veritas NetBackup appliance supports major databases such as Oracle and Microsoft SQL, as well as Microsoft Windows, Unix and Linux operating systems. The NetBackup appliance backs up data to disk, tape and public clouds, and protects popular VMware and Microsoft Hyper-V hypervisors.
Product Details¶
Vendor URL: Veritas Netbackup
Product Type: Security
Product Tier: Tier III
Integration Method: Syslog
Parser Details¶
Log Format: SYSLOG, KV
Expected Normalization Rate: 100%
Data Label: VERITAS_NETBACKUP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| acct, USER | principal.user.user_display_name |
| application | principal.application |
| body_bytes_sent | network.sent_bytes |
| comm, COMMAND | principal.process.command_line |
| connection | security_result.detection_fields |
| err, summary | security_result.summary |
| exe, PWD, pem_file_path | principal.file.full_path |
| fn | additional.fields |
| grantors | security_result.about.user.userid |
| host | observer.hostname |
| http_method | network.http.method |
| intermediary | intermediary.application |
| label | additional.fields |
| level | security_result.severity_details |
| log_id | metadata.product_log_id |
| m | additional.fields |
| Method | network.http.method |
| mode | security_result.detection_fields |
| name | principal.resource.name |
| NativeError | security_result.detection_fields |
| node | principal.hostname |
| op | metadata.product_event_type |
| pid | principal.process.pid |
| principal_port | principal.port |
| referer | network.http.referral_url |
| remote_user, uid, caller | principal.user.userid |
| RemoteAddr, remote_addr | principal.ip |
| res | security_result.action_details |
| server_protocol | network.application_protocol |
| service_name | target.application |
| ses | network.session_id |
| SqlState | security_result.detection_fields |
| status | network.http.response_code |
| subj | security_result.rule_name |
| target_url | target.url |
| thread | additional.fields |
| type | security_result.description |
| unit | target.resource.name |
| URL, request_uri | target.url |
| user_agent | network.http.user_agent |
| VERITAS NETBACKUP | metadata.vendor_name |
| Veritas Netbackup | metadata.product_name |
| version | network.application_protocol_version |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| flex_worker_gateway_access, flex_svc_gateway_access | NETWORK_HTTP |
| flex-svc-iam | NETWORK_CONNECTION |
| generic | GENERIC_EVENT |
| update | STATUS_UPDATE |
Log Sample¶
<134>1 2024-06-18T13:32:46.634589-04:00 johndoe.example.com audispd 65441 - - node=johndoe type=USER_START msg=audit(1718731966.599:5987299): pid=12345 uid=0 auid=1234567890 ses=1234567890 subj=system_u:system_r:container_init_t:s0:c139 msg='op=PAM:session_open grantors=pam_limits,pam_unix acct="exampleUser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"
Sample Parsing¶
metadata.base_labels.log_types = "VERITAS_NETBACKUP"
metadata.description = "USER_START"
metadata.event_type = "STATUS_UPDATE"
metadata.log_type = "VERITAS_NETBACKUP"
metadata.product_event_type = "audispd"
metadata.product_name = "Veritas Netbackup"
metadata.vendor_name = "VERITAS NETBACKUP"
network.session_id = "1234567890"
observer.asset.hostname = "johndoe.example.com"
observer.hostname = "johndoe.example.com"
principal.application = "audispd"
principal.file.full_path = "/usr/bin/sudo"
principal.hostname = "johndoe"
principal.process.pid = "12345"
principal.user.user_display_name = "exampleUser"
principal.user.userid = "0"
security_result.about.user.userid = "pam_limits,pam_unix"
security_result.action_details = "success"
security_result.description = "audit(1718731966.599:5987299)"
security_result.detection_fields.key = "OP"
security_result.detection_fields.value = "PAM:session_open"
security_result.rule_name = "system_u:system_r:container_init_t:s0:c139"