Veritas Data Protection Add-On for Splunk Enterprise server guide

Article: 100071050
Last Published: 2024-10-24
Product(s): Appliances, NetBackup

Description

The Veritas Data Protection Add-On integrates Splunk with Veritas applications. Using the add-on, you can forward product usage behavior details from Veritas products such as NetBackup to the SIEM vendor Splunk. It retrieves audit logs that are specific to NetBackup and Alta View on request from Splunk, based on the configuration you set in Splunk. This article explains how to download and install the add-on and how to configure the required settings.

  1. Download & Install:
    • You can find the Veritas Data Protection Add-On in Splunkbase (the Splunk app store).
    • You can install it on the server directly from Splunkbase, or download it and then install it through Splunk's web console by going to: Apps -> Manage Apps -> Install App from the downloaded .tar.gz file.
  2. Configuring Veritas applications:
    • This add-on helps you collect important data like audit logs and event notifications from NetBackup (version 10.2 and up) and Alta View (version 1.0 and up).
    • If you're using NetBackup version 10.4 or Alta View 2.3 or newer, it also pulls Open Cybersecurity Schema Framework (OCSF) formatted audit messages.
    • Setting Up API Permissions:
      • To make the add-on work, you need a user with the right RBAC (Role-Based Access Control) permissions to create an API key.
      • For specific APIs, the following permissions are needed:
        • NetBackup APIs:
          • /security/auditlogs: For namespace |SECURITY|AUDIT-LOGS| (equivalent on the NetBackup UI: Security > RBAC > Global permissions > Security > Security events), the needed permission is |OPERATIONS|VIEW| (equivalent on the NetBackup UI: View).
          • /eventlog/notifications: For namespace |MANAGE|EVENTLOGS|NOTIFICATIONS| (equivalent on the NetBackup UI: Security > RBAC > Global permissions > NetBackup management > Event log notifications), the needed permission is |OPERATIONS|VIEW| (equivalent on the NetBackup UI: View).
        • Alta View API:
          • /eventlog/audit/events: For namespace |SYSTEM|AUDIT_DETAILS|, the needed permission is |OPERATIONS|VIEW|.
  3. How data is collected:
    • Once you configure the input, the add-on will start collecting data from that point forward. It won't collect past data.
    • The system keeps track of the last record it fetched to ensure it continues from where it left off.
    • If any issues arise, the add-on will log failure details in Splunk, and you can disable data collection until the issue is fixed.
  4. Upgrade considerations:
    • Your API key remains valid through upgrades, but it can also be extended if needed.
    • If you reinstall the NetBackup Primary server with the same host name, the audit log collection will start fresh, meaning it will collect records from ID 1 again. To avoid this, perform a Full Catalog Recovery on the primary server to continue collecting events from the last saved ID.
    • If you haven’t backed up the catalog, uninstall and reinstall the Veritas add-on.
  5. Additional Resources:
    • For detailed configuration steps and guidance, refer to the white paper: Veritas Data Protection Add-On.
    • For Full Catalog Recovery steps, refer to the NetBackup Administration Guide.
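
The notes above say the add-on continues from the last record it fetched and that a reinstalled primary server starts again at ID 1, so a continuity check over the indexed events can show when the audit trail was interrupted. The following Python check is an added example, not part of the add-on or any Veritas code; the field names `host` and `audit_id` and the sample records are constructed, and it assumes record IDs increase by one per record.

```python
"""Continuity check for collected audit records (added example)."""
from typing import Dict, Iterable, List, NamedTuple


class Finding(NamedTuple):
    host: str
    kind: str      # "gap" or "reset"
    prev_id: int   # last ID seen before the anomaly
    new_id: int    # ID that triggered the finding


def check_continuity(records: Iterable[dict]) -> List[Finding]:
    """Walk records in arrival order and flag per-host ID anomalies.

    'host' and 'audit_id' are hypothetical field names; map them to
    whatever your indexed events actually carry.
    """
    last_seen: Dict[str, int] = {}
    findings: List[Finding] = []
    for rec in records:
        host, rec_id = rec["host"], int(rec["audit_id"])
        prev = last_seen.get(host)
        if prev is not None:
            if rec_id <= prev:
                # IDs went backwards: numbering restarted, as happens when
                # the primary server is reinstalled without catalog recovery.
                findings.append(Finding(host, "reset", prev, rec_id))
            elif rec_id > prev + 1:
                # IDs skipped ahead: records prev+1 .. rec_id-1 never arrived.
                findings.append(Finding(host, "gap", prev, rec_id))
        last_seen[host] = rec_id
    return findings


# Constructed sample: nbu-primary01 skips ID 103, then restarts at ID 1.
SAMPLE = [
    {"host": "nbu-primary01", "audit_id": 101},
    {"host": "nbu-primary02", "audit_id": 7},
    {"host": "nbu-primary01", "audit_id": 102},
    {"host": "nbu-primary01", "audit_id": 104},
    {"host": "nbu-primary02", "audit_id": 8},
    {"host": "nbu-primary01", "audit_id": 105},
    {"host": "nbu-primary01", "audit_id": 1},
    {"host": "nbu-primary01", "audit_id": 2},
]

if __name__ == "__main__":
    for finding in check_continuity(SAMPLE):
        print(finding)
```

A "reset" finding is the cue to check whether the primary server was rebuilt and whether Full Catalog Recovery was performed; a "gap" finding points to records that were never indexed.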

For additional help with the Veritas Data Protection Add-On, or if you encounter an issue, you can search the knowledge base on the Veritas Support website or contact Veritas Technical Support for assistance.
