Solved

Information extraction from log files for SIEM/SOC

  • 28 February 2022
  • 6 replies
  • 1769 views

Post by Onno:

Hi,

I'm looking for documentation around the ability to index logging-related security events for SIEM/SOC purposes. Commvault software by default generates tons of log files, and for me (and I suppose a lot of other customers) it is hard to get specific information from the Commvault logs for purposes other than troubleshooting. Besides that, I'm looking for guidance on this, just to make sure the information can be collected in a consistent way so you are safeguarded that a future update will not break this. I'm especially looking for information on how to get all information from the logs that gives me insights into things like:

  • Activity via REST API, Command Center, CommCell console, Apps, etc.
  • Activity towards (and through) network gateways.
  • Activity to/from functionality with external components like external REST APIs, Key Vaults.
  • Communication between client computers.
  • Data retrieval, e.g. who is retrieving data from the platform via a restore, download functionality in Command Center, etc.

I'm missing this information in the following BOL sections, and I think it is valuable to have it documented. I would have expected it to be documented here:

https://documentation.commvault.com/11.26/essential/107065_security.html
https://documentation.commvault.com/11.26/expert/7722_security_overview.html

I hope someone can shine some light on this.

Regards,

Onno


Best answer by DMCVault 1 March 2022, 16:18


Reply by HolowEd:

@Onno van den Berg,


Have you checked out this documentation in our BOL?

https://documentation.commvault.com/11.26/expert/5639_log_monitoring.html

https://documentation.commvault.com/11.26/expert/5853_system_monitoring.html

Reply by Onno:

Hi @HolowEd,

This is not what I'm looking for, because I'm referring to the actual information that is logged in the current log files. In addition, most companies using SOC/SIEM will not use Commvault Log Monitoring for that but will use a specific solution for it or leverage solutions like Splunk or Azure Sentinel so their security departments can scan all access logs for specific threats.

The log monitoring feature I see as being very helpful for troubleshooting purposes.

So, to be clear, I'm looking for a guide that explains how to retrieve the information around the use cases from the Commvault logs.

Onno

Reply by HolowEd:

@Onno van den Berg 


I can check with our products team to see if they have anything that they can supply that can be used as a guide for setting this up.

Reply by DMCVault (best answer):

@Onno van den Berg

If Splunk is your SIEM of choice, we have a plugin in Splunkbase that will collect log data. At that point you can query the log data for whatever you want.

You can also send any triggered Commvault event to a SIEM via Syslog or Webhook (via event alert). But in cases where there are specific events in the logs that you want to monitor for, create an Event Raiser Log Monitoring policy. This is a very cool feature: it allows you to generate your own events and alerts when certain log conditions are detected based on simple search criteria or advanced regular expressions. Event Raiser does not require an index server. When the condition is detected, it will generate an event and/or alert that you can send off to your event platform using Syslog or webhook. Additionally, this feature is not just limited to Commvault logs; you can also monitor external system logs and generate events in Commvault. It's a very powerful feature and provides a ton of flexibility, and it's a great way to monitor for log conditions without having to send all the logs to your event system. At the moment you can only create LM policies in the Java GUI, but we are working on bringing it over to Command Center.

Here are some demo videos:

Here are examples for your criteria:

  • Activity via REST API, Command Center, CommCell console, Apps, etc.

You would want to monitor the webserver.log

  • Activity towards (and through) network gateways.

You can monitor connections in CVD and CVFWD

  • Activity to/from functionality with external components like external REST APIs, Key Vaults.

This really depends on the specifics. But if you are using a KMIP KMS you can monitor the KMIPClient.log, for example.

  • Communication between client computers.

You can monitor connections in CVD and CVFWD

  • Data retrieval, e.g. who is retrieving data from the platform via a restore, download functionality in Command Center, etc.

Actually, we audit this in the audit trail by default in 1125+. You can also make an alert for this, and send it via webhook or syslog.

Reply by Onno:

Thanks for the extensive response @DMCVault!

Splunk plugin
The Splunk plugin looks nice and I see a benefit for a large number of customers; however, I'm not allowed to use it like this because I'm only targeting the backend infrastructure, not the client computers of our customers. In addition, we have automation in place to distribute the Splunk forwarding agent. The only thing I'm interested in is the dashboards. I'll see if I can export them after installing the plugin on our Splunk island.

Syslog
If I recall correctly, syslog only gathers and forwards the logs of the CommServe, right? One comment on it, as I have been playing with it: there is no delete/remove configuration button on the syslog page. From a UX and consistency point of view it would be nice to add it.

Webhook alerts
This is especially nice for sending out alerts to Slack/Teams. Maybe also to have the data ingested for SOC/SIEM, but it depends on the use case, because it doesn't send lower-level information like, for example, network communication attempts.

Event Raiser
I have been playing around with it for some time a few years ago. I do not see a lot of new development around it anymore, but it definitely helps out during troubleshooting. I would consider even configuring and turning it on by default, having some gxtail magic added to it, and making it embedded in Command Center. Unfortunately, for SOC/SIEM it is less interesting.

As for the overview of log files:

Activity via REST API, Command Center, CommCell console, Apps, etc.
You would want to monitor the webserver.log
Thanks! Does it log specific codes which can be used to filter the webserver.log for these kinds of events?

Activity towards (and through) network gateways.
You can monitor connections in CVD and CVFWD
Thanks! Does it log specific codes which can be used as a filter?

Activity to/from functionality with external components like external REST APIs, Key Vaults.
This really depends on the specifics. But if you are using a KMIP KMS you can monitor the KMIPClient.log, for example.
Ok!

Communication between client computers.
You can monitor connections in CVD and CVFWD
Thanks! Does it log specific codes which can be used as a filter?

Data retrieval, e.g. who is retrieving data from the platform via a restore, download functionality in Command Center, etc.
Actually, we audit this in the audit trail by default in 1125+. You can also make an alert for this, and send it via webhook or syslog.
Can you point me to the correct log file? I have been testing but was not really sure which log file captures these events.

Reply by DMCVault:

In my opinion you are looking at a mixed solution. I would use the Splunk plugin to ingest the raw log data for troubleshooting purposes, but I would also use Syslog or Webhooks for specific alert/event conditions, since the logs won't have the alert notification messages by default.


The Splunk plugin allows you to select what clients you want to monitor. So you can pick just the infrastructure machines.


The Syslog feature exports all events, alerts, and audit trail info to a syslog server, or syslog receiver. No log data. You can export directly to Splunk; see my demo video that I shared in the previous post.

Webhooks send any alert to an API endpoint. I've spoken to experts from Microsoft as well as Splunk and affirmed that webhooks are one of the preferred ways for pushing events from an application to a SIEM or event system. It's a more modern approach. We will be expanding this out within our platform beyond alerts. Yes, you can use this to get events to Teams and Slack, but nearly all SIEMs I've looked at have some sort of HTTP data input connector. For example, with Splunk you would use the HEC (HTTP Event Collector) as a data input collector.

Event Raiser gives you the flexibility to monitor logs for certain conditions. If you use the Splunk plugin, you may not need this, since you will ingest all logs into your SIEM anyway.


We have a bunch of documented event codes here; in many cases you don't need the logs to find these codes, since they will be triggered as Commvault events that you can capture via alert → webhook/syslog:

https://documentation.commvault.com/11.24/expert/130849_system_messages_event_strings_and_error_codes.html

For communication-type events, look at the DataPipe, Communications Service, and Network Module event codes.
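The two DMCVault replies above describe the same pipeline from a defender's side: an Event Raiser style policy matches log lines against simple text or regular-expression conditions, raises a named event, and that event is pushed to the SIEM through a webhook such as Splunk's HTTP Event Collector. The script below is an added illustration of that flow and is not Commvault's code or the Splunkbase plugin. The log lines are constructed samples in an assumed "pid tid mm/dd hh:mm:ss jobid module message" layout (Commvault's real lines differ in detail), the condition names and severities are invented, and the HEC token is a placeholder; the HEC envelope itself (`time`, `host`, `source`, `sourcetype`, `event`, sent to `/services/collector/event` with an `Authorization: Splunk <token>` header) is the documented Splunk format. Nothing is transmitted; the request is only assembled so the output can be inspected.

```python
"""
Event-raiser style log monitoring feeding a Splunk HEC payload.
Added example, not Commvault code. Log layout and condition names are assumptions.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample lines in the assumed "<pid> <tid> <mm/dd> <hh:mm:ss> <jobid> <module> <message>" layout.
SAMPLE_LOG = """\
4120 5f8c 02/28 10:12:01 ##### WebServer User [jdoe] logged in from 10.0.5.17 via REST API
4120 5f8c 02/28 10:12:44 ##### WebServer Login failed for user [svc_backup] from 10.0.5.99
2210 1a02 02/28 10:13:10 12345 CvdTcp Connection established with client [fileserver01:8400]
2210 1a02 02/28 10:13:12 12345 CvdTcp Connection refused from [203.0.113.7:8400]
3301 77b1 02/28 10:14:05 12346 Restore Restore job started by user [jdoe] for client [fileserver01]
"""


@dataclass
class Condition:
    """One Event Raiser style rule: a regex (plain text also works) and the event it raises."""
    name: str                      # event name raised on a hit (invented for this example)
    pattern: str                   # regex applied to the message part of the line
    severity: str                  # passed through to the SIEM unchanged
    module: Optional[str] = None   # if set, only lines from this log module are considered


# Hypothetical rules covering the use cases from the thread: web logins, connections, restores.
CONDITIONS = [
    Condition("auth_failure", r"Login failed for user \[(?P<user>[^\]]+)\] from (?P<src>[\d.]+)", "high", "WebServer"),
    Condition("api_login", r"User \[(?P<user>[^\]]+)\] logged in from (?P<src>[\d.]+)", "info", "WebServer"),
    Condition("conn_refused", r"Connection refused from \[(?P<src>[^\]]+)\]", "medium"),
    Condition("restore_started", r"Restore job started by user \[(?P<user>[^\]]+)\]", "medium", "Restore"),
]

LINE_RE = re.compile(
    r"^(?P<pid>\S+)\s+(?P<tid>\S+)\s+(?P<date>\d\d/\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<job>\S+)\s+(?P<module>\S+)\s+(?P<msg>.*)$"
)


def parse_line(line: str, year: int = 2022) -> Optional[dict]:
    """Split one log line into fields; the assumed layout carries no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['date']} {m['time']}", "%Y %m/%d %H:%M:%S")
    return {"time": ts.timestamp(), "job": m["job"], "module": m["module"], "msg": m["msg"]}


def raise_events(lines, conditions=CONDITIONS, host="commserve01"):
    """Apply every condition to every parsable line; each hit becomes one HEC-shaped event."""
    events = []
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec is None:
            continue  # unparsable line: skip rather than raise a misleading event
        for cond in conditions:
            if cond.module and cond.module != rec["module"]:
                continue
            m = re.search(cond.pattern, rec["msg"])
            if not m:
                continue
            events.append({
                "time": rec["time"],
                "host": host,
                "source": f"commvault:{rec['module']}",
                "sourcetype": "commvault:logmonitor",
                "event": {
                    "name": cond.name,
                    "severity": cond.severity,
                    "job_id": rec["job"],
                    "raw": rec["msg"],
                    **m.groupdict(),   # named captures (user, src) become searchable fields
                },
            })
    return events


def hec_request(events, token="<HEC-TOKEN-PLACEHOLDER>"):
    """Assemble headers and newline-delimited body for POST /services/collector/event; nothing is sent."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = "\n".join(json.dumps(e) for e in events)
    return headers, body


if __name__ == "__main__":
    raised = raise_events(SAMPLE_LOG.splitlines())
    for ev in raised:
        print(ev["event"]["name"], ev["event"])
    print(hec_request(raised)[1])
```

Run against the embedded sample it raises four events (one login, one failed login, one refused connection, one restore start) and leaves the unmatched "Connection established" line alone. The point for SIEM design is the one DMCVault makes: conditions like these produce compact, structured events with extracted fields, so the full raw log volume only needs to reach the SIEM when you also want it for troubleshooting.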