Protect Veeam Audit Logs with NetApp ONTAP SnapLock WORM Technology



Protecting your Veeam Data Platform Audit Logs is another way to keep your security-sensitive logs safe. Using NetApp ONTAP SnapLock Write Once Read Many (WORM) technology can protect you from bad actors attempting to delete your audit logs. Please make sure the NetApp ONTAP controller has a SnapLock license.

The first thing you have to do is create a NetApp FlexVol (volume). I logged into NetApp ONTAP System Manager and from the main menu navigated to “Storage=>Volumes=>+Add” to get to the volume screen below (Figure 1). I filled in the fields and clicked on “More Options” (Figure 2) to display more volume options. If you enable the SnapLock option for the first time, you will be instructed to “Initialize the SnapLock compliance clock”, which is required (Figure 3). Click on “Enable SnapLock”, select type “Compliance” and whatever retention period is needed for your company's compliance standards for audit logs.

**** Caution: if you select 14 years you will not be able to delete contents for 14 years. Please test on a NetApp ONTAP Simulator if you need hands-on practice 😁 ***

This type of SnapLock is strict, versus selecting type “Enterprise”, which allows a trusted administrator to modify contents on this volume (Figure 4). Remember to click “Save” when you are done with your volume options.

Since I clicked on “Shared via SMB/CIFS” (Figure 2), you should have an SMB share that we will add to change the storage location of the Veeam Data Platform “Audit logs location” (Figure 5) below. I created a NAS backup job, then I performed a “File and Folders” restore from the NAS backup file. This will create some audit log files in the shared location identified in (Figure 2). I attempted to delete the existing audit log files from the share (Figure 6) and it failed. I also attempted a “Files and Folder” restore and it also failed (Figure 7).

Since Lenovo ThinkSystem Storage is also powered by ONTAP, you can perform this on ThinkSystem Storage Manager for DM Series.
For more information on NetApp ONTAP Snaplock, Veeam Audit Logs, NetApp ONTAP System Manager and Lenovo ThinkServer Storage Manager see documentation links below 😀.

Figure 1

Figure 2

Figure 3

Figure 4

Figure 5

Figure 6

Figure 7

Veeam Documentation - Audit Logs Location

https://helpcenter.veeam.com/docs/backup/vsphere/audit_logs_location.html?ver=120

What SnapLock is

https://docs.netapp.com/us-en/ontap/snaplock/

Administration overview with System Manager

https://docs.netapp.com/us-en/ontap/concept_administration_overview.html

Understanding ThinkSystem Storage Manager for DM Series

https://thinksystem.lenovofiles.com/storage/help/index.jsp?topic=%2Fsystem_administration_guide%2F3B6E7BDA-9F1B-4F8C-8FC2-8B28A2C3FCD7_.html
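A follow-up check for the setup described in the post, as an added example that is not part of the original post or of any Veeam or NetApp tooling: it walks the audit log share and flags files that are still writable. It assumes, per the note later in this thread, that a file carrying the read-only attribute has been committed to SnapLock; the share path and grace period are placeholders.

```python
import os
import stat
import time
from pathlib import Path

# Placeholder values (assumptions, not from the post): set to your environment.
AUDIT_SHARE = r"\\ontap-svm\veeam_audit"
GRACE_SECONDS = 24 * 3600  # a log younger than this may still be written to


def is_read_only(path):
    """True when no write bit is set. On Windows this mirrors the
    read-only file attribute, the indicator this check relies on."""
    mode = os.stat(path).st_mode
    return not mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)


def audit_log_worm_report(root, grace_seconds=GRACE_SECONDS, now=None):
    """Sort every file under root into one of three lists.

    committed: read-only, the expected state for a finished audit log
    pending:   writable but modified within the grace period
    overdue:   writable and older than the grace period, needs review
    """
    now = time.time() if now is None else now
    root = Path(root)
    report = {"committed": [], "pending": [], "overdue": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        name = path.relative_to(root).as_posix()
        if is_read_only(path):
            report["committed"].append(name)
        elif now - path.stat().st_mtime <= grace_seconds:
            report["pending"].append(name)
        else:
            report["overdue"].append(name)
    return report


if __name__ == "__main__":
    result = audit_log_worm_report(AUDIT_SHARE)
    for state, names in result.items():
        print(f"{state}: {len(names)}")
    for name in result["overdue"]:
        print(f"WARNING still writable: {name}")
    # Non-zero exit lets a scheduled task or monitoring agent raise an alert.
    raise SystemExit(1 if result["overdue"] else 0)
```

The read-only attribute is only an indicator seen from the client side; the retention time actually applied to a file is confirmed on the ONTAP side.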


10 comments


Hi @Pybarra nice idea!

What fits perfectly with this is that all customers with a valid maintenance contract and the former Premium License Bundle, which should be most NetApp customers, receive a free update to ONTAP One. This includes the SnapLock license.

Matze


Thanks @MatzeB, yes it is covered in this NetApp blog - https://www.netapp.com/blog/ontap-one/ 😀


Note: Please read the warnings in the Veeam Audit Logs documentation below and do not select the compress option checkbox on WORM volumes (Figure 5) 😀.

IMPORTANT

Storing audit logs on WORM tapes is not supported. Storing audit logs on WORM storages is supported without log compression. This type of storage prevents the data from being deleted or modified. Thus, raw audit logs cannot be deleted after creating compressed files.


This is a very interesting concept. Thanks for sharing.


You're very welcome, @Chris.Childerhose 😀


Hmm...I need to check if a newer NOS version of Nimble supports similar technology… 🤔

Thank you for sharing!


You're very welcome @coolsport00, it is worth looking into 😀


I added an additional note: when Veeam sets the read-only attribute on the audit log file, it triggers the NetApp SnapLock process; see Figure 8 below.


Hi @Pybarra, thx for sharing. 😍 It is similar to the technology of Infinidat Snaprotator.

Hardened repository immutability backup copy + Infinidat Snaprotator Locked Volume | Veeam Community Resource Hub


Thanks, @Link State, that is good to know. I will take a look at it 😀.
