Collect Cohesity DataProtect (formerly Veritas NetBackup) logs

This document explains how to ingest Cohesity DataProtect (formerly Veritas NetBackup) logs to Google Security Operations using Bindplane.

Cohesity DataProtect (formerly Veritas NetBackup, acquired by Cohesity in December 2024) is an enterprise-grade data protection and backup solution designed to safeguard data across physical, virtual, and cloud environments. It provides centralized management for backup, recovery, and disaster recovery operations, supporting a wide range of platforms, applications, and storage targets to ensure data resilience at scale.

Before you begin

Make sure you have the following prerequisites:

  • Google SecOps instance.
  • Windows Server 2016 or later, or Linux host with systemd.
  • Network connectivity between Bindplane agent and Cohesity DataProtect (formerly Veritas NetBackup).
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
  • Privileged access to the NetBackup Administration Console or NetBackup Appliance Shell.
  • NetBackup version 7.7 or later (for syslog forwarding support).

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.

  2. Go to SIEM Settings > Collection Agent.

  3. Click Download to download the Ingestion Authentication File.

  4. Save the file securely on the system where Bindplane agent will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.

  2. Go to SIEM Settings > Profile.

  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.

  2. Run the following command:

      msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

  3. Wait for the installation to complete.

  4. Verify the installation by running:

      sc query observiq-otel-collector


The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

      sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

  3. Wait for the installation to complete.

  4. Verify the installation by running:

      sudo systemctl status observiq-otel-collector


The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide.

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

      sudo nano /etc/bindplane-agent/config.yaml

  • Windows:

      notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"


Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

      receivers:
        udplog:
          listen_address: "0.0.0.0:514"

      exporters:
        chronicle/netbackup:
          compression: gzip
          creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
          customer_id: 'your-customer-id-here'
          endpoint: malachiteingestion-pa.googleapis.com
          log_type: VERITAS_NETBACKUP
          raw_log_field: body
          ingestion_labels:
            env: production
            source: netbackup

      service:
        pipelines:
          logs/netbackup_to_chronicle:
            receivers:
              - udplog
            exporters:
              - chronicle/netbackup


Configuration parameters

Replace the following placeholders:

  • Receiver configuration:

    • listen_address: IP address and port to listen on. Use 0.0.0.0:514 to listen on all interfaces on port 514. If port 514 requires root privileges on Linux, use 0.0.0.0:1514 and configure NetBackup to send to port 1514.

  • Exporter configuration:

    • creds_file_path: Full path to the ingestion authentication file:
      • Linux: /etc/bindplane-agent/ingestion-auth.json
      • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
    • customer_id: Customer ID from the previous step (for example, a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6)
    • endpoint: Regional endpoint URL:
      • US: malachiteingestion-pa.googleapis.com
      • Europe: europe-malachiteingestion-pa.googleapis.com
      • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
      • See Regional Endpoints for the complete list
    • log_type: Must be exactly VERITAS_NETBACKUP
    • ingestion_labels: Optional labels for filtering and organization

Save the configuration file

After editing, save the file:

  • Linux: Press Ctrl+O, then Enter, then Ctrl+X
  • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

  1. Run the following command:

      sudo systemctl restart observiq-otel-collector

  2. Verify the service is running:

      sudo systemctl status observiq-otel-collector

  3. Check logs for errors:

      sudo journalctl -u observiq-otel-collector -f


To restart the Bindplane agent in Windows:

  1. Choose one of the following options:

    • Command Prompt or PowerShell as administrator:

        net stop observiq-otel-collector && net start observiq-otel-collector

    • Services console:
      1. Press Win+R , type services.msc , and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.
  2. Verify the service is running:

      sc query observiq-otel-collector

  3. Check logs for errors:

      type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"


Configure Cohesity DataProtect (formerly Veritas NetBackup) syslog forwarding

NetBackup supports two methods for configuring syslog forwarding: through the bp.conf configuration file on the NetBackup primary server, or through the NetBackup Appliance Shell for appliance-based deployments.

Option A: Configure syslog via bp.conf (NetBackup primary server)

  1. Sign in to the NetBackup primary server as an administrator.

  2. Open the bp.conf configuration file:

    • Linux:

        sudo vi /usr/openv/netbackup/bp.conf

    • Windows:

        C:\Program Files\Veritas\NetBackup\bp.conf

  3. Add the following entries to the bp.conf file:

      SYSLOG_SERVER = <BINDPLANE_AGENT_IP>
      SYSLOG_PORT = 514

    • Replace <BINDPLANE_AGENT_IP> with the IP address of the Bindplane agent host (for example, 192.168.1.100).
  4. Save and close the file.

  5. Restart the NetBackup services to apply the changes:

    • Linux:

        sudo /usr/openv/netbackup/bin/bp.kill_all
        sudo /usr/openv/netbackup/bin/bp.start_all

    • Windows:

        "C:\Program Files\Veritas\NetBackup\bin\bpdown.exe" -f
        "C:\Program Files\Veritas\NetBackup\bin\bpup.exe" -f


Option B: Configure syslog via NetBackup Appliance Shell

  1. Sign in to the NetBackup Appliance Shell via SSH or the web-based console.

  2. Navigate to Settings > Syslog.

  3. Run the following command to configure syslog forwarding:

      Settings > Syslog > Set <BINDPLANE_AGENT_IP> 514 UDP

    • Replace <BINDPLANE_AGENT_IP> with the IP address of the Bindplane agent host (for example, 192.168.1.100).
  4. Confirm the configuration by running:

      Settings > Syslog > Show

  5. Verify that the syslog server IP, port, and protocol are correctly displayed.

Verify syslog forwarding

After configuring syslog forwarding, verify that logs are being sent by checking the Bindplane agent host:

  • Linux:

      sudo tcpdump -i any port 514 -A

  • Windows:

Use Wireshark or Microsoft Message Analyzer to capture traffic on port 514.
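A packet capture only shows traffic once NetBackup is already sending. To check the receiving side first, the following added example (not part of this document or of Bindplane) builds a NetBackup-style syslog datagram shaped like the fields the UDM mapping table describes, proves it round-trips over a local UDP socket, and can then be pointed at the agent's listen_address so the message should appear in collector.log and in Google SecOps. The payload, hostname and program name are constructed for the example.

```python
import socket

# Constructed sample resembling the NetBackup messages the UDM table describes:
# an MM/DD/YY HH:MM:SS timestamp, "Error::<code>", a "(Class::Method:line)::Error"
# description and SqlState / NativeError key-value pairs. Not a real captured log.
SAMPLE_MESSAGE = (
    "10/14/24 09:31:07 Error::83 (OdbcStatement::ExecDirect:962)::Error "
    "SqlState=42000 NativeError=1205"
)


def build_syslog_datagram(hostname, app, message, stamp="Oct 14 09:31:07",
                          facility=1, severity=3):
    """Encode an RFC 3164-style line: <PRI>TIMESTAMP HOSTNAME APP: MSG.

    PRI is facility * 8 + severity; the defaults (user facility, "error"
    severity) give <11>. The timestamp is the RFC 3164 "Mmm dd hh:mm:ss" form.
    """
    pri = facility * 8 + severity
    return f"<{pri}>{stamp} {hostname} {app}: {message}".encode("utf-8")


def send_datagram(payload, host, port):
    """Send one UDP datagram to the udplog receiver's listen_address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))


def loopback_roundtrip(payload, timeout=2.0):
    """Bind an ephemeral UDP port on localhost, send the payload to it and
    return the bytes that arrive. This stands in for the agent's udplog
    receiver so the test message can be checked without a running agent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server:
        server.bind(("127.0.0.1", 0))
        server.settimeout(timeout)
        port = server.getsockname()[1]
        send_datagram(payload, "127.0.0.1", port)
        data, _ = server.recvfrom(65535)
        return data


if __name__ == "__main__":
    datagram = build_syslog_datagram("nbu-primary01", "netbackup", SAMPLE_MESSAGE)
    print("sent :", datagram.decode())
    print("recvd:", loopback_roundtrip(datagram).decode())
    # To exercise the real pipeline, send to the agent host and port from
    # config.yaml (for example the 192.168.1.100 / 514 values used above):
    # send_datagram(datagram, "192.168.1.100", 514)
```

If the datagram reaches the agent but nothing shows in Google SecOps, the receiver is fine and the exporter settings (creds_file_path, customer_id, endpoint, log_type) are the next thing to check.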

Notes on NetBackup syslog behavior

  • NetBackup sends operational event logs, job status notifications, and system alerts via syslog. The log messages include backup job status, media events, device errors, and administrative actions.

  • Syslog messages are sent via UDP by default. NetBackup does not natively support TCP syslog forwarding through the bp.conf method.

  • The Google SecOps VERITAS_NETBACKUP parser handles both key-value pair and JSON-formatted syslog messages from NetBackup.

  • Ensure the NetBackup primary server system time is synchronized with NTP and configured to UTC for accurate log timestamps.

UDM mapping table

| Log Field | UDM Mapping | Logic |
|---|---|---|
| data | additional.fields[0].value.string_value | The date and time from the raw log message, extracted using grok and formatted as "MM/DD/YY HH:MM:SS". |
| data | metadata.description | The description part of the message extracted using grok. Example: "(OdbcStatement::ExecDirect:962)::Error". |
| data | metadata.product_event_type | The product event type extracted using grok. Example: "Error::83". |
| data | principal.asset.hostname | The hostname extracted from the syslog message using grok. |
| data | principal.file.full_path | The pem file path extracted from the JSON data in the log. |
| data | principal.hostname | The hostname extracted from the syslog message using grok. |
| data | security_result.detection_fields[0].key | The key "SqlState" is added if the SqlState field is present in the raw log after the grok parsing. |
| data | security_result.detection_fields[0].value | The value of SqlState extracted from the raw log message using grok and kv. |
| data | security_result.detection_fields[1].key | The key "NativeError" is added if the NativeError field is present in the raw log after the grok parsing. |
| data | security_result.detection_fields[1].value | The value of NativeError extracted from the raw log message using grok and kv. |
| data | security_result.detection_fields[2].key | The key "sev" is added if the sev field is present in the raw log after the grok parsing. |
| data | security_result.detection_fields[2].value | The value of sev extracted from the JSON data in the log. |
| data | security_result.severity | Set to "LOW" if the sev field (extracted from JSON) is "normal". |
| data | security_result.summary | The error message or summary extracted from the raw log message using grok. |
| data | additional.fields[1].value.string_value | The value of thread extracted from the JSON data in the log. |
| data | additional.fields[2].value.string_value | The value of m extracted from the JSON data in the log. |
| data | additional.fields[3].value.string_value | The value of fn extracted from the JSON data in the log. |
| collection_time | metadata.event_timestamp | The timestamp from the collection_time field in the raw log. Set to "STATUS_UPDATE" if a principal hostname is present, otherwise "GENERIC_EVENT". |
| collection_time | timestamp | The timestamp from the collection_time field in the raw log. |
