Event Monitoring, Logging and Alerting for Your Database Backups

Event Monitoring, Logging and Alerting for Your Database Backups

Andrew Abwoga
14 May 2020

 

Using the data security lifecycle, as stated in my previous blog, can help you gain control and visibility over the security of your database backups. Though, another critical aspect of security that is equally important is event logging, monitoring and alerting. It's no coincidence that most, if not all, cyber/information security and compliance standards and guidelines - such as ISO 27001, PCI-DSS, SANS Top 20 - treat logging and monitoring as a critical control. Having an event logging and monitoring capability puts you one step ahead in being able to fight cyber threats as you are able to readily detect and respond to malicious activity. This article talks about the event logging, monitoring and alerting features that are available in Backup Ninja. 

Logging, Monitoring and Alerting with Backup Ninja

Backup Ninja gives you an array of options that enable you to monitor events, receive alerts and audit backup activities. With it, you have three event facilities that can give you visibility of all your events, these are: the backup ninja web portal, alerts to your email and the bartender agent log file that resides on your database server. Moreover, there are a couple of factors for event correlation that are available to you. These are: event names and descriptions, ip addresses, timestamps for the start of an activity.

Backup Ninja User Activity Log

Events in Backup Ninja are broadly categorized as below:

  1. User events - Provide information about the following user events: 
    1. User registration (EventUserRegister)
    2. User login (EventUserLogin)
    3. User logout (EventUserLogout)
    4. Password change (EventUserChangePassword)
    5. Password restore (EventRestorePasswordStart)
    6. Password restore confirmation (EventUserRestorePasswordConfirm)
    7. Email confirmation for registration (EventUserConfirmEmail)
    8. Create a contact (EventUserCreateContact)
    9. Delete a contact (EventUserDeleteContact)
    10. Delete a user (EventUserDelete)
    11. Resend a verification email (EventUserResendVerificationEmail)
    12. Change a username  (EventUserChangeName)
  2. Agent events - Provide information about the following bartender agent events:
    1. Agent installation (EventAgentInstall)
    2. Agent restart (EventAgentRestart)
    3. Agent upgrades (EventAgentUpgrade)
    4. Agent deletion (EventAgentDelete)
    5. Uninstalling the agent (EventAgentUninstall)
    6. Creation of cloud credentials by the agent (EventAgentCreateCloudCredentials)
    7. Deletion of cloud credentials by the agent (EventAgentDeleteCloudCredentials)
  3. Backup events - Provide information about the following backup related events:
    1. Create backup schedules (EventBackupCreateSchedule)
    2. Pause backup schedules (EventBackupPauseSchedule)
    3. Resume backup schedules (EventBackupResumeSchedule)
    4. Delete backup schedules (EventBackupDeleteSchedule)
    5. Create backups (EventBackupCreate)
    6. Remove a backup file (EventBackupRemoveFile)
    7. Edit a backup schedule (EventBackupEditSchedule)
    8. Get a backup file (EventBackupGetFile)

All these events are relevant at the point that you want to detect malicious activity. At any one time, you should be able to use these events to answer the critical questions of: Who did what? What do they actually do? Where did they do it from? When they did it? Those questions should help you in understanding the tell tale signs of suspicious activity.

Backup Ninja’s User Activity Log

On the backup ninja web portal, you can get access to user activity logs by selecting the activity logs menu item on the left hand side of the web portal, after you have already logged in. The user activity log displays entries, as shown under user events earlier, on a table with the following columns:

  1. Description - A description of the event 
  2. Event - The name of the event 
  3. Created - When the event started
  4. IP - the originating IP Address of the user who triggered the event.

Below is a sample capture of the user activity logs.

Backup Ninja User Activity Logs

Backup Ninja’s Email Alerts

Backup Ninja’s Email Alerts

To receive email alerts, you have to activate them on the Backup Ninja web portal. By navigating to the Personal information menu item, you should be able to see all the alerting options. The section, with the title Manage system alerts, is divided into three sections: 

  1. Backup events 
  2. Schedule events
  3. Agent Events 

Backup event notifications alert you when a backup is created, has failed or is removed. Schedule events notifications alert you when a schedule is created, removed, paused or resumes operation. Lastly, agent events alert you when the bartender agent is installed, deleted, reports an error, gets started or stopped. Below are snippets of the section for enabling notifications/alerts.

Backup Ninja’s Email Alerts

Bartender Agent Log

You can also get a glimpse of the Bartender agent log activity by viewing the bartender log on your database server. By navigating to the /var/log/ directory you can view the logs by tailing the logs as in the image below or viewing old log entries using more or any other linux viewing or editing utility. In this log you should be able to see logs with verbosity such as: debug, info, warn, error, dpanic, panic, and fatal

Backup Ninja Bartender Agent Log

Summary

Backup Ninja gives you visibility of all the relevant events concerning the security of your database backup. In the case that you suspect or you actually succumb to a security incident you can readily detect and respond to suspicious or actual malicious activity.