Veeam Backup & Replication: Audit Admin Task

Auditing is one of the most important thing of every companies because is a way to understand what users do but what happen when is necessary keep under control our admins? In a scenario with one-man-band is very easy but when there are 2 or more IT Admins is very fundamental register every single activities. Backup is one of that software where audit is very important.

 

In Veeam Backup & Replication auditing is possible through Event Viewer: into the folder Veeam Backup we can find all the activities about our backup software. In particular, some of these EventID are:

 

  • 23010 – New Job
  • 23050 – Edit Job
  • 23090 – Delete Job

 

To have a view of our Veeam servers it’s possible use this PowerShell script:

 

$Date = Get-Date 01/02/2016
$VeeamServer = “srv-veeam”

$colItems = Get-EventLog -LogName “Veeam Backup” -Source “Veeam MP” -After $Date -EntryType Information -ComputerName $VeeamServer | Where InstanceId -like ‘230*’ | Select-Object TimeGenerated,InstanceId,Message
foreach ($objItem in $colItems) {
switch ($objItem.InstanceId)
    {
        23010 {Write-Host $objItem.TimeGenerated,  – , $objItem.Message}
        23050 {Write-Host $objItem.TimeGenerated,  – , $objItem.Message -ForegroundColor Yellow}
        23090 {Write-Host $objItem.TimeGenerated,  – , $objItem.Message -ForegroundColor Red}
    }     
}

 

Very faster but if we have System Center Operations Manager, it’s possible create new Rules to collect these EventID. An example is available here: Monitor Custom EventID

 

S