Help Required - Proxmox PVE/PBS Log Shipping (SIEM Integration)

We are reviewing Proxmox VE (PVE) and PBS from an audit and security monitoring perspective, specifically around logging and alerting for administrative changes (users, roles, ACLs, permissions).

Our requirement is to detect and alert when a user/role/permission/ACL is added, modified, or removed.

What we’ve tested:

Syslog / rsyslog forwarding

Linux auditd

Graylog ingestion with partial forwarding to Wazuh

Wazuh agents running on all PVE nodes

What we see consistently:

SSH authentication events

PAM authentication events

PVE GUI login success/failure

What we do not see:

User creation/deletion

Role or permission changes

ACL modifications

Policy-level changes

These events also do not appear in the PVE UI (Tasks, System Log, or Cluster Log) from what we can see.

Tested versions:
8.4.11
9.1

At this point we are trying to determine whether:

We are missing a supported/native audit mechanism for these events, or

Proxmox does not currently emit auditable events for administrative changes

Before resorting to filesystem-level auditing of /etc/pve, we’d like to confirm if these are actually available already and we're not missing anything.

Are we missing something?
 
Hi Void,

In our case we used rsyslog to forward events to our SIEM. It's not the best solution but it worked for us.
pvedaemon → is a core service in Proxmox which handles essential operations such as virtual machine management, API calls, user management and task scheduling.

pveproxy → Mainly the Proxmox Web GUI and API Gateway.

pve-ha-lrm → Manages/monitors local HA resources and takes care of failover.

pvestatd → This daemon queries the status of VMs, storages and containers at regular intervals. The result is sent to all nodes in the cluster.

pvefw-logger → Captures and logs events related to the Proxmox firewall

pvescheduler → This daemon is responsible for starting jobs according to the schedule, such as replication and vzdump jobs.
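
An rsyslog rule set for the forwarding approach described in the reply above, added here as an example (it is not part of either post and not Proxmox's own configuration). It forwards whatever the six listed daemons write to syslog over TLS. The file name, SIEM host name, port and CA path are placeholders, and it assumes each daemon's syslog tag equals its service name and that the rsyslog-gnutls module is installed.

```rsyslog
# /etc/rsyslog.d/60-pve-siem.conf   (hypothetical file name)
#
# Assumptions (not from the thread):
#   - syslog tag of each daemon equals its service name
#   - rsyslog-gnutls is installed so the "gtls" stream driver is available
#   - siem.example.internal:6514 and the CA path below are placeholders

# CA certificate used to verify the SIEM collector's TLS certificate.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/siem-ca.pem"
)

# Select only the Proxmox daemons named in the reply, then forward them.
# The action uses TLS-only mode, checks the peer certificate name, and
# spools to disk while the collector is unreachable so events are not lost.
if ($programname == 'pvedaemon' or
    $programname == 'pveproxy' or
    $programname == 'pve-ha-lrm' or
    $programname == 'pvestatd' or
    $programname == 'pvefw-logger' or
    $programname == 'pvescheduler') then {
    action(
        type="omfwd"
        target="siem.example.internal"
        port="6514"
        protocol="tcp"
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="siem.example.internal"
        template="RSYSLOG_SyslogProtocol23Format"
        queue.type="LinkedList"
        queue.filename="pve_siem_fwd"
        queue.maxDiskSpace="256m"
        queue.saveOnShutdown="on"
        action.resumeRetryCount="-1"
    )
}
```

Running `rsyslogd -N1` validates the syntax before the service is restarted.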