top of page
  • Writer's pictureBrad Linch

Forward Critical Veeam Events to Splunk

Monitoring and analyzing events from various sources is crucial for maintaining a secure and efficient IT environment. Veeam v12.1 offers comprehensive event logging capabilities for specific security related events to help monitor for potential cyber threats. By forwarding Veeam events to Splunk, organizations can take advantage of Splunk's robust log management and analysis features for enhanced visibility and troubleshooting.


Below are a few key benefits of forwarding Veeam events to Splunk or any syslog server.

  1. Centralized Log Management: By consolidating Veeam events into Splunk syslog, organizations can have a centralized repository for all their logs, making it easier to search, analyze, and correlate data from multiple sources.

  2. Real-Time Monitoring: Splunk provides real-time alerting capabilities based on specific events or patterns. By forwarding Veeam events to Splunk, organizations can set up proactive alerts for early detection and remediation.

  3. Advanced Log Analysis: Splunk's powerful search and analysis features enable organizations to gain deep insights into their Veeam events. With the ability to create dashboards, reports, and visualizations, you can easily identify trends, patterns, and potential issues within your backup infrastructure.


How to setup on Splunk:

  • Launch the Splunk web interface and navigate to "Settings -> Data Inputs".

  • Select "UDP" or "TCP" under the "Syslog" category, depending on your preferred protocol.

  • Configure the port number 514. Can use 6514 over TLS if preferred

  • Only accept connections from VBR


How to setup on Veeam:

Simply go to "Options" under global settings (hamburger helper in top left) and "Event Forwarding." Enter in the Splunk server and protocol/port to communicate with.


Create Splunk Alerts for Veeam Critical Events:

By default Veeam forwards all events to the syslog server which can quickly become overwhelming. Luckily, it's easy to create alerts for specific critical events that would matter most to the security team. Below are just a few examples of Veeam events that are important to forward:

  • 42402 - Four-eyes authorization request initiated

  • 42402 - Attempted deleted backup

  • 42220 - Restore point marked as infected

  • 41600 - Malware activity detected

  • 40205 - Invalid MFA code

  • 150 - Time shift detected on repository


These alerts can easily be setup in Splunk by searching for the above instance IDs and then creating alerts for them.


Below are several alerts I created in Splunk to help filter out the noise for specific events security teams should be aware of. This functionality would work on any Syslog server.


By forwarding Veeam events to Splunk, organizations can achieve centralized log management, real-time monitoring, and advanced log analysis capabilities. Splunk's powerful search and analysis features can help identify potential issues, track trends, and optimize backup infrastructure performance. With this integration in place, IT teams can proactively address concerns, ensure data protection, and minimize the impact of backup-related incidents on overall business operations.


280 views

Recent Posts

See All

Why Veeam

Comments


bottom of page