Monitoring and analyzing events from various sources is crucial for maintaining a secure and efficient IT environment. Veeam v12.1 offers comprehensive event logging capabilities for specific security related events to help monitor for potential cyber threats. By forwarding Veeam events to Splunk, organizations can take advantage of Splunk's robust log management and analysis features for enhanced visibility and troubleshooting.
Below are a few key benefits of forwarding Veeam events to Splunk or any syslog server.
Centralized Log Management: By consolidating Veeam events into Splunk syslog, organizations can have a centralized repository for all their logs, making it easier to search, analyze, and correlate data from multiple sources.
Real-Time Monitoring: Splunk provides real-time alerting capabilities based on specific events or patterns. By forwarding Veeam events to Splunk, organizations can set up proactive alerts for early detection and remediation.
Advanced Log Analysis: Splunk's powerful search and analysis features enable organizations to gain deep insights into their Veeam events. With the ability to create dashboards, reports, and visualizations, you can easily identify trends, patterns, and potential issues within your backup infrastructure.
How to setup on Splunk:
Launch the Splunk web interface and navigate to "Settings -> Data Inputs".
Select "UDP" or "TCP" under the "Syslog" category, depending on your preferred protocol.
Configure the port number 514. Can use 6514 over TLS if preferred
Only accept connections from VBR
How to setup on Veeam:
Simply go to "Options" under global settings (hamburger helper in top left) and "Event Forwarding." Enter in the Splunk server and protocol/port to communicate with.
Create Splunk Alerts for Veeam Critical Events:
By default Veeam forwards all events to the syslog server which can quickly become overwhelming. Luckily, it's easy to create alerts for specific critical events that would matter most to the security team. Below are just a few examples of Veeam events that are important to forward:
42402 - Four-eyes authorization request initiated
42402 - Attempted deleted backup
42220 - Restore point marked as infected
41600 - Malware activity detected
40205 - Invalid MFA code
150 - Time shift detected on repository
These alerts can easily be setup in Splunk by searching for the above instance IDs and then creating alerts for them.
Below are several alerts I created in Splunk to help filter out the noise for specific events security teams should be aware of. This functionality would work on any Syslog server.
By forwarding Veeam events to Splunk, organizations can achieve centralized log management, real-time monitoring, and advanced log analysis capabilities. Splunk's powerful search and analysis features can help identify potential issues, track trends, and optimize backup infrastructure performance. With this integration in place, IT teams can proactively address concerns, ensure data protection, and minimize the impact of backup-related incidents on overall business operations.