I had some time today, and I started on something sort of cool. A couple of articles will come out of it. But here is the first!
Many companies I know or have visited like to get all of their important applications talking to syslog. Syslog is a transport protocol that many different applications and operating systems can work with. It is old and not quite perfect, but for connecting dissimilar machines or consolidating logs it is quite handy.
This is often driven by some security or management software they want to use that speaks syslog. So if Exchange can send logs via syslog, the management app can report more completely on enterprise health. Sometimes it is so that it is easier to use roles to divide up monitoring, such as security and operations: often it is mostly the same logs, just a different way of looking at them. Syslog enables a great deal of this, and I have seen it used as the common transport protocol for a lot of operations, audit, compliance and security activities.
In this article, I am going to look at how to get Veeam logs into syslog. That will potentially help anyone. I will use Log Insight as my syslog consolidation server.
First problem though, which Event Log should we work with? Fortunately, Veeam did a nice job on that.
We have an actual channel called Veeam Backup, so that is a great start! Browsing this channel, I can see the warnings and errors from my playtime in Veeam B&R, and this leads me to believe that I will be able to make an intro content pack quite useful.
BTW, while most of this article will talk about Log Insight, which is my syslog / log consolidation tool of choice, the info here can be used in other tools. Content Packs in Log Insight provide the information needed to understand what is in the logs, and other syslog tools like Splunk have the same thing, although Splunk calls them Application Packs.
There are various free tools to send event logs to syslog. But since in my lab I use LI (Log Insight), and it has agents for a number of different operating systems, including Windows, we are good. A nice thing about this is that with both the agent and the syslog tool being Log Insight, I don’t actually have to use syslog to transfer the logs. I can use an API method, which is much preferable, as it preserves more of the event log message and handles retries too!
Let’s do it – agent ready time!
Get the Windows agent and have it handy for your Veeam server(s). On your Veeam server you need to install the agent. It will ask one question: what is the FQDN of your LI server. It will not cause the Veeam server to restart.
Create agent management template
Now we need to select a template for agent management that we want to work with. This is particularly useful, as we can do centralized configuration of one or more Veeam server agents. If the agent gets reinstalled, the config will be downloaded to it from central management, so that is quite handy. This template will be used for my one Veeam server, but it would be easy to use it for 10 too!
We need to access the Log Insight Administration page, change to the Agents area, and use the dropdown list at the top, as seen below.
C:\ProgramData\VMware\Log Insight Agent
Agent template filter?
Misconfigured agent config?
You can check the config, much more easily using the Edit button that you see in the screenshot above.
You will need to change from the Build view to the Edit view. Make sure the agent info you see is similar to what is above. Make sure enabled=yes for the Veeam Backup channel. Check spelling and spacing. If you make changes, you will need to restart the LI agent service.
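Before trusting what shows up in LI, it is worth confirming on the Veeam server itself that the channel exists, that it actually carries warnings and errors, and that the agent's effective config enables it. The script below is an added example, not from the original post or from VMware; it assumes the channel name "Veeam Backup" and the agent directory from this post, the LI agent's winlog section format ([winlog|name] with channel= and enabled=yes), and a service name of LogInsightAgentService (an assumption, check it with Get-Service).

```powershell
# Added example (not from the original post). Assumptions: channel "Veeam Backup",
# agent config under C:\ProgramData\VMware\Log Insight Agent (both from the post),
# winlog section keys channel= / enabled=, and the service name below (verify locally).
$Channel  = 'Veeam Backup'
$AgentDir = 'C:\ProgramData\VMware\Log Insight Agent'
$IniPath  = Join-Path $AgentDir 'liagent-effective.ini'
$SvcName  = 'LogInsightAgentService'   # assumption: confirm with Get-Service *LogInsight*

# 1. Does the Windows event channel exist, and does it hold anything worth shipping?
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
"Channel '{0}': {1} records, last written {2}" -f $log.LogName, $log.RecordCount, $log.LastWriteTime

# Level 1 = Critical, 2 = Error, 3 = Warning: the events a monitoring or security team cares about.
$recent = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Level = 1, 2, 3 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
$recent | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName | Format-Table -AutoSize

# 2. Is the channel enabled in the agent's merged (effective) config?
# Parse the INI into sections; whitespace is stripped so "[winlog | custom]" and
# "[winlog|custom]" are treated the same, which is the spacing issue the post warns about.
$sections = @{}
$current  = $null
foreach ($line in Get-Content $IniPath) {
    if ($line -match '^\s*\[(.+?)\]\s*$') {
        $current = ($Matches[1] -replace '\s', '').ToLower()
        $sections[$current] = @{}
        continue
    }
    if ($current -and $line -match '^\s*([^;#=]+?)\s*=\s*(.*?)\s*$') {
        $sections[$current][$Matches[1].ToLower()] = $Matches[2]
    }
}
$veeam = $sections.GetEnumerator() |
         Where-Object { $_.Key -like 'winlog|*' -and $_.Value['channel'] -eq $Channel } |
         Select-Object -First 1
if (-not $veeam) {
    Write-Warning "No [winlog|...] section with channel=$Channel found in $IniPath"
} elseif ($veeam.Value['enabled'] -ne 'yes') {
    Write-Warning "Section [$($veeam.Key)] has enabled=$($veeam.Value['enabled']); set enabled=yes and restart the agent"
} else {
    "Agent config OK: [$($veeam.Key)] channel=$Channel enabled=yes"
}

# 3. Is the agent running? After any config change the service must be restarted.
Get-Service -Name $SvcName -ErrorAction SilentlyContinue | Select-Object Name, Status
```

If step 2 warns, fix the template in the LI Administration > Agents page rather than editing liagent-effective.ini by hand, since the central config will overwrite local edits.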
Now it works!
Look what we see in Log Insight now. If you have a pretty busy LI, as I do, you need to filter on your Veeam host, as I do below. But what you see is pretty cool, right?
I like the look of things we see, and as a result of that I am working on a Content Pack now. If you have questions or comments don’t hesitate to let me know.
- 2/23/17 – used this with LI 4.0 and Win2K16 and all worked. But the liagent-effective.ini looked a little different (the [winlog | custom] section has some text added to it); the fact is it worked fine. Also there is no Windows 2016 group, but I used Windows 2012 and all was good.
- Thanks to Rob, I learned that if you do not have the Microsoft – Windows Content Pack installed you will not see the Microsoft – Windows template. Sorry about that.