Veeam events to Syslog – Log Insight

I had some time today, and I started on something sort of cool.  A couple of articles will come out of it.  But here is the first!

Many companies I know or have visited like to get all of their important applications talking to syslog.  Syslog is a transport protocol that many different applications and operating systems can work with.  It is old, and not quite perfect, but for connecting dissimilar machines or consolidating logs it is quite handy.

This is often due to some security or management software that they want to use that speaks syslog.  So if Exchange can send logs via syslog, the management app can report more completely on the enterprise health. Sometimes this is so that it is easier to use roles to divide up monitoring, such as security and operations: the logs are mostly the same, but each role looks at them in a different way.  Syslog empowers a great deal of this, and I have seen it used as the common transport protocol for a lot of operations, audit, compliance and security activities.

In this article, I am going to look at how to get Veeam logs into syslog.  That will potentially help anyone.  I will use Log Insight as my syslog consolidation server.

First problem though, which Event Log should we work with? Fortunately, Veeam did a nice job on that.

EventLog1

We have an actual channel called Veeam Backup, so that is a great start! Browsing this channel, I can see the warnings and errors from my playtime in Veeam B&R, and this leads me to believe that I will be able to make a quite useful intro content pack.

BTW, while most of this article will talk about Log Insight – which is my syslog / log consolidation tool of choice – the info here can be used in other tools.  Content Packs in Log Insight provide information to understand the info in the logs, and other syslog tools – like Splunk have the same thing although Splunk calls them Application Packs.

There are various free tools to take event logs to syslog.  But, since in my lab I use LI (Log Insight) and it has agents for a number of different operating systems, including Windows, we are good.  A nice thing about this is that, with the agent and the syslog tool both being Log Insight, I don’t actually have to use syslog to transfer the logs.  I can use an API method instead, which is preferred as it preserves more of the event log message, and it handles retries too!

Let’s do it – agent ready time!

If you log into LI as an admin, and change to Administration, followed by Agents, at the bottom of the page you can download the necessary agent.
DLAGent
Get the Windows agent and have it handy for your Veeam server(s).  On your Veeam server you need to install the agent.  It will ask one question – what is the FQDN of your LI server. It will not cause the Veeam server to restart.

Create agent management template

Now we need to select a template for agent management that we want to work with.  This is particularly  useful as we can do centralized configuration of one or more Veeam server agents. If the agent gets reinstalled the config will be downloaded to it from central management so that is quite handy. This template will be used for my one Veeam server but it would be easy to use it for 10 too!

We need to access the Log Insight Administration page, change to the Agents area, and use the dropdown list at the top, as seen below.

Agents1
When you use the drop-down list you need to scroll to the bottom.  At the bottom you will see a template called Microsoft – Windows.  If you don’t see it, you need to add a Microsoft Windows Content pack. You need to select the small icon that means duplicate it – as seen below.  Update: BTW, in LI 4.0 the Microsoft – Windows is replaced with Microsoft – Windows 2008 and Microsoft – Windows 2012 and I used the 2012 with Windows 2016 without issue.
Start2
That will open up a dialog so we can customize the name and description of our template.
Start4
Once it is done use the Copy button.
Start5
We see our workspace now and we start working at the top. We enter the Filter info for our host.  I suggest using the FQDN.  Then use the Refresh button.
Start6
As you can see above only the host named veeam.thewhites.ca is present.
We use the Edit button to change from Build so we can add our Veeam specific server info.
Start9
We see a bunch of Event log channels, and I add enabled=no to each of them to try to make things very clean while I test – meaning only Veeam specific info will be sent to the LI server.  In production, once it was working well, I would likely enable Security and System again (and restart the LI agent).  At the end I add the Veeam information. So now we can use the Save New Group button to save everything – including pushing the config out to the agent config! We need to restart the VMware vRealize Log Insight service on the Veeam server to make our changes live.

Test Time

We have created a template group, assigned it to the right host / agent, and restarted the agent.  So we should now see specific Veeam data in LI.  But what if we don’t?

Customization seen?

If not, the first thing to check is in the LI agent folder – on the Veeam server. The folder is:
C:\ProgramData\VMware\Log Insight Agent
Look in the liagent-effective.ini file and you should see your customized information.

Missing Restart?

If you do see your custom info, and you have restarted, but still don’t see anything in LI, check the liagent.ini file to make sure you have used the proper FQDN for the LI server.  If not, correct it and restart.

Agent template filter?

If you don’t see the agent custom info, then you should make sure you applied it to the right host! You can access the newly created template by browsing to it and selecting it. Check the agent filter info, and in fact you should see the agent host in the list.  See below for mine.
Test1
If you don’t see your Veeam host but rather a different host fix the filter and use the Refresh button.

Misconfigured agent config?

You can check the config – much easier using the Edit button that you see in the screenshot above.

You will need to change from the Build view to the Edit view.  Make sure the agent info you see is similar to what is above.  Make sure enabled=yes for Veeam Backup.  Check spelling and spacing. If you make changes you will need to restart the LI service.
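The checks above can also be scripted. The following is an added example, not part of the original article or of Log Insight itself: it parses the text of liagent-effective.ini and reports the problems described in this section. It assumes the effective file carries the [server] section and that a [winlog|...] section uses channel= and enabled= keys; the section name VeeamBackup and the server name li.example.test are made up.

```python
import configparser

# Constructed sample of liagent-effective.ini. The section name "VeeamBackup"
# and the server name li.example.test are made-up values for illustration.
SAMPLE_EFFECTIVE_INI = """\
[server]
hostname=li.example.test

[winlog|Application]
channel=Application
enabled=no

[winlog|Security]
channel=Security
enabled=no

[winlog|VeeamBackup]
channel=Veeam Backup
enabled=yes
"""

def _winlog_sections(cfg):
    """Yield (section, channel, enabled) for every [winlog|...] section."""
    for name in cfg.sections():
        if name.split("|")[0].strip().lower() != "winlog":
            continue
        channel = cfg.get(name, "channel", fallback="").strip()
        # Assumption: a section without enabled=no is collected.
        enabled = cfg.get(name, "enabled", fallback="yes").strip().lower() != "no"
        yield name, channel, enabled

def check_agent_config(ini_text, expected_server, channel="Veeam Backup"):
    """Return a list of problems; an empty list means the config looks right."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    problems = []
    host = cfg.get("server", "hostname", fallback="").strip()
    if host.lower() != expected_server.lower():
        problems.append(f"server hostname is {host!r}, expected {expected_server!r}")
    found = [(n, e) for n, c, e in _winlog_sections(cfg) if c.lower() == channel.lower()]
    if not found:
        problems.append(f"no [winlog|...] section with channel={channel}")
    problems += [f"[{n}] has enabled=no" for n, e in found if not e]
    return problems

def enabled_channels(ini_text):
    """List the event log channels the agent will actually forward."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    return [c for _, c, e in _winlog_sections(cfg) if e]
```

Running enabled_channels against the production config is a quick way to confirm that Security and System were switched back on after testing.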

Now it works!

Look what we see in Log Insight now. If you have a pretty busy LI, like I do, you need to filter on your Veeam host, as I do below.  But what you see is pretty cool, right?

LISuccess

I like the look of things we see, and as a result of that I am working on a Content Pack now. If you have questions or comments don’t hesitate to let me know.

Update:

  • 5/4/17 – This info all works, but I wanted to mention that Veeam is releasing the CP itself soon, and via the normal means of the MarketPlace.
  • 2/23/17 – used this with LI 4.0 and Win2K16 and all worked.  But, the liagent-effective.ini looked a little different ([winlog | custom]) has some text added to it but the fact is it worked fine. Also there is no Windows group but used Windows 2012 and all good.
  • Thanks to Rob, I learned that if you do not have the Microsoft – Windows Content Pack installed you will not see the Microsoft – Windows template.  Sorry about that.

Michael

11 comments on “Veeam events to Syslog – Log Insight”
  1. Patrick says:

    Very interesting article! Can I use this even with the free Log Insight version for vCenter? Free version does not allow third party content packs…

    • Hi Patrick,

      Yes, this will all work fine with the free version of Log Insight. When we have a Content Pack that will not necessarily work with it however. But you will still get value out of this connection to syslog.

      Michael

  2. Chip Zoller says:

    Would be great to see an “official” Content Pack that captures all the Veeam logged data.

  3. Andreas says:

    Looks great. Hope to see the CP soon.

  4. rnelson0 says:

    Michael, you should note that you need the “Microsoft – Windows” content pack to be installed before you begin. Thanks, this is working awesome for us now!

  5. […] the article by Michael White on Veeam monitoring with vRealize Log Insight motivated me […]
