Veeam Backup & Replication
Veeam products are logging automaticaly to Windows Event Log. Logs are stored in the Applications and Services Logs folder. You can collect these logs through our Logmanager Beat Agent installed on your windows Veeam server. Since logs are stored in applications log folder, make sure you configured the Logmanager Beat Agent to collect all logs from given agent (either by specific configuration at agent level, or global configuration for all windows agents).
In order to process logs from Veeam correctly, there are three requirements:
- Install Logmanager Beat Agent on the server where Veeam Backup & Replication is running.
- In the GUI Logmanager, go to Sources/Beats agents and click the blue pen icon to edit. For the installed agent, set Event Sources to “All Event Sources”.
Logmanager GUI configuration
- Now we need to create a parser so that Logmanager handles logs/events correctly.
- Go to Parser/Classifiers in the GUI Logmanager.
- Create a new classifier or edit your unique classifier you are using and set the classification as follows:
Example of correct classification
You can copy the XML code and use it for a new classifier
<xml xmlns="http://www.w3.org/1999/xhtml">
<variables></variables>
<block type="def" id="1" deletable="false" x="-3187" y="-637">
<statement name="STACK">
<block type="controls_if" id="*QXB9vpeG|$+q5ujyn4P">
<value name="IF0">
<block type="logic_compare" id="lr^,i]q`v%SbRoPJ=VqG">
<field name="OP">EQ</field>
<value name="A">
<block type="dictionaries_get_index" id="s)3FbyuvP1pY1Q@r;[?R">
<mutation statement="false" at="true"></mutation>
<value name="VALUE">
<block type="message" id="@ftHa%)o~M_?*hMoUZnG">
<field name="OBJECT">meta</field>
</block>
</value>
<value name="AT">
<block type="text" id="*]W+OxB;rY%Ge;.[k+1D">
<field name="TEXT">plugin</field>
</block>
</value>
</block>
</value>
<value name="B">
<block type="text" id="~Mv.W.FIZyz::1nR@r2(">
<field name="TEXT">beats</field>
</block>
</value>
</block>
</value>
<statement name="DO0">
<block type="controls_if" id="]_QT,2v_Dt/Sux|5ACyc">
<value name="IF0">
<block type="logic_is_in" id="AXt|P,8YvhYd*Was(2`q">
<value name="A">
<block type="text" id="X[BxPA!+I!Gn~ShJjX]9">
<field name="TEXT">channel</field>
</block>
</value>
<value name="B">
<block type="dictionaries_get_index" id="rQM]!a]tI?k2ThjpVd;S">
<mutation statement="false" at="true"></mutation>
<value name="VALUE">
<block type="message" id="3-_2enog3KdN{%FA~+@J">
<field name="OBJECT">structured_data</field>
</block>
</value>
<value name="AT">
<block type="text" id="CV|Cf!d][aC/ho^/1sPP">
<field name="TEXT">winlog</field>
</block>
</value>
</block>
</value>
</block>
</value>
<statement name="DO0">
<block type="controls_if" id="05u@n_hO(O7=vXuyV|(-">
<value name="IF0">
<block type="logic_is_in" id="r.1Pf+5[F1!SFoLiM^L9">
<value name="A">
<block type="text" id="5@Kq[NGX{E+VU4bKTN)m">
<field name="TEXT">Veeam</field>
</block>
</value>
<value name="B">
<block type="dictionaries_get_index" id="y;4v*k~Y)[uIE61[Fo@B">
<mutation statement="false" at="true"></mutation>
<value name="VALUE">
<block type="dictionaries_get_index" id="Q:f|]Za1;-D-+[A~Vx]p">
<mutation statement="false" at="true"></mutation>
<value name="VALUE">
<block type="message" id=";WIj%ZODx.J7vetK,um7">
<field name="OBJECT">structured_data</field>
</block>
</value>
<value name="AT">
<block type="text" id="G9r.FhYBbj3%v4;j`:1n">
<field name="TEXT">winlog</field>
</block>
</value>
</block>
</value>
<value name="AT">
<block type="text" id="+s9xm1NPawO=:G*D$[y0">
<field name="TEXT">channel</field>
</block>
</value>
</block>
</value>
</block>
</value>
<statement name="DO0">
<block type="classifier_pass_to_parser" id="_NaJx??vg+Ge`L.(d!vI">
<field name="TARGET">ccfb01bd-d446-4e07-b64b-f6db64e280fb</field>
</block>
</statement>
</block>
</statement>
</block>
</statement>
</block>
</statement>
</block>
</xml>
Sample XML code for Veeam Backup & Replication classification