Veeam Backup & Replication
Veeam products are logging automaticaly to Windows Event Log. Logs are stored in Applications and Services Logs folder. You can collect these logs through our Logmanager Beat Agent installed on your windows Veeam server. Since logs are stored in applications log folder, make sure you configured Logmanager Beat Agent to collect all logs from given agent (either by specific configuration at agent level, or global configuration for all windows agents).
In order to process logs from Veeam correctly, there are three requirements:
- Install Logmanager Beat Agent on the server where is running Veeam Backup & Replication.
- For the installed agent in the GUI Logmanager, set Event Sources to “All Event Sources”. Sources/Beats agents - select and click on the blue pen icon to edit
Logmanager GUI configuration
- Now we need to create a parser so that Logmanager handles logs/events correctly.
- Go to Parser/Classifiers in the GUI Logmanager.
- Create a new classifier or edit your unique classifier you are using and set the classification as follows:
Example of correct classification
You can copy the XML code and use it for a new classifier
<xml xmlns="http://www.w3.org/1999/xhtml">
<variables></variables>
<block type="def" id="1" deletable="false" x="-3187" y="-637">
<statement name="STACK">
<block type="controls_if" id="*QXB9vpeG|$+q5ujyn4P">
<value name="IF0">
<block type="logic_compare" id="lr^,i]q`v%SbRoPJ=VqG">
<field name="OP">EQ</field>
<value name="A">
<block type="dictionaries_get_index" id="s)3FbyuvP1pY1Q@r;[?R">
<mutation statement="false" at="true"></mutation>
<value name="VALUE">
<block type="message" id="@ftHa%)o~M_?*hMoUZnG">
<field name="OBJECT">meta</field>
</block>
</value>
<value name="AT">
<block type="text" id="*]W+OxB;rY%Ge;.[k+1D">
<field name="TEXT">plugin</field>
</block>
</value>
</block>
</value>
<value name="B">
<block type="text" id="~Mv.W.FIZyz::1nR@r2(">
<field name="TEXT">beats</field>
</block>
</value>
</block>
</value>
<statement name="DO0">
<block type="controls_if" id="]_QT,2v_Dt/Sux|5ACyc">
<value name="IF0">
<block type="logic_is_in" id="AXt|P,8YvhYd*Was(2`q">
<value name="A">
<block type="text" id="X[BxPA!+I!Gn~ShJjX]9">
<field name="TEXT">channel</field>
</block>
</value>
<value name="B">
<block type="dictionaries_get_index" id="rQM]!a]tI?k2ThjpVd;S">
<mutation statement="false" at="true"></mutation>
<value name="VALUE">
<block type="message" id="3-_2enog3KdN{%FA~+@J">
<field name="OBJECT">structured_data</field>
</block>
</value>
<value name="AT">
<block type="text" id="CV|Cf!d][aC/ho^/1sPP">
<field name="TEXT">winlog</field>
</block>
</value>
</block>
</value>
</block>
</value>
<statement name="DO0">
<block type="controls_if" id="05u@n_hO(O7=vXuyV|(-">
<value name="IF0">
<block type="logic_is_in" id="r.1Pf+5[F1!SFoLiM^L9">
<value name="A">
<block type="text" id="5@Kq[NGX{E+VU4bKTN)m">
<field name="TEXT">Veeam</field>
</block>
</value>
<value name="B">
<block type="dictionaries_get_index" id="y;4v*k~Y)[uIE61[Fo@B">
<mutation statement="false" at="true"></mutation>
<value name="VALUE">
<block type="dictionaries_get_index" id="Q:f|]Za1;-D-+[A~Vx]p">
<mutation statement="false" at="true"></mutation>
<value name="VALUE">
<block type="message" id=";WIj%ZODx.J7vetK,um7">
<field name="OBJECT">structured_data</field>
</block>
</value>
<value name="AT">
<block type="text" id="G9r.FhYBbj3%v4;j`:1n">
<field name="TEXT">winlog</field>
</block>
</value>
</block>
</value>
<value name="AT">
<block type="text" id="+s9xm1NPawO=:G*D$[y0">
<field name="TEXT">channel</field>
</block>
</value>
</block>
</value>
</block>
</value>
<statement name="DO0">
<block type="classifier_pass_to_parser" id="_NaJx??vg+Ge`L.(d!vI">
<field name="TARGET">ccfb01bd-d446-4e07-b64b-f6db64e280fb</field>
</block>
</statement>
</block>
</statement>
</block>
</statement>
</block>
</statement>
</block>
</xml>
Sample XML code for Veeam Backup & Replication classification