Hi,
we recently installed the Veeam App for Splunk and put the logs from our Veeam Backup & Replication and Veeam One server into it. Unfortunatelly we are getting no data in the Veeam Data Platform Monitoring or Veeam Security Events section.
We can see the raw logs and also the fileds.
Does anyone has an idea why we are getting no data in the veeam app?
Best regards
The Veeam Backup & Replication Events (VeeamVbrEvents) Data Model requires the "original_host" field to be in events.
Looking at your screenshots, it looks like that field is missing from your events - I've come across this issue too.
The Veeam app includes a "veeam_vbr_syslog : EXTRACT-original_host" field extraction that wasn't working for me - it used this regex:
\d+-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[\+\-]\d{2}:\d{2}\s(?<original_host>\S+)
This is expecting the "original_host" to be listed in the raw event after the timestamp and a space.
Are you sending syslog direct to Splunk as per the Veeam App documentation, or are you sending it via SC4S or another syslog server?
In the scenario I came across this issue, Veeam was sending syslog to SC4S which was stripping the timestamp out of the raw event, therefore breaking the original_host extraction.
SC4S was actually setting the "host" value for each event correctly, so I was able to add a Field Alias instead - set to apply to the veeam_vbr_syslog sourcetype and set host = original_host like this:
Hi aind,
your suggestions sounded good and I created a field alias for host to original_host with the source veeam as follows
Unfortunatelly this didn't help. Do you have any other ideas or did I something wrong?
Hi richgalloway,
from my point of view the index and the datamodel fields are looking good.
you are right but there are logs which have the instanceid field.
