Deployment Architecture

How to set up Veeam app in distributed environment

Andre_
Path Finder

Hello,

Veeam App for Splunk: how do you install/configure the Veeam App in a distributed environment? Search Head Cluster, Index Cluster and Heavy Forwarders behind a load balancer for Syslog.

Do I have to install the App on Search Head / Heavy Forwarder and Indexers? What about Syslog going through a load balancer, will that impact the props/transforms I need?

Kind Regards

Andre

0 Karma

PickleRick
SplunkTrust

Did you check https://helpcenter.veeam.com/docs/security_plugins_splunk/guide/ ?

I admit it's not very detailed. And it's not obvious what is inside the app. Contrary to the good practice of splitting third-party solution-related functionality into two modules (an add-on for data input and parsing, and an app for visualization), this one seems to be an all-in-one approach. That means that you probably need it both on your SH tier servers as well as in the ingestion path (whether this means indexers or HF depends on your architecture, as always).

Oh, and when I see "syslog through load-balancer", there's probably something suboptimal in your environment.

0 Karma

Andre_
Path Finder

I’ve read the doco and that’s what I am wondering about: where do I need the app, and do I have to enable/disable certain parts?

It also has a “config” as part of the app, so that can only be done on the search head, but it looks like the settings will be needed on the HF and indexer. Also no mention of how to configure the index.

Regarding syslog behind a load balancer, it’s a pain in the B with Splunk, but how else do you ensure you are not missing data when you patch/restart your HF?

syslog source -> single HF tcp/udp
=> every restart of Splunk on the HF = data loss

syslog source -> LB -> multiple HF tcp/udp
=> no data loss when restarting Splunk on one HF

0 Karma

PickleRick
SplunkTrust

That's one of the reasons why receiving syslog directly on the Splunk component is not a great idea. It's better offloaded to an external syslog receiver.

0 Karma
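The external-receiver pattern suggested in the last reply, as an added example that is not part of the thread or of the Veeam app's documentation: rsyslog owns the listening port and writes each sender's events to disk, and a Splunk forwarder on the same host monitors those files, so a Splunk restart no longer closes the syslog port. The file paths, port 514, and the index and sourcetype placeholders are assumptions to replace with your own values.

```conf
# ---- /etc/rsyslog.d/remote.conf (rsyslog, RainerScript syntax) ----
# rsyslog, not Splunk, listens for syslog. Restarting Splunk leaves
# this listener up; events keep landing on disk in the meantime.
module(load="imudp")
module(load="imtcp")

# One file per sending address. %fromhost-ip% is the address rsyslog
# saw on the socket; behind a load balancer that rewrites the source
# address this is the balancer's address, not the original sender's.
template(name="PerSenderFile" type="string"
         string="/var/log/remote/%fromhost-ip%/syslog.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="PerSenderFile" createDirs="on")
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# ---- inputs.conf on the forwarder running on the same host ----
# The monitor input records how far it has read each file, so after
# a Splunk restart it continues from that point instead of dropping
# whatever arrived while Splunk was down.
# host_segment = 4 takes the host field from the 4th path segment:
#   /var(1)/log(2)/remote(3)/<sender>(4)/syslog.log
[monitor:///var/log/remote/*/syslog.log]
host_segment = 4
# Placeholders: use the index you created for this data and the
# sourcetype the app's props/transforms expect.
index = <your_index>
sourcetype = <sourcetype_expected_by_the_app>
disabled = 0
```

Rotate the files under /var/log/remote with logrotate or an equivalent so the receiver's disk does not fill, and keep enough retention to cover the longest forwarder outage you plan for.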