Hello,
Veeam App for Splunk
How do you install/configure the Veeam App in a distributed environment? Search Head Cluster, Index Cluster and Heavy Forwarders behind a load balancer for syslog.
Do I have to install the App on Search Head / Heavy Forwarder and Indexers? What about Syslog going through a load balancer, will that impact the props/transforms I need?
Kind Regards
Andre
Did you check https://helpcenter.veeam.com/docs/security_plugins_splunk/guide/ ?
I admit it's not very detailed. And it's not obvious what is inside the app. Contrary to the good practice of splitting the third-party-solution-related functionalities into two modules - an add-on for data input and parsing and an app for visualization - this one seems to be an all-in-one approach. That means that you probably need it both on your SH tier servers as well as in the ingestion path (whether this means indexers or HF depends on your architecture, as always).
Oh, and when I see "syslog through load-balancer", there's probably something suboptimal in your environment.
I’ve read the doco and that’s what I am wondering about: where do I need the app, and do I have to enable/disable certain parts?
It also has a “config” as part of the app, so that can only be done on the search head, but it looks like the settings will be needed on the HF and indexer. Also no mention of how to configure the index.
Regarding syslog behind a load balancer, it’s a pain in the B with Splunk, but how else do you ensure you are not missing data when you patch/restart your HF?
syslog source -> single HF tcp/udp
=> every restart of Splunk on the HF = data loss
syslog source-> LB -> multiple HF tcp/udp
=> no data loss when restarting Splunk on one HF
That's one of the reasons why receiving syslog directly on the Splunk component is not a great idea. It's better offloaded to an external syslog receiver.
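One concrete way the load balancer does affect props/transforms (added example, not from this thread or from the Veeam app): if the LB source-NATs the TCP/UDP traffic, every event arrives from the LB's address, so Splunk's default `host` assignment on the network input becomes the LB rather than the Veeam server. The pair below recovers `host` from the syslog header itself; the sourcetype name `veeam:syslog` and the stanza name are assumptions, and the files belong on the parsing tier (HF, or indexers when there is no HF), not on the search heads.

```ini
# transforms.conf (hypothetical stanza name) - pull the hostname out of the
# syslog header so the LB's source address is not used as the event host.
# Matches both RFC 3164 "<PRI>Mmm dd hh:mm:ss HOST ..." and
# RFC 5424 "<PRI>1 TIMESTAMP HOST ..." headers.
[veeam_syslog_host_from_header]
SOURCE_KEY = _raw
REGEX = ^(?:<\d+>)?(?:\d\s\S+\s|\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)(\S+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host

# props.conf - apply it at index time for the sourcetype the syslog input
# assigns (assumed name; use whatever your inputs.conf sets).
[veeam:syslog]
TRANSFORMS-veeam_host = veeam_syslog_host_from_header
```

Because index-time transforms only run where parsing happens, the same stanzas must be present on every HF behind the load balancer; a transparent (non-SNAT) LB or an external syslog receiver, as suggested above, avoids the need for this override entirely.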