TechDirectArchive

Hands-on IT, Cloud, Security & DevOps Insights

Install Splunk and Veeam App on Windows Server to monitor VBR

Posted on 06/05/2024, 23/11/2025 by Christian
Veeam App for Splunk setup

Splunk Enterprise is a powerful platform that automates the collection, indexing, monitoring, and alerting of data. This enables you to aggregate and analyze events efficiently. With Splunk, you can gain full control over your data flow and leverage it to drive business insights. Kindly read about data management and governance. In this article, we shall discuss how to install Splunk and the Veeam App on Windows Server to monitor VBR. Please see how to Set up Veeam Backup for Microsoft Azure, and how to Upgrade Veeam Backup and Replication to version 12.2.

Splunk serves as a vital Security Information and Event Management (SIEM) tool. This is great for achieving cybersecurity compliance. In today’s business landscape, monitoring your environment and addressing security concerns require constant analysis and review of logs.

Organizations generate immense volumes of data, making log analysis the most effective method for tracking key performance indicators and detecting incidents in real-time. Implementing SIEM solutions like Splunk allows businesses to stay ahead of potential risks and maintain a proactive stance on cybersecurity.

This then helps to formulate an incident response plan that will help mitigate security incidents and quickly restore compromised data or systems.

Also, see how to uninstall Veeam Backup and Replication from your server, and how to “Fix Error 1069: Windows could not start the Veeam backup service on local computer“.

Why would you want to integrate Splunk?

Note: Splunk is a proprietary security and observability platform. It is designed to index large amounts of machine data (logs, events, and metrics) from a variety of sources and to provide a range of features for searching, analyzing, and visualizing that data so as to provide valuable observability insights.

When considering the top platforms for log analysis and security information and event management (SIEM) solutions, the ELK Stack, Splunk, and Sumo Logic stand out as leading choices, as described in the image below.

Splunk-vs-ELK-vs-Sumo-Logic
Src: Edureka

Beyond the capabilities in the table above, Splunk stands out as a top choice for log analysis and SIEM solutions. This is because of its powerful capabilities in data indexing, search, and real-time monitoring.

It provides advanced analytics and visualization tools that allow users to easily detect and respond to security threats, thereby making it highly effective for enterprise-level security operations.

Splunk also excels in scalability, handling massive amounts of data across different sources with ease. Its flexibility supports a wide range of use cases, including IT operations, security, and business intelligence, all within a single platform.

Additionally, Splunk integrates seamlessly with various third-party applications. An example is the Veeam App for VBR (Veeam Backup & Replication). This integration allows for centralized monitoring, reporting, and alerting of backup operations, contributing to a more robust and efficient infrastructure management.

Choosing Splunk ensures you get a comprehensive solution that supports both security monitoring and operational efficiency, with the added benefit of compatibility with key tools like Veeam for enhanced backup management.

Before proceeding, note that at the time of writing this article, Veeam App for Splunk supports only Splunk Enterprise and Splunk Cloud Platform.

To learn about the steps to create a VM, please see the following articles: How to Create a Windows Server VM on HyperV, and How to Create Hyper-V Virtual Switch. Also, see How to run Windows 11 on HyperV, and Generation 2 VM: Set up a HyperV VM through PXE boot.

Create a VM to install Splunk

The aim of this section is to make it relatively easy for newbies to deploy their own Splunk environment. If you already have a VM, you can skip this section. Otherwise, proceed to Hyper-V or your own virtualisation platform, create a VM and install Windows Server.

Here I am creating a VM on Hyper-V. Click Finish to finalise the VM creation.

Splunk-VM-Creation

Install Windows Server Operating System

After creating the VM, you will have to attach an ISO image to the VM in order to install the OS. All these have been discussed in the links above.

Image attached for VM

After loading the files and selecting the language and keyboard language to install, you will be prompted to install the OS.

Install Windows Server 2022

After the installation is complete, you will be prompted to log in as shown below. Now you have your environment ready to install Splunk. Congratulations!

Login to the VM

As basic housekeeping, please perform some post-OS configuration. You will find more details here: “Post OS installation: Configure the properties of Windows Server“. Also, see How to join a computer to the Domain.

If you created a VM on HyperV, did not install the OS immediately and then started the VM, you may get the following error. This guide shows the steps to fix the issue: “Fix PXE Boot Stuck or No Boot Image was found for HyperV VM“.

Here, I have configured the TCP/IP, changed computer name and joined the server to the domain.

TCPIP-Domain Join

Do not forget to apply Windows Updates as well.

Install Windows Updates

How does the Veeam App for Splunk Work?

Data inputs configuration depends on your SIEM infrastructure as explained by Veeam. Veeam App for Splunk supports the following architectures:

  • Splunk acts as a receiver: It receives data from Veeam Backup & Replication through the forwarder installed on the intermediate syslog server.
  • Splunk acts as a forwarder: Here, it receives data directly from Veeam Backup & Replication, then forwards it to another Splunk instance, syslog server, or third-party solution.
  • Splunk acts as the only syslog server: It receives data directly from Veeam Backup & Replication. This is my configuration choice!
Splunk-components
SRC: Edureka

As explained in the architectures above and in the image, when Splunk acts as the only syslog server, it directly receives data from sources like Veeam Backup & Replication. Therefore, there is no need for a forwarder. The data is sent directly to Splunk’s indexer, where it is stored and made available for search and analysis without passing through a forwarder.

The Veeam App for Splunk allows Veeam Data Platform and Premium customers to monitor the health and security status of the Veeam backup infrastructure using Splunk capabilities.

The app processes events sent by Veeam Backup & Replication to the syslog server and displays data using various visualization methods. Below are some of the features:

  • Built-in dashboards to monitor job statuses and security events in real-time
  • Built-in reports and alerts
  • Severity level management for events and alerts
  • Multiple Veeam Backup & Replication servers support
  • Multiple data source locations support
  • Role-based permissions for locations
  • App configuration backup

In a later section, we shall discuss how to install Veeam App for Splunk. But let us get to business and have Splunk installed first.

Please see how to Analyse Disks with Treesize: Defragment and Shrink VMware Workstation VM Disks, and how to configure Windows LAPS.

Install Splunk On Windows Server

Please navigate to the Splunk website to download Splunk Enterprise. As a first user, you will be required to create your account. Please fill out the form as shown below.

Download splunk

After a successful account creation and account verification, you will be prompted to enter a new password as shown below.

Create account

Proceed to have Splunk downloaded. You can see the supported platforms are Windows 10, Windows Server 2019, and 2022 for now.

Download splunk

Upon download, double click on the installer as shown below. Shortly, you will be prompted to accept the license terms and then click on Next.

Run setup

Kindly enter your username and password. This will be needed to administer Splunk.

Create Account

Now, hit the Install button as shown below.

install splunk

Select launch browser with Splunk Enterprise and click on Finish.

Finish and Launch Splunk Enterprise

Please enter the credentials you created above and click on sign-in.

Login to splunk

Congratulations, you have successfully installed Splunk.

Splunk webinterface

You can start performing your SPL queries. In Splunk, search queries are referred to as Search Processing Language (SPL) queries. SPL is a powerful language designed specifically for searching, analyzing, and visualizing data within Splunk.

Judging by the two images taken directly after installing Splunk, it is safe to say Splunk is “splunking” itself! Haha

Splunk internal search

Below is another SPL query. This command retrieves the first 10 events from the _audit index, thereby enabling you to quickly view recent audit activity.

Audit event

You can also create your own custom dashboard on Splunk, but this is outside the scope of this guide.

Create Dashboards

Please see how to Migrate Veeam Configuration Database to PostgreSQL Server, and how to Setup DS923+ Synology NAS as a Backup Repository for VBR.

Configure Syslog Server Parameters on VBR

As discussed above, we have decided to use Splunk as a syslog server only. Therefore, we will configure the Syslog server from VBR. Before you install Veeam App for Splunk, make sure that you add your syslog server to the Veeam Backup & Replication console. If you are proficient, you can do without following the rules, lol.

By the way, during the “hands-on demo for Splunk”, Rick asked Chris whether you can add multiple syslog servers on VBR. He responded correctly: according to the documentation as well, you can only add one syslog server to VBR at a time. I will embed the video at the end of this guide. Do well to watch it to the end for the Q&A.

To do this, head over to the VBR server. From the menu, select Options.

Veeam Options

From the Options wizard, please select “Event Forwarding”.

Event forwarding

If there is no data ingestion even though you have configured the data input and syslog correctly, you may want to switch to the syslog server's IP address (the Splunk server in this case).

Host IP for syslog server

The app relies on the syslog server to forward logs such as backup job status, system events, etc., to Splunk. You will not be able to see any data or dashboards populated in the Veeam app until the syslog server is properly configured and logs start flowing into Splunk.

Here is How to troubleshoot Active Directory Replication issues. Also, see How to determine Active Directory Site Name.

Create Firewall Rules

You may want to make sure that there is no Firewall blocking the traffic for port 514 between the devices and your Splunk instance that is to be collecting these events. This could also be a reason for no data ingestion.

Below is our Splunk Instance (Syslog server). Allow inbound traffic on UDP port 514 for the IP range or the specific IP address of the Veeam Backup & Replication server.

Splunk server - inbound rule

On the VBR (Veeam Backup and Replication) server, we also need to configure an outbound rule for UDP traffic on port 514, scoped specifically to the Splunk server’s IP address, which is the recommended best practice.

VBR Server - outbound firewall rule
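
The two rules above can also be created from an elevated PowerShell session. This is an added example, not part of the original article; the IP addresses, rule names and function names are placeholders chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
# Both addresses are placeholders from the RFC 5737 documentation range.
param(
    [ValidateSet('Splunk', 'VBR')]
    [string]$Role           = 'Splunk',       # which server this script is run on
    [string]$VbrServerIp    = '192.0.2.10',   # assumed VBR server address
    [string]$SplunkServerIp = '192.0.2.20',   # assumed Splunk (syslog) server address
    [int]$SyslogPort        = 514
)

function New-SyslogInboundRule {
    # Splunk server: accept UDP syslog only from the VBR server's address.
    param([string]$RemoteAddress, [int]$Port)
    New-NetFirewallRule -DisplayName "Syslog from VBR (UDP $Port)" `
        -Direction Inbound -Action Allow -Protocol UDP `
        -LocalPort $Port -RemoteAddress $RemoteAddress
}

function New-SyslogOutboundRule {
    # VBR server: allow UDP syslog only towards the Splunk server's address.
    param([string]$RemoteAddress, [int]$Port)
    New-NetFirewallRule -DisplayName "Syslog to Splunk (UDP $Port)" `
        -Direction Outbound -Action Allow -Protocol UDP `
        -RemotePort $Port -RemoteAddress $RemoteAddress
}

function Get-SyslogRuleScope {
    # Read the rules back so the port and address scope can be checked.
    param([string]$DisplayNamePattern = 'Syslog *')
    Get-NetFirewallRule -DisplayName $DisplayNamePattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Direction     = $_.Direction
                Enabled       = $_.Enabled
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort
                RemotePort    = $port.RemotePort
                RemoteAddress = $addr.RemoteAddress
            }
        }
}

switch ($Role) {
    'Splunk' { New-SyslogInboundRule  -RemoteAddress $VbrServerIp    -Port $SyslogPort | Out-Null }
    'VBR'    { New-SyslogOutboundRule -RemoteAddress $SplunkServerIp -Port $SyslogPort | Out-Null }
}

# RemoteAddress should show a single IP, not "Any".
Get-SyslogRuleScope | Format-Table -AutoSize
```

Windows Defender Firewall allows outbound traffic by default, so the outbound rule only changes behaviour where outbound traffic is otherwise blocked.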

Here is how to Configure WinRM to accept connection from a specific IP Address. Also, see some Cybersecurity Tips to Secure Synology NAS against Ransomware.

Installing App from Splunkbase

Using an app for Splunk simplifies data visualization and analysis with pre-built dashboards and reports, which makes it more accessible for non-SOC analysts who may not be familiar with complex SPL queries.

Leveraging Veeam Event Forwarding capabilities, the Veeam App for Splunk includes monitoring and security dashboards, security alerts, and reports. The app integrates seamlessly with Splunk user roles and location management.

The Veeam App for Splunk allows Veeam Data Platform Advanced and Premium customers to monitor the health and security status of the Veeam backup infrastructure using Splunk capabilities. This app processes events sent by Veeam Backup & Replication to the syslog server and displays data using various visualization methods. Main features include:

  • Built-in dashboards to monitor job statuses and security events in real time
  • Built-in reports and alerts
  • Severity level management for events and alerts
  • Multiple Veeam Backup & Replication servers support
  • Multiple data source locations support
  • Role-based permissions for locations
  • App configuration backup

Veeam App for Splunk supports both Splunk Enterprise and Splunk Cloud Platform.

Method 1: Install Veeam App from File

Note: The app itself is available for free and can be installed or downloaded from Splunkbase. This first method shows the steps to download and install the Veeam App from a file when there is no internet access.

To download and install Veeam App for Splunk from the Splunkbase website, log in to Splunk Web as shown below.

Download Veeam App for Splunk

Click on download

Download the installation package from Splunkbase

Accept the license terms

Agree to download

Shortly, the file will be downloaded and you can now install the Veeam App. But, I love the second option better and this is what I will be showing you in detail.

Method 2: Download Veeam App from Splunkbase

To do this, click on Apps and, from the drop-down menu, select Find More Apps.

Manage App

Search for Veeam App for Splunk and click Install.

Install Veeam App

Please enter your Splunk Account username and password and click on Agree and Install.

Agree and install veeam app

After successful installation, restart Splunk Web if required.

Restart Splunk Enterprise

Click on Okay on the prompt below showing restart successful.

restart successful

Note: You will be prompted to login again. Please proceed and enter your Splunk account name and password and click on login.

Login to splunk

Now, click on Open App.

Open App

Please see How to delete User Profile in Windows, and how to Perform Key Distribution Center Service [krbtgt] Password reset.

Configuring data input

To complete the installation, we will need to configure data inputs. As mentioned above, since Splunk is acting as the only syslog server and will receive data directly from Veeam Backup & Replication, we will specify veeam_vbr_syslog as the source type. Please see Splunk documentation for more information.

Add a network input using Splunk Web

To do this via the web, click on Settings and under Data, select “Data inputs”.

Data input

Click on UDP as shown below.

local input UDP

Click New Local UDP

Add Local UDP input

Select UDP and ensure you enter the Port “514” and click on Next.

UDP Port 514

For the input settings, according to the Veeam documentation, please specify the veeam_vbr_syslog source type.

Splunk source type

For the host, you can select DNS.

Splunk host and App Context

But if you run into errors after configuring the data input, please delete the old entry, create a new data input and select IP this time.

Add data

Please click on submit.

Submit input data

As I said above, with the DNS entry for host, I had issues as there were no events.

No event

So I went back and reconfigured the data input. You can see, this has been changed to IP Address.

Submitted input field

Now click on start searching as shown below.

Search events

Events are being Parsed

The events are coming through. That is a good sign, right!

Event based on source type

You can expand the entry

Expand entry
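
When no events show up, it helps to separate a network problem from a data input problem. The following added example (not part of the original article) checks on the Splunk server that something is bound to UDP 514, and sends one constructed test datagram from the VBR server; the IP address, function names and test message are assumptions made for illustration.

```powershell
# Added example, not from the original article.
param(
    [ValidateSet('Splunk', 'VBR')]
    [string]$Role           = 'VBR',          # which server this script is run on
    [string]$SplunkServerIp = '192.0.2.20',   # placeholder, replace with the Splunk server IP
    [int]$Port              = 514
)

function Test-SyslogListener {
    # Splunk server: list the processes bound to the UDP port.
    # An empty result means the data input was not created or Splunk is not running.
    param([int]$Port)
    $endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    foreach ($e in $endpoints) {
        [pscustomobject]@{
            LocalAddress = $e.LocalAddress
            LocalPort    = $e.LocalPort
            Process      = (Get-Process -Id $e.OwningProcess).ProcessName
        }
    }
}

function Send-TestSyslog {
    # VBR server: send one constructed RFC 5424-style message over UDP.
    # Test-NetConnection -Port only probes TCP, so it cannot verify this path.
    param([string]$Server, [int]$Port)
    $marker    = 'veeam-syslog-test-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
    $timestamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    # <14> = facility "user" (1) * 8 + severity "informational" (6)
    $message   = "<14>1 $timestamp $env:COMPUTERNAME syslog-test - - - $marker"
    $bytes     = [System.Text.Encoding]::UTF8.GetBytes($message)
    $client    = [System.Net.Sockets.UdpClient]::new()
    try {
        [void]$client.Send($bytes, $bytes.Length, $Server, $Port)
    }
    finally {
        $client.Dispose()
    }
    return $marker   # unique string to search for in Splunk
}

switch ($Role) {
    'Splunk' {
        $listeners = @(Test-SyslogListener -Port $Port)
        if ($listeners.Count -eq 0) { "Nothing is listening on UDP $Port." }
        else { $listeners | Format-Table -AutoSize }
    }
    'VBR' {
        $marker = Send-TestSyslog -Server $SplunkServerIp -Port $Port
        "Sent test message. Search in Splunk for: sourcetype=veeam_vbr_syslog `"$marker`""
    }
}
```

If the marker is found in Splunk, the firewall rules and the UDP input are working and the remaining cause is on the VBR event forwarding side. UDP gives no delivery confirmation, so a missing marker can mean either a blocked packet or a missing input.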

Configuring Veeam App for Splunk

To do this, click on App Configuration.

managing events

Select Events as shown below.

The Events section displays the list of specific Veeam events sent by the syslog server. Events configuration affects dashboards, reports, and alerts.

monitoring event - Splunk App configuration
Note: Security-related events include delete or update operations, operation with licenses, malware detection activity, authorization and authentication events, and so on.

Please change the default severity as you wish.

Security events

Configure Location

From the Location section, you can manage multiple locations with VBR servers used as data source hosts. To add a location, please select locations and click on Add.

Add location

Enter your location as shown below. Specify the name and select the country. All other fields will be pre-populated when you click on each one.

Location value

We have configured our location.

location set for veeam

App Configuration Backup

In the Configuration Backup section, you can manually back up your custom app configuration. So, let’s proceed and manually backup our configuration database.

Managing configuration backup

To create an app configuration backup, click Back up configuration. The configuration backup file will be automatically downloaded in the JSON format.

If you ever need to restore the app configuration, select the configuration backup file and click Restore configuration.

Veeam App configuration download

Please see How to create a Dev Drive on Windows 11, and how to Configure Windows Device Inactivity Limit Locally and Domain Wide. Also, see Docker Setup: Monitoring Synology with Prometheus and Grafana.

Dashboard

Veeam App for Splunk allows you to monitor job statuses and security events using the following built-in dashboards:

  • Veeam Data Platform Monitoring
  • Veeam Security Events

Below is the “Veeam Security Events” dashboard. The Veeam Security Events dashboard displays infrastructure security state and aggregated information about security events triggered on your Veeam Backup & Replication servers.

By default, data is shown from all locations for the last 30 days. To filter data, you can specify another time period, location, or data source host. The Security Status panel and the map chart always display data for the last 24 hours.

Veeam security events

You can click on the security events to drill down on what is happening behind the scenes and view the events in detail.

View Veeam Security events

The Veeam Data Platform Monitoring dashboard displays aggregated information about jobs run on your Veeam Backup & Replication servers.

By default, data is shown from all locations for the last 30 days. To filter data, you can specify another time period, location, or data source host.

Veeam Data Platform monitoring
Veeam data platform monitoring_1
Backup job dashboard

Please take a look at this YouTube video on how to install Splunk and Veeam App on Windows Server to monitor VBR.

Add Splunk Dev NFR License

I was lucky to get a DEV NFR license. To install a license for a standalone instance of Splunk Enterprise, navigate to Settings on the instance.

Add license

And select License

license Splunk

Click Add license.

Upload license

Select license

Choose license

If you have a license, browse to it and click on Open.

Select license

Install license

Install splunk license

You will be prompted to restart Splunk.

Restart Splunk

As you can see below, Splunk is restarting. If you run into issues, cancel and restart.

Restarting Splunk enterprise

Below is the license status

License status

Synology Log Center as Syslog Server

For those that do not have the money for Splunk, you can use an external syslog server to manage events written by Veeam Backup & Replication.

Note: The Synology Log Center provides basic visualization capabilities for log data. It does not offer the same level of advanced analytics and visualization features as Splunk.

Search-for-Log-Management

I will be showing you how the Synology Log Center works as a syslog server in a subsequent article. Until then, know that you can also utilize it.

Log-Center

I hope you found this article very useful on how to “Install Splunk and Veeam App on Windows Server to monitor VBR”. Please feel free to leave a comment below.
