Veeam Backup Logs


Kudret ÇAĞLAYAN

Mar 1, 2024, 9:36:53 AM
to Wazuh | Mailing List
I want to monitor the logs of the Veeam Backup application running on my Windows server with the Wazuh server. I am using the Wazuh OVA package.

The configuration in my ossec.conf file is as follows.

```xml
<localfile>
  <location>Veeam Backup</location>
  <log_format>eventchannel</log_format>
</localfile>
```

Daniel Sappa

Mar 3, 2024, 7:39:02 AM
to Wazuh | Mailing List
The configuration you've provided is for monitoring logs from a local file named "Veeam Backup" using the "eventchannel" log format. However, it seems like you might be missing some key details in your configuration.

To monitor logs from the Veeam Backup application running on your Windows server with Wazuh, you need to use the Wazuh agent on the Windows server to collect and forward the logs to the Wazuh server.

Here are the steps you need to follow:

1. **Install the Wazuh Agent on the Windows Server**: Download and install the Wazuh agent on your Windows server. You can find the installation instructions on the Wazuh website.

2. **Configure the Wazuh Agent**: Once the agent is installed, you need to configure it to monitor the logs from the Veeam Backup application. You can do this by adding a new rule to the Wazuh agent's configuration file (`ossec.conf`).

   Here's an example of a rule that monitors logs from the Veeam Backup application:

   ```xml
   <localfile>
     <log_format>eventchannel</log_format>
     <location>C:\ProgramData\Veeam\Backup\Backup.log</location>
   </localfile>
   ```

   Replace `C:\ProgramData\Veeam\Backup\Backup.log` with the actual path to the Veeam Backup log file on your Windows server.

3. **Restart the Wazuh Agent**: After making changes to the agent's configuration file, you need to restart the Wazuh agent for the changes to take effect.

4. **Verify the Configuration**: To verify that the Wazuh agent is monitoring the Veeam Backup logs correctly, you can check the Wazuh logs on the Wazuh server. You should see messages indicating that the agent is sending logs to the Wazuh server.

   ```bash
   sudo tail -f /var/ossec/logs/ossec.log
   ```

That's it! You have now configured the Wazuh agent to monitor the logs from the Veeam Backup application on your Windows server.

Kudret ÇAĞLAYAN

Mar 4, 2024, 2:07:35 AM
to Wazuh | Mailing List
Thanks for your answer.
I installed the agent on my Windows server. I added the following parameters to the agent's configuration file (ossec.conf) and tested them one by one, but Wazuh did not produce a log regarding Veeam backup. I can see Windows security logs and other logs.

```xml
<localfile>
  <location>C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log</location>
  <log_format>eventchannel</log_format>
</localfile>
```

```xml
<localfile>
  <location>Veeam Backup</location>
  <log_format>eventchannel</log_format>
</localfile>
```

```xml
<localfile>
  <location>C:\Windows\System32\winevt\Logs\Veeam Backup.evtx</location>
  <log_format>eventchannel</log_format>
</localfile>
```






Daniel Sappa

Mar 5, 2024, 1:51:04 PM
to Wazuh | Mailing List
Maybe I had not understood the initial question correctly.
Here is the available reference, where it is explained how to configure the agent when you want to monitor log files:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html#configuration-for-monitoring-log-files

There you can see that the syslog format should be used instead of eventchannel.

I also leave you the complete reference:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html#log-data-collection

Kudret ÇAĞLAYAN

Mar 7, 2024, 6:37:52 AM
to Wazuh | Mailing List
I want to see exactly the logs here on wazuh :) 

Ekran görüntüsü 2024-03-07 143653.png

Daniel Sappa

Mar 10, 2024, 9:28:45 AM
to Wazuh | Mailing List
Well, then we would have to analyze the logs. Can you share the /var/ossec/logs/ossec.log files of the manager and the agent?

Kudret ÇAĞLAYAN

Mar 21, 2024, 5:56:45 AM
to Wazuh | Mailing List

Sorry for the delay. I am sending the files you requested on both the client and the server as attachments.
Wazuh ossec.conf
ossec.conf

Kudret ÇAĞLAYAN

Mar 21, 2024, 5:59:02 AM
to Wazuh | Mailing List
There is content I want to see in the C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log directory. If I see the same log file here on Wazuh, it is enough for me. First of all, I don't want to create an alarm.


Leonardo Quiceno

Mar 24, 2024, 10:09:10 PM
to Wazuh | Mailing List
Hi Kudret,

My colleague Daniel Sappa is enjoying his vacation period, so I will be answering any questions you have regarding this issue you are experiencing. I have been following the exchange of messages you have had and reviewed the files you sent. So far, the only thing I see that could be preventing you from seeing the log is that, in the ossec.conf file, the indentation of the added rule seems to be wrong. You could try to leave it with a structure similar to this:

```xml
<localfile>
    <location>C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log</location>
    <log_format>syslog</log_format>
</localfile>
```

Kudret ÇAĞLAYAN

Mar 29, 2024, 7:58:24 AM
to Wazuh | Mailing List
Hello,
I solved my problem. Since I have little experience with Wazuh, it took me a long time to solve the problem. I fixed the problem by setting <logall_json>yes</logall_json> in the ossec.conf file and Veeam backup logs are coming to Wazuh as archives.
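
Added example (not from the thread or the Wazuh project): a small Python check for the mismatch discussed above, where `eventchannel` is paired with a file path or `syslog` with a channel name. The sample configuration is constructed from the snippets posted in this thread, and `lint_localfiles` and `PATH_LIKE` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <localfile> variants tried in this thread plus the
# syslog form suggested later, split over two <ossec_config> roots.
SAMPLE_AGENT_CONF = r"""
<ossec_config>
  <localfile><location>C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log</location><log_format>eventchannel</log_format></localfile>
  <localfile><location>Veeam Backup</location><log_format>eventchannel</log_format></localfile>
</ossec_config>
<ossec_config>
  <localfile><location>C:\Windows\System32\winevt\Logs\Veeam Backup.evtx</location><log_format>eventchannel</log_format></localfile>
  <localfile><location>C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log</location><log_format>syslog</log_format></localfile>
</ossec_config>
"""

# Heuristic (an assumption of this example): a location is a file path if it
# starts with a drive letter, UNC prefix or "/", or ends in a log-like extension.
PATH_LIKE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/)|\.(?:log|txt|evtx)$", re.I)

def lint_localfiles(conf_text):
    """Return (location, log_format, verdict) for every <localfile> block."""
    # ossec.conf may hold several <ossec_config> roots, so wrap them in one.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    results = []
    for lf in root.iter("localfile"):
        location = (lf.findtext("location") or "").strip()
        fmt = (lf.findtext("log_format") or "").strip()
        is_path = bool(PATH_LIKE.search(location))
        if fmt == "eventchannel" and is_path:
            verdict = "mismatch: eventchannel expects a channel name, not a file path"
        elif fmt == "syslog" and not is_path:
            verdict = "mismatch: syslog expects a file path, not a channel name"
        else:
            verdict = "ok"
        results.append((location, fmt, verdict))
    return results

if __name__ == "__main__":
    for location, fmt, verdict in lint_localfiles(SAMPLE_AGENT_CONF):
        print(f"{fmt:12} {location} -> {verdict}")
```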
