Monitoring Veeam Backup Jobs


Stefano Serano

Oct 22, 2019, 9:13:49 AM
to Wazuh mailing list
Hi all.
I had this question pending with Jesus Gonzales in another thread, but for some reason Jesus is no longer reachable, so here I am:

I'm collecting logs about Veeam Backup jobs from multiple machines to check when a backup failed and why. In Kibana I am able to see all the information I need, but I want to try to filter it in a specific way in order to make it more manageable.

Attached to this mail you can find a log example; in this log you will find a message field like:

 "data": "9d6771e7-f694-41c8-b019-b04c8651a4aa, 96fc902b-c55d-4943-84b2-79f177fbba0d, 2, 0, 0, True, 1, Retry of Backup job 'FULL-QNAP-451' finished with Failed.\\r\\nJob details: Could not perform threshold check for backup location \"\\\\192.168.1.17\\veeam2018\" due to space info retrievement fail!\\r\\nError: The network path was not found."

The key pieces of information are:

- Backup Job Name: FULL-QNAP-451
- Status: Failed
- Details: Could not perform threshold check for backup location \"\\\\192.168.1.17\\veeam2018\" due to space info retrievement fail!\\r\\nError: The network path was not found
        

I would like to filter these fields and make them indexable. Please help me create a powerful backup monitoring dashboard.

Have a nice day.
log (1).json

José Manuel López del Río

Oct 23, 2019, 2:40:44 PM
to Wazuh mailing list
Hello Stefano,

In order to create a Dashboard, you need to create visualizations first. To create a visualization follow these steps:

1. In Kibana, go to Visualize


2. Create a new visualization. For this, I recommend using a Data Table. Select the index wazuh-alerts-3.x-*.

3. Then Add a new Bucket 


4. Then select in Aggregations the type Terms and choose the field of the alert you want to see in the Dashboard. From the alert description you shared, we could use the field data.win.system.message to get the following information: "Retry of Backup job 'FULL-QNAP-451' finished with Failed.". For further information, we could add the field data.win.eventdata.data, adding this field into a new sub-bucket.


5. Be careful with the Size field of the bucket: when adding a new sub-bucket, it multiplies the total number of buckets used. Using a Size of 10 in the first bucket and a Size of 10 in the sub-bucket will cost 100 buckets in total. The total number of buckets allowed by Elasticsearch is 10000 in the latest 7.4 version.

6. Save your visualization


Once you have your visualization created, go to the Dashboard section and create a new Dashboard.


Then add the visualization created previously and save it. From there, you should be able to check all the fields added in the buckets of the visualization.


I hope it helps. Let me know if you need anything.


Best Regards,

Jose Manuel Lopez

Stefano Serano

Oct 24, 2019, 5:11:48 AM
to José Manuel López del Río, Wazuh mailing list
Hi José,
Thanks for your time, but maybe I've given you too few details.

I've created some rules to collect the logs I need to collect (see the attachment), and edited a dashboard by myself in order to see what I want.

Thanks to your system I now have a good view of what is happening on my Veeam machines, but now I want to push a little further.

As I said in my previous message, I want to collect the information in separate fields, in order to obtain a better visualization of my data.

If you have time to spend, you can search for another thread I opened some time ago that did not come to an end: "Question about custom index fiels"

Have a nice day.

veeam rules.txt

José Manuel López del Río

Oct 25, 2019, 1:37:10 PM
to Wazuh mailing list
Hello Stefano,
The information you want to extract is already decoded by the internal windows_eventchannel decoder, which places it in the data.win.eventdata.data field. We are working on a feature to extract specific information from data processed by this decoder. This is the issue created in our repository related to this: https://github.com/wazuh/wazuh/issues/3193.
Apologies for the inconvenience.
Best Regards,
Jose Manuel Lopez
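
The field extraction requested in this thread, done as a post-processing step over alert JSON outside Wazuh (an added example, not part of the original messages and not Wazuh code). The `veeam` key, the function names and the trimmed alert are assumptions; the inner `data` value is the one quoted in the first message.

```python
import json
import re

# Constructed alert, trimmed to the field named in the thread; the inner
# "data" value is the one quoted in the first message.
SAMPLE_ALERT = r'''{"data": {"win": {"eventdata": {"data": "9d6771e7-f694-41c8-b019-b04c8651a4aa, 96fc902b-c55d-4943-84b2-79f177fbba0d, 2, 0, 0, True, 1, Retry of Backup job 'FULL-QNAP-451' finished with Failed.\\r\\nJob details: Could not perform threshold check for backup location \"\\\\192.168.1.17\\veeam2018\" due to space info retrievement fail!\\r\\nError: The network path was not found."}}}}'''

# The sample carries its line breaks as the literal characters \r\n;
# accept those as well as real CR/LF.
LINE_BREAK = re.compile(r"\\r\\n|\r?\n")
JOB_RE = re.compile(r"Backup job '(?P<job>[^']+)' finished with (?P<status>\w+)")
LABELS = {"Job details": "details", "Error": "error"}


def parse_veeam(data):
    """Return job_name/status/details/error from one Veeam event string."""
    lines = [ln.strip() for ln in LINE_BREAK.split(data) if ln.strip()]
    match = JOB_RE.search(lines[0]) if lines else None
    if match is None:
        return {}  # not a job-result event; leave the alert untouched
    fields = {"job_name": match["job"], "status": match["status"]}
    for line in lines[1:]:
        label, sep, value = line.partition(": ")
        if sep and label in LABELS:
            fields[LABELS[label]] = value
    return fields


def enrich(alert_line):
    """Add a hypothetical 'veeam' object to one alert given as a JSON line."""
    alert = json.loads(alert_line)
    node = alert
    # Walk data.win.eventdata.data without assuming every level exists.
    for key in ("data", "win", "eventdata", "data"):
        node = node.get(key) if isinstance(node, dict) else None
    parsed = parse_veeam(node) if isinstance(node, str) else {}
    if parsed:
        alert["veeam"] = parsed
    return alert


if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_ALERT)["veeam"], indent=2))
```

Each extracted value ends up in its own key, so a Terms aggregation on job name or status no longer has to bucket on the whole message string.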