Now that we have installed our Splunk server, we need to do some more installation and configuration.
This part covers the installation of the “Veeam Backup Monitor for Splunk” plugin and the firewall configuration on the Veeam Backup and Replication server and the Splunk Server for future communication.
Downloading the Plugin
First of all we need to download the “Veeam Backup Monitor for Splunk” plugin from Splunkbase. To do so, you will need to create a Splunkbase account. After creating the account you can simply download the plugin on the right-hand side.
After downloading the .tgz file, copy it to your Splunk server. In my case it is a CentOS server. I created a new folder under /tmp/ called “veeam_splunk” where I uploaded the .tgz file with WinSCP. Once you have copied the .tgz file, simply unpack it.
After unpacking the .tgz file you will have a folder called “veeam_backup_monitor”.
Installing the Plugin
The installation of the plugin is really easy. All you have to do is to move the unpacked folder “veeam_backup_monitor” to the “apps” directory of your Splunk installation. The folder is called “/opt/splunk/etc/apps”.
After you have moved the plugin you will need to restart your Splunk server in order to load it. You can simply switch to the binary directory again under “/opt/splunk/bin” and restart your Splunk server.
After running the above command, your Splunk server will shut down and restart, which should look like this:
After restarting, open the web interface of your Splunk server at its URL and try to log in.
If everything went fine you should be able to log in to your server and see the new plugin on the left-hand side of your navigation pane.
If you click on the plugin on the left-hand side, you will notice that you can’t see anything yet. That’s because we haven’t set up any communication between the Veeam Backup & Replication Server and the Splunk Server so far. This will be covered in the last part of the series.
Configuring Linux Firewall
In order to prepare for setting up the communication between our Veeam Backup & Replication Server and the Splunk Server, we need to ensure that the firewalls between the two servers won’t block any traffic. As my installation is in a homelab, I don’t have any firewalls between those two machines except the enabled Windows Firewall and the CentOS firewall.
For the communication between our Veeam and Splunk Server we will have to install a so-called “Universal Forwarder” on our Veeam Backup & Replication server. This forwarder sends the data to the Splunk server. We will cover the installation and the configuration in the next part of the series. For now, we are going to prepare both servers so that their firewalls do not block this traffic.
The aim is to open up “port 9997” from the Windows Veeam Backup & Replication Server to the Splunk Server. In order to achieve that, we have to use “firewall-cmd” on the CentOS Splunk Server. I used the following command to add port 9997 to the public zone of my CentOS server.
firewall-cmd --zone=public --add-port=9997/tcp --permanent
firewall-cmd --reload
The second command above reloads the firewall so that the permanent rule takes effect. To review your settings, use
firewall-cmd --list-all
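As an added example (not part of the original post): the --add-port rule above opens 9997/tcp to every host that can reach the public zone, not only to the Veeam server. This script reads “firewall-cmd --list-all” output and reports whether the port is open zone-wide or only through a source-restricted rich rule. The sample outputs and the forwarder address 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify how 9997/tcp is exposed on the Splunk host.
# Input: `firewall-cmd --list-all` output on stdin.
# Output: zone-wide | source-restricted | closed
check_9997() {
    awk -v port="9997" '
        # The "ports:" line lists ports open to every source in the zone.
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) if ($i == port "/tcp") zone = 1
        }
        # A rich rule with a source address limits the port to that sender.
        /rule family=/ && /source address=/ && /accept/ {
            if (index($0, "port=\"" port "\"") && index($0, "protocol=\"tcp\"")) rich = 1
        }
        END {
            if (zone) print "zone-wide"
            else if (rich) print "source-restricted"
            else print "closed"
        }'
}

# Constructed sample: state after --add-port=9997/tcp in the public zone.
sample_zone_wide() { cat <<'EOF'
public (active)
  target: default
  interfaces: ens192
  services: dhcpv6-client ssh
  ports: 9997/tcp
  rich rules:
EOF
}

# Constructed sample: port removed from the zone and allowed for one
# forwarder only. 192.0.2.10 is a placeholder for the Veeam server address:
#   firewall-cmd --permanent --zone=public --remove-port=9997/tcp
#   firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.0.2.10" port port="9997" protocol="tcp" accept'
#   firewall-cmd --reload
sample_restricted() { cat <<'EOF'
public (active)
  target: default
  interfaces: ens192
  services: dhcpv6-client ssh
  ports:
  rich rules:
    rule family="ipv4" source address="192.0.2.10" port port="9997" protocol="tcp" accept
EOF
}

echo "after --add-port: $(sample_zone_wide | check_9997)"
echo "after rich rule:  $(sample_restricted | check_9997)"
```

On the Splunk server itself, run “firewall-cmd --list-all | check_9997” after sourcing the function.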
Now that we have configured our CentOS firewall, we need to do the same for outgoing traffic on our Veeam Backup & Replication Windows server.
Configuring Windows Firewall
To configure the Windows Firewall, I utilized PowerShell to create a new rule for opening the port 9997.
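# Outbound rule: the forwarder connects to remote port 9997 on the Splunk server; its local source port is ephemeral
netsh advfirewall firewall add rule name="Open 9997 for Splunk" dir=out action=allow protocol=TCP remoteport=9997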
With the “Get-NetFirewallRule” cmdlet you can check whether the rule was applied successfully and is active.
Get-NetFirewallRule -DisplayName "Open 9997 for Splunk"
Testing the connection
Now that the firewall rule appears to have been added successfully, we have two ways to test the connection: either using “telnet” or the “Test-NetConnection” cmdlet through PowerShell.
I will cover both methods here.
Testing with Telnet
If you are using telnet, simply use the telnet command with an IP address or DNS name to verify if the port 9997 is open.
telnet splunk01.virtualhome.blog 9997
If you get an empty prompt, you are connected to your server with the desired port.
Testing with Test-NetConnection
When using Test-NetConnection, run the cmdlet with an IP address or a DNS name to verify that port 9997 is open.
Test-NetConnection splunk01.virtualhome.blog -Port 9997
As you can see, both tests were successful, which means we have a proper connection between the two servers.
Summary
In this part of the series, I covered the installation of the “Veeam Backup Monitor for Splunk” plugin as well as the firewall preparation. In the last part of the series I’m going to cover how to set up the communication from the Veeam Backup & Replication server to our Splunk Server by using the universal forwarder.
Thanks for reading and stay tuned!