Monitoring Veeam Backup & Replication with Splunk – Part 2 Installing the Plugin and configuring the Firewall

Now that we have installed our Splunk server, we need to do some more installation and configuration.

This part covers the installation of the “Veeam Backup Monitor for Splunk” plugin and the firewall configuration on the Veeam Backup and Replication server and the Splunk Server for future communication.

Downloading the Plugin

First of all, we need to download the “Veeam Backup Monitor for Splunk” plugin from Splunkbase. To do so, you need a Splunkbase account. After creating the account, you can download the plugin on the right-hand side of the page.

After downloading the .tgz file, copy it to your Splunk server. In my case it is a CentOS server. I created a new folder under /tmp/ called “veeam_splunk” and uploaded the .tgz file there with WinSCP. Once you have copied the .tgz file, simply unpack it.

After unpacking the .tgz file you will have a folder called “veeam_backup_monitor”.

Installing the Plugin

Installing the plugin is really easy. All you have to do is move the unpacked folder “veeam_backup_monitor” to the “apps” directory of your Splunk installation, which is “/opt/splunk/etc/apps”.

After you have moved the plugin, you need to restart your Splunk server in order to load it. Switch to the binary directory again under “/opt/splunk/bin” and restart your Splunk server from there.

After you run the restart command, your Splunk server shuts down and starts again.
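
The unpack, move and restart steps above as one script, shown as an added example that is not part of the original post. It also checks the archive listing before unpacking so that nothing outside “veeam_backup_monitor/” gets written; the archive path is an argument you supply, the /opt/splunk default follows the paths used here, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: check the plugin archive, then
# install it. Assumes Splunk lives in /opt/splunk as in this article; the
# archive path is whatever file name Splunkbase gave you.
APP_NAME="veeam_backup_monitor"
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Succeed only if every archive member sits below $APP_NAME/ and no member
# has an absolute path or a ".." component.
archive_is_safe() {
    members=$(tar -tzf "$1") || return 2      # unreadable or corrupt archive
    [ -n "$members" ] || return 1             # empty archive
    printf '%s\n' "$members" | while IFS= read -r m; do
        case "$m" in
            /*|..|../*|*/..|*/../*) exit 1 ;; # would escape the target dir
            "$APP_NAME"|"$APP_NAME"/*) ;;     # expected location
            *) exit 1 ;;                      # unexpected top-level entry
        esac
    done
}

# Unpack into a private staging directory, move the app into etc/apps and
# restart Splunk so that it loads the app.
install_app() {
    archive_is_safe "$1" || { echo "refusing to install $1" >&2; return 1; }
    if [ -e "$SPLUNK_HOME/etc/apps/$APP_NAME" ]; then
        echo "$APP_NAME is already installed" >&2
        return 1
    fi
    stage=$(mktemp -d) || return 1
    tar -xzf "$1" -C "$stage" --no-same-owner || return 1
    mv "$stage/$APP_NAME" "$SPLUNK_HOME/etc/apps/" || return 1
    rmdir "$stage"
    "$SPLUNK_HOME/bin/splunk" restart
}

# Run only when an archive path is given on the command line.
if [ "$#" -gt 0 ]; then
    install_app "$1"
fi
```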

After the restart, open the web interface of your Splunk server at its URL and log in.

If everything went fine, you should be able to log in to your server and see the new plugin on the left-hand side of the navigation pane.

If you click on the plugin on the left-hand side, you will notice that it doesn’t show anything yet. That’s because we haven’t set up any communication between the Veeam Backup & Replication server and the Splunk server so far. This will be covered in the last part of the series.

Configuring Linux Firewall

In order to prepare for the communication between our Veeam Backup & Replication server and the Splunk server, we need to ensure that the firewalls between the two servers won’t block any traffic. As my installation is in a homelab, I don’t have any firewalls between those two machines except the enabled Windows Firewall and the CentOS firewall.

For the communication between our Veeam and Splunk servers we will have to install a so-called “Universal Forwarder” on our Veeam Backup & Replication server. This forwarder sends the data to the Splunk server. We will cover the installation and the configuration in the next part of the series. For now, we are going to prepare both servers so that their firewalls don’t block the traffic.

The aim is to open TCP port 9997 for traffic from the Windows Veeam Backup & Replication server to the Splunk server. On the CentOS Splunk server we use “firewall-cmd” for this. I used the following command to add port 9997 to the public zone of my CentOS server.

firewall-cmd --zone=public --add-port=9997/tcp --permanent

firewall-cmd --reload

The command above reloads the firewall settings so that the permanent rule becomes active. To review your settings, use

firewall-cmd --list-all
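
The rule above opens port 9997 to every host that reaches the public zone. As an added example that is not part of the original post, the script below swaps it for a firewalld rich rule that accepts the port only from the Veeam server’s address; the address is an argument you supply, 192.0.2.10 is a constructed sample, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: allow port 9997 only from the
# Veeam server instead of from every host in the zone.
ZONE="public"
PORT="9997"

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the firewalld rich rule that admits TCP $PORT from one source address.
rich_rule() {
    valid_ipv4 "$1" || { echo "invalid source address: $1" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' "$1" "$PORT"
}

# Replace the zone-wide port opening with the source-restricted rule.
apply_rule() {
    rule=$(rich_rule "$1") || return 1
    firewall-cmd --zone="$ZONE" --permanent --remove-port="$PORT/tcp"
    firewall-cmd --zone="$ZONE" --permanent --add-rich-rule="$rule" || return 1
    firewall-cmd --reload
    firewall-cmd --zone="$ZONE" --list-rich-rules
}

# Run only when the Veeam server's address is given, e.g. ./fw.sh 192.0.2.10
# (192.0.2.10 is a constructed documentation address).
if [ "$#" -gt 0 ]; then
    apply_rule "$1"
fi
```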

Now that we have configured our CentOS firewall, we need to allow the same port for outgoing traffic on our Veeam Backup & Replication Windows server.

Configuring Windows Firewall

To configure the Windows Firewall, I used PowerShell to create a new outbound rule for port 9997. Because the rule is outbound, 9997 is the remote port of the connection to the Splunk server, so the rule matches on remoteport.

netsh advfirewall firewall add rule name="Open 9997 for Splunk" dir=out action=allow protocol=TCP remoteport=9997

With the “Get-NetFirewallRule” cmdlet you can check that the rule was created successfully and is enabled.

Get-NetFirewallRule -DisplayName "Open 9997 for Splunk"

Testing the connection

Now that the firewall rule appears to have been added successfully, we have two ways to test the connection: either with “telnet” or with the “Test-NetConnection” cmdlet in PowerShell.

I will cover both methods here.

Testing with Telnet

If you are using telnet, simply use the telnet command with an IP address or DNS name to verify if the port 9997 is open.

telnet splunk01.virtualhome.blog 9997

If you get an empty prompt, you are connected to your server on the desired port.

Testing with Test-NetConnection

When using Test-NetConnection, call the cmdlet with an IP address or a DNS name to verify that port 9997 is open.

Test-NetConnection splunk01.virtualhome.blog -Port 9997

As you can see, both tests were successful, which means we have a working connection between both servers.

Summary

In this part of the series, I covered the installation of the “Veeam Backup Monitor for Splunk” plugin as well as the firewall preparation. In the last part of the series I’m going to cover how to set up the communication from the Veeam Backup & Replication server to our Splunk server by using the Universal Forwarder.

Thanks for reading and stay tuned!

Go to Part 1: Monitoring Veeam Backup & Replication with Splunk – Part 1 Installation

Go to Part 2: Monitoring Veeam Backup & Replication with Splunk – Part 2 Installing the Plugin and configuring the Firewall

Go to Part 3: Monitoring Veeam Backup & Replication with Splunk – Part 3 Getting Veeam Data into Splunk

About Falko Banaszak

Falko is a Consulting Field Solutions Architect for Modern Data Protection based in Germany working at Pure Storage Inc. In the last 12 years he has built a strong focus on virtualization, BCDR and has a passion for Microsoft 365 & storage systems. He's a Veeam Vanguard, a Veeam Certified Engineer, Veeam Certified Architect and a Veeam User Group founder and leader in Germany.
