So you have a Veeam Backup for Azure (VBAZ) to protect your Azure resource, but wouldn’t it be great if you could truly see what’s happening under the hood? Basic monitoring is a start, but you should dive into the logs to understand your VBAZ environment better. And what better place to do that than with Azure Log Analytics, a feature of Azure Monitor?
In this post, I’ll show you how to set up log monitoring for Veeam Backup for Azure using Azure Log Analytics, unlocking a wealth of insights into your backup operations.
NOTE: Veeam does not support Azure monitor, however, it is a widely used tool for the monitoring of Production resources. Please consult your Azure technical resources before implementing.
Why bother with Log Monitoring?
Think of logs as the ‘black box’ recorder of your VBAZ environment. They capture everything from successful backups to insights into issues and things like failed logins and performance bottlenecks. By analysing these logs, you can:
- Identify and resolve issues: catch errors before they impact your backups and restores.
- Enhance security: Detect and respond to suspicious activity, like failed login attempts.
- Gain deeper insights: Understand your backup trends and make informed decisions about resource allocation.
This can be combined with Veeam Backup and Replication’s syslog functionality for the ultimate logging solution.
Diving into Azure Log Analytics
Azure Log Analytics, a feature of Azure Monitor, is your central hub for collecting, analysing and acting on log data from various sources, including your VBAZ instances. It provides a powerful query language (Kusto Query Language - KQL) to slice and dice your data, create custom dashboards, and set up alerts.
Setting up Veeam Backup for Azure Log Monitoring
Here’s a step-by-step guide to configure VBAZ log monitoring with Azure Log Analytics:
Create a Log Analytics Workspace:
-
Go to the Azure portal and search "Log Analytics workspaces."
-
Click Create and provide the necessary details, such as resource group and region (the region should be the same as your VBAZ instance).
Create a Data Collection Endpoint:
-
Go to Azure Monitor and select Data Collection Endpoints.
-
Click Create and select the same resource group and region as your Log Analytics workspace.
Configure Custom Log Collection:
-
In your Log Analytics workspace, navigate to Tables and click Create > New custom log (DCR-based).
-
Create a new Data collection rule (DCR) and give it a name, e.g vbazlogs_CL (see note below)
-
Select the Data Collection Endpoint you created above and click next
- Provide a sample log file. You can use this GitHub Gist as an example, click next
- Review and create
Reference on JSON format: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-portal-1%2Cazure-portal-2%2Cazure-portal-3
So that you know, we will need to replace this rule later. It is a quirk of the process, and you cannot pre-create the Data Collection Rule without specifying a Data Source, which is this custom table we are creating here.
Create a Data Collection Rule:
-
Go to Data Collection Rules (above Data Collection Endpoints) in Azure Monitor and find the Data collection rule you created above.
-
Go to Data sources and click Add.
-
Add data source:
-
Under Data source type, select Custom Text Logs.
-
Under File pattern, enter /var/log/veeam/*.log
-
Under Table name, provide the name you gave the table earlier (e.g., vbazlogs_CL).
-
Leave the rest as defaults.
-
In the Transform box add the following:
-
source | parse RawData with "[" EventTime:string "]" RemainingText:string | extend TimeGenerated = todatetime(EventTime) | extend Parts = split(RemainingText, ") ") | extend Message = trim_start(" ", Parts[1]) | project TimeGenerated, MessageNOTE: This KQL expression takes the raw log input and parses it into the correct format for the table. There is more you can do with transforms, including reducing the amount of data being passed to Log Analytics, but that is beyond the scope of this post.
- Click Next: Destinations
-
Click Add destination (see note above)
-
Select:
-
Destination type: Azure Monitor Logs
-
Subscription: Select relative subscription
-
Destination Details: Select the Logs Analytics Instance you created earlier
-
-
Click Add data source.
-
Click on Resources under Data sources
-
Add the VBZ VM and press apply.
-
Confirm the Azure Monitor Agent is installed
- Got to the VBAZ VM and click on Extensions + applications
- Check if the AzureMonitorLinuxAgent is showing
View the logs
Note that log data can take time to start coming through.
- In Log Analytics go to Logs.
- Change the scope to the Log Analytics workspace you created
- Enter the name of the table you created and click Run
You should see the logs in the Results box below. You can parse and display the results in various ways using the KQL language.
Example:
vbazlogs_CL
| where Message has "Authentication failed. Invalid username or password" and Message startswith "Error"
| extend ErrorMessage = extract("Authentication.*", 0, Message)
| project TimeGenerated, ErrorMessage
This would search for all failed login attempts. Of course, there are many different ways to do this and other things that can be searched for.
This could be tied into an Azure alert or turned into a Sentinel incident, but I will leave that to a follow-up post.
Before I go, I should also mention that Azure Monitor integrates with Azure Arc, which means you can bring in external resources similarly. What does that mean exactly? Well, it means that you could, in theory, bring in logs from Veeam Backup for AWS or Veeam Backup for GCP. However, that might be a good topic for another follow-up post.
I hope you have enjoyed reading, if you have any comments, let me know.
Ed Howard
