Configuring Syslog Collectors

Veeam App for Palo Alto Networks XSIAM receives data from Veeam Backup & Replication or Veeam ONE through syslog collectors added to Palo Alto Networks Broker virtual machines. For more information about broker VMs, see this section in the Cortex XSIAM documentation.

To add a syslog collector, do the following:

  1. In the main menu, click Settings > Configurations.
  2. On the Data Broker > Broker VMs > Brokers tab, select a broker virtual machine. In the Apps column, click Add and select Syslog Collector.
  3. In the New Syslog Data Source window, specify the following settings:
     • Protocol — Transport protocol used by the syslog server. Default values are TCP, UDP or TLS.
     • Port — Port number used by the syslog server. Default values are 514 (for TCP and UDP) and 6514 (for TLS).
     • Source Network — IPv4 address or subnet of the syslog server.
     • Format — The format of syslog messages. To display the data correctly, select RAW.
     • Vendor — The name of the product vendor. To display the data correctly, specify Veeam.
     • Product — The name of the product you want to get data from. For example, VBR.
  4. Click Done.

After you add a syslog collector, the dataset is created. The name of the dataset includes the values of the Vendor, Product, and Format settings, for example, veeam_vbr_raw. If you use correlation rules, specify the name of the dataset in the correlation rule query. For more details, see Configuring Correlations.

Important

To display data correctly, consider the following:

  • Make sure that you specify the Veeam value in the Vendor field and use the RAW format.
  • The format of syslog messages sent to Veeam App for Palo Alto Networks XSIAM must be the same as on Veeam Backup & Replication and Veeam ONE. For more information, see Specifying Syslog Servers in the Veeam Backup & Replication User Guide and Syslog Integration in the Veeam ONE Monitoring Guide.