Veeam v12.1 – Integration with SIEM Systems

Veeam revealed the new features that will be available with the next release of VBR v12.1. With these new releases, Veeam further extends the feature set available in these products with a focus on Security & Compliance general improvements. Here’s blog post about SIEM integration.

Veeam Availability Suite 12.1

Next release of Veeam Backup & Replication v12.1 (currently version 12) will provide the following new features and enhancements. Security features list:

    Security & Compliance: Malware detection

  • Security & Compliance Dashboard
  • Inline detection (encryption & ransom notes)
  • In-guest detection via guest-index
  • YARA rules support
  • Automated scans via SureBackup
  • On-Demand scans
  • Malware events & false positives
  • Incident API
  • How to test features above


    Security & Compliance: General

  • Key management systems support (KMIP)
  • Four Eyes approval
  • SIEM integration (syslog support)
  • Security & Compliance analyzer
  • Removed “Files” Tab For Non-Admin Users
  • Warning on short encryption passwords


Better Integration With SIEM Systems:

Integrating Veeam with SIEM (Security Information and Event Management) systems using RFC 5424 is a way to enhance the security monitoring and event management capabilities of your Veeam environment. RFC 5424 is a standard that defines the syslog message format, which is commonly used for log and event data. To integrate Veeam with SIEM systems using RFC 5424, you’ll typically need to configure Veeam to send log and event data in the RFC 5424 format to your SIEM system. Here are the general steps involved:

    1. Configure Veeam: In your Veeam backup and replication software, you’ll need to configure the logging settings to send data in the RFC 5424 format. This may involve specifying the SIEM system’s IP address or hostname, port, and the protocol (typically UDP or TCP) to be used for sending logs.

    2. Configure the SIEM System: On your SIEM system, you’ll need to create a data source or a collector for Veeam logs. You’ll specify the same IP address or hostname and port that you configured in Veeam to establish communication.

    3. Define Log Event Types: In both Veeam and the SIEM system, you should define how different log event types will be handled. This may include setting up filters, parsing rules, and alerting criteria based on the incoming logs.

    4. Test and Monitor: After configuration, it’s essential to test the integration to ensure that log data is being transmitted correctly to the SIEM system. Regularly monitor the integration to detect and respond to security events and anomalies.


Keep in mind that the exact steps and configurations may vary depending on your specific SIEM system and Veeam version. It’s also crucial to follow best practices for security and data privacy when transmitting log and event data to a SIEM system.


RFC 5424 (not RFC 3164):

    — Transport modes: UDP, TCP, TLS,
    — Limitation: maximum one syslog server in 12.1.


Veeam Availability Suite 12.1

Example output:

Veeam Availability Suite 12.1

How syslog integration works:

    — RFC 5424 compliant push notification.

Veeam Availability Suite 12.1

Veeam Availability Suite 12.1


RFC 5424 is a standard specification that defines the syslog protocol message format. The syslog protocol is used for transmitting log and event messages within a network or between networked devices. RFC 5424 updates and extends the original syslog protocol defined in RFC 3164.

Key features of RFC 5424 include:

    1. Structured Data: RFC 5424 introduces structured data elements that allow log messages to include structured, name-value pairs. This enhances the ability to convey information in a more machine-readable and standardized format.
    2. Header and Message Components: The standard defines various header and message components, such as the facility, severity level, timestamp, hostname, and app-name, which provide context for log messages.
    3. Enhanced Message Format: It specifies a more flexible and extensible message format, enabling the inclusion of various information about the log event, the source, and the message itself.
    4. Transport Protocols: RFC 5424 does not mandate a specific transport protocol. It can be used over both UDP (User Datagram Protocol) and TCP (Transmission Control Protocol), depending on the requirements of the implementation.
    5. Compatibility: RFC 5424 aims to be compatible with RFC 3164, ensuring that systems adhering to both standards can interoperate.
    6. Security Considerations: The standard includes considerations for security, like message integrity and confidentiality, and recommends the use of Transport Layer Security (TLS) for secure communication.


In summary, RFC 5424 standardizes the format and structure of log and event messages, making them more machine-readable and flexible. This is particularly useful for log management, event correlation, and monitoring systems, including SIEM (Security Information and Event Management) systems, to process and analyze log data in a consistent manner.


Veeam v12.1 – Object Storage as backup target: Blog Post
Veeam v12.1 KMS Support: Blog Post
Veeam v12.1 Malware Detection and YARA: Blog Post
Wasabi Object Storage new features: Blog Post
VUG Fr Day in Monaco Recap
Detection & Response to Ransomware with Veeam: Blog Post
Offline versus Immutable Backups: Blog Post
Cuba ransomware and Veeam CVE-2023-27532: Blog Post
Akira ransomware infection routine: Blog Post
2023 Ransomware Trends Report
Play ransomware infection routine: Blog Post
New Veeam v12 Platform Overview: Blog Post
Veeam v12 Linux Without SSH And SUDO: Blog PostHardened Repository in Veeam v12: Blog Post
Wasabi Object Storage Usage with Veeam B&R v12: Blog Post
VeeaMover in v12: Blog Post
Ransomware & Cybersecurity with Veeam v12: Blog Post
Why backup directly to Object Storage? Blog Post
Veeam B&R v12 New Features Overview: Blog Post
[REPLAY] Webinar Veeam v12 and Wasabi: Replay
Protect your data with Veeam and Wasabi: Blog post
Wasabi – Object Lock feature spotlight: Blog post
Veeam and the S3-compatible object storage solutions: Blog Post
[PODCAST] VeeamUser Group France #1: Record
Conti initiates their attacks on Backup: Blog Post
Backup with Trusted Repository Storage: Blog Post.
Protect your Backup against Ransomware: Blog Post

Please follow and like us:

Enjoy this blog? Please spread the word :)