Note: The description in the article is based on Veeam ONE 12.1.
Introduction to Veeam ONE
The Veeam company is best known for its product Veeam Backup & Replication. But for a very long time (Build Numbers and Versions of Veeam ONE), it has also had the Veeam ONE tool for monitoring virtual environments and data protection (backup) environments using Veeam Backup & Replication.
Note: There is also a Veeam ONE Community Edition, which is provided for free. It includes 10 instances (backed up objects) and limited functionality for monitoring virtual environments with an unlimited number of VMs (License Types and Packages). This free tool provides many useful features.
Documentation
What is Veeam ONE
Veeam ONE is a solution for monitoring virtual environments and data protection environments. It enables monitoring, analysis, reporting, and capacity planning. It continuously collects, analyzes, and visually represents information about objects in our infrastructure.
The current version contains more than 340 pre-configured alarms and 150 pre-built reports.
- Alarms can be customized and notification settings configured. They contain advice (Knowledge Base) for resolving problems. We can set up remedial actions that automatically perform certain operations.
- Reports provide information from many areas of backup and VMware and Hyper-V infrastructure. They also include capacity planning, chargeback and billing, compliance monitoring, and change tracking and auditing.
Business View allows us to categorize objects (workloads) into groups based on various parameters. Veeam ONE includes a job calendar on the backup server, which clearly shows when backups are running and how they are interconnected.
The latest versions of Veeam ONE also detect anomalies that could indicate a ransomware attack. They include a new Veeam Threat Center dashboard (in the web client).
Integration and Support for
Veeam ONE enables monitoring and reporting for
- Veeam Backup & Replication (from version 10a)
- Veeam Backup for Microsoft 365 (from version 7)
- VMware vSphere (vCenter Server 6.x to 8.0, ESXi 6.x to 8.0, VMware Cloud on AWS)
- Microsoft Hyper-V (SCVMM Server 2012 SP1 to 2022, Hyper-V host 2012 to 2022, Failover cluster)
- VMware Cloud Director (version 10.1 to 10.5)
It also includes support for
- Veeam Backup for Public Clouds (Microsoft Azure, Amazon Web Services, and Google Cloud)
- Veeam Backup for Nutanix AHV, Veeam Backup for Red Hat Virtualization, Veeam Backup for Oracle Linux KVM
- Veeam Agent (Windows, Linux, Mac, IBM AIX, Oracle Solaris)
- NAS Backup (Fileshare)
Licensing
- Veeam Data Platform Packaging
- Veeam Data Platform Feature Comparison
- Licensing Veeam ONE
- Veeam Universal License (VUL)
- Veeam Licensing Policy
Veeam now sells packages called Veeam Data Platform, which contain certain features based on the included products.
- Foundation - Veeam Backup & Replication
- Advanced - Veeam Backup & Replication, Veeam ONE
- Premium - Veeam Backup & Replication, Veeam ONE, Veeam Recovery Orchestrator
For these, the portable Veeam Universal License (VUL) is used, primarily on a subscription basis. We license each instance, that is, each workload.
One VUL license can cover:
- 1 virtual machine (VM)
- 1 cloud instance/VM
- 1 physical server
- 1 database or application
- 3 workstations (endpoints)
- 500 GB of unstructured data (NAS/File share)
Note: CPU Socket-based licenses were discontinued in 2023. The documentation License Types and Packages also describes Per socket licenses, which can apparently no longer be purchased. Another option is to rent through VCSP.
In the case of Veeam ONE, an instance is assigned to each managed object. A backed up VM on a monitored Veeam Backup & Replication server and the same monitored VM within the virtual infrastructure consume one instance.
Note: I think it's quite a common situation where we only back up (protect) a part of the infrastructure. But we would like to monitor the entire virtual infrastructure. If we purchase VUL licenses for the Veeam Data Platform Advanced for the backed-up VMs and other objects, they will not cover all the VMs for monitoring. To be in compliance with the license, we need to limit the scope of monitoring in Veeam ONE. From the documentation, I didn't understand that it would be possible to purchase additional licenses only for Veeam ONE, but I haven't researched it further yet.
Architecture and Components
Note: The entire architecture and installation are described in detail in the official documentation. The description in this article contains a summary of the key points and practical experience.
Control using Clients
Two clients with a shared configuration are used to work with Veeam ONE:
- Veeam ONE Client - the primary tool (application) for monitoring the virtual environment and data protection (backup); it allows you to manage Veeam ONE settings, view components of the virtual and backup infrastructure (performance, efficiency), and work with alarms and monitoring data; it is installed along with the server and can also be installed separately on a workstation
- Veeam ONE Web Client - a web console that provides a set of dashboards and reports, which allow you to verify configuration issues, optimize resources, track changes, plan capacity, etc.
Veeam ONE Components
- Veeam ONE Server - the core component that collects data and stores it in the database
- Veeam ONE Web Services - enables web access and generates reports
- Veeam ONE Client - allows access to the Veeam ONE Server, locally or remotely
- Veeam ONE Database - database on Microsoft SQL Server, locally or remotely
- Veeam ONE Agent - enables communication with the Veeam Backup & Replication server, it is recommended to install the agent on the Veeam Backup & Replication server
Deployment and Installation
Deployment
For deploying Veeam ONE in a small or medium-sized environment, we install all components on a single virtual or physical server with a Windows OS. This is called an All-in-One Deployment. In this case, we can also use a remote Microsoft SQL Server and install the Veeam ONE Client on administrators' computers.
Requirements and Prerequisites
The official documentation lists the system requirements (System Requirements) and supported platforms (Supported Virtualization Platforms). The server for All-in-One Deployment requires at least 4 CPU cores and 8 GB of RAM. It supports 64-bit Windows 10/11, Windows Server 2012 to 2022.
Veeam ONE requires various Microsoft components (such as Microsoft .NET Framework or Microsoft XML 6.0 Parser and SDK), but these are automatically installed during the installation.
Just like in the case of Veeam Backup & Replication, to be able to connect the SCVMM (System Center Virtual Machine Manager) server to Veeam ONE, we must install the Virtual Machine Manager Console. The version must exactly match the one on the SCVMM server.
Ports and Communication
A detailed overview is provided in the documentation Ports. The basic connection is to the Veeam ONE Server, where the following is used:
- Veeam ONE Client - TCP port 139, 445, UDP port 137
- Veeam ONE Web Client (web browser) - default TCP port 1239, HTTPS communication to Veeam ONE Web Services, e.g., https://veeamone.company.com:1239/
Permissions and Accounts
For Veeam ONE to function correctly and access the virtualization and Veeam Backup & Replication servers, it requires sufficient permissions. A detailed description is in the documentation Permissions.
During the installation, we must enter a domain account under which the services on the server will run, that is, a service account. It is advisable to create a dedicated account for Veeam ONE; membership in the Domain Users group is sufficient. On the Veeam ONE server, the account must have local administrator permissions.
During the installation of Veeam ONE, the local groups Veeam ONE Administrators, Veeam ONE Power Users, and Veeam ONE Read-Only Users are created on the server. The user performing the installation and the service account for the services are automatically added to the administrators group. Every user who needs to access Veeam ONE functions (using the Veeam ONE Client or Web Client) must be added to one of the groups. Additionally, they must have the Allow log on locally permission, which local administrators have by default.
Similar to Veeam Backup & Replication, Veeam ONE has a Credentials Manager in the main menu. Here we can create and manage login credentials (Credentials) for connecting to components in the virtual and backup infrastructure.
My thinking is that we try to secure the backup infrastructure as much as possible. We perform hardening on the Veeam Backup & Replication server so that an attacker cannot steal the backups, which usually contain the company's most important data, or encrypt them with ransomware. I haven't come across recommendations for securing Veeam ONE yet. However, it holds access and stored accounts to the backup infrastructure.
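Because membership in the three local groups decides who can log in to Veeam ONE, it is worth reviewing regularly. The following PowerShell is an added example, not part of the original article or of Veeam's tooling; the account names in the allow-list are constructed placeholders to replace with your own.

```powershell
# Added example: audit the local groups created by the Veeam ONE installer.
# Run in an elevated PowerShell session on the Veeam ONE server.

# Assumption: principals we expect in each group (constructed placeholder names).
$Expected = @{
    'Veeam ONE Administrators'  = @('COMPANY\svc-veeamone', 'COMPANY\backup-admins')
    'Veeam ONE Power Users'     = @('COMPANY\backup-operators')
    'Veeam ONE Read-Only Users' = @('COMPANY\it-helpdesk')
}

function Get-VeeamOneGroupAudit {
    param([hashtable]$Expected)
    foreach ($group in $Expected.Keys) {
        try {
            $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
        }
        catch {
            # Group missing (Veeam ONE not installed here) or a member cannot be resolved.
            Write-Warning "Cannot read group '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group    = $group
                Member   = $m.Name             # DOMAIN\name or COMPUTER\name
                Class    = $m.ObjectClass      # User or Group
                Source   = $m.PrincipalSource  # Local, ActiveDirectory, ...
                Expected = $Expected[$group] -contains $m.Name  # case-insensitive match
            }
        }
    }
}

$audit = @(Get-VeeamOneGroupAudit -Expected $Expected)
$audit | Sort-Object Group, Member | Format-Table -AutoSize

# Anything outside the allow-list needs an owner and a reason, or removal.
$unexpected = @($audit | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) member(s) are not on the allow-list:"
    $unexpected | ForEach-Object { Write-Warning "  $($_.Group): $($_.Member)" }
}
```

Nested domain groups appear as a single member with Class = Group, so their membership has to be reviewed in Active Directory as well.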
Server Certificate
During the installation, a self-signed certificate can be generated. If we want to use our own TLS certificate, maybe from an internal CA, we need to issue it in advance to the local computer certificate store. During the installation, we just select it.
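To confirm after installation which certificate Veeam ONE Web Services actually presents (the generated self-signed one or our own), we can read it from the Web Client port. This is an added example, not from the original article; the host name is the example address used above and the function name is hypothetical.

```powershell
# Added example: inspect the TLS certificate served on the Veeam ONE Web Client port.
function Get-VeeamOneWebCertificate {
    param(
        [string]$HostName = 'veeamone.company.com',  # example host name used in the article
        [int]$Port = 1239                            # default Web Client port
    )
    $state = @{ Errors = $null }
    # Accept any certificate here: the goal is to inspect it, not to trust it.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Protocol     = $ssl.SslProtocol
            # None means the name matches and the chain validates on this machine.
            PolicyErrors = $state.Errors
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Get-VeeamOneWebCertificate | Format-List
```

Run it from an administrator workstation rather than the server itself, so that PolicyErrors reflects what the users' browsers will see.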
Installation Files
We can download the installation files from My Veeam - Products, where they are offered according to our license. For example, for Veeam Data Platform Advanced, the currently downloaded file is VeeamDataPlatformAdvanced_v12.1_20240228.zip. It contains the ISO for Veeam Backup & Replication, VeeamBackup&Replication_12.1.1.56_20240220.iso, and the ISO for Veeam ONE, VeeamONE_12.1.0.3208_20231130.iso, with a size of 2.5 GB.
The Release History for Veeam ONE 12.1 might also be useful.
Veeam ONE Database
Part of the Veeam ONE installation is Microsoft SQL Server 2017 Express Edition. We can use this database for free, but in practice we will probably encounter the 10 GB size limit. To estimate the database size for a specific environment, we can use the Veeam ONE Database Estimator calculator.
For production use, it is recommended to use the Standard or higher edition on a dedicated server. Microsoft SQL Server versions from 2012 to 2022 are supported.
All-in-one Installation with Separate SQL Server
- mount the installation ISO
- run setup.exe
- select Install and Install Veeam ONE
- accept the license terms
- in the license settings, we can load the license file or sign in with a Veeam account, we can choose Update license automatically
- enter the prepared service account
- a system configuration check is performed, and any missing components are automatically enabled
- the configuration with which the installation will be performed is displayed, click Install
- if we want to use a custom SQL server or set up a certificate, we click on Customize Settings
- let all components be installed
- if we want to use an existing SQL Server, we choose Use existing instance of SQL Server
- search for or enter the server name (do not specify the default instance)
- we can modify the database name that will be created during the installation
- specify the login credentials to be used to access SQL, the easiest is to use the service account under which the service runs, but we need to set the required permissions for it (Connection to Microsoft SQL Server)
- higher permissions are required for the installation; we can remove them afterwards, or, if the account does not have sufficient permissions, create the DB in advance using a script; otherwise the error Failed to connect to SQL Server is displayed
- we can leave the default data location paths
- if we want to monitor Veeam backup and virtual infrastructure performance, we use Veeam backup data and virtual infrastructure performance monitoring
- we can leave the default ports for the individual components, if we have prepared our own certificate, we select it
- the configuration summary is displayed again, click Install to start the installation
- the installation goes through 4 steps (installation of individual components) and in a few minutes it should display Successfully installed
- when we click Finish, a dialog appears asking if we want to log out, as a new login is required for our account to be added to the new group that grants Veeam ONE login permissions
Note: If we encounter problems during the installation, the installation log can be helpful. For example, C:\ProgramData\Veeam\Setup\Temp\VeeamONE_06_05_2024_10_37_06.log
Basic Configuration and Adding Servers
Configuring Notifications
When we first run the Veeam ONE Client, the Notification Settings wizard appears. We can always open it again from the main menu under Notifications or Settings - Server Settings. We can set up email notifications, SNMP, Syslog, ServiceNow.
Note: When we set up email notifications right at the beginning, we will probably start receiving a lot of messages after connecting the infrastructure. It is necessary to first adjust the settings and threshold values.
Connecting Veeam Backup & Replication Infrastructure
We can connect either a standalone Veeam Backup & Replication server or a Veeam Backup Enterprise Manager to oversee all the servers it manages.
- in the main menu, select Add Server - Veeam Backup & Replication
- (if we don't have any server connected, the Veeam Backup & Replication view has an Add Backup Server button)
- enter the server address, its role, it is recommended to leave the agent to be installed on the Veeam Backup & Replication server, we can enable Veeam ONE dashboard integration into the Veeam Backup & Replication Console 12.1 (the Analytics view will be added)
- we must select / add the login credentials (Credentials) for connecting to the server
- complete the wizard by clicking Finish, the server will connect and the configuration and performance data of the backup server and infrastructure components will start synchronizing, all historical data stored on the server will be imported, the process typically takes tens of minutes
Account for Connection
The login credentials that we enter during the server connection are important. They will be used to connect to the backup server and all managed servers in the backup infrastructure (such as proxy, repository, etc.).
The permissions required for this account are listed in Connection to Veeam Backup & Replication Servers. It must have the Veeam Backup Administrator role, in some cases local administrator permissions on the server, WMI access and network permissions (Configuring Permissions to Remotely Access WMI). The account must not have MFA enabled for connection to Veeam Backup & Replication.
As recommended, a firewall is running on the Veeam Backup & Replication server, and it can block WMI. In Windows Firewall, we must allow Remote Event Log Management (see instructions in Preconfigure a Machine to Collect Remote Windows Events).
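On a hardened backup server, the Remote Event Log Management rules can be limited to the Veeam ONE server instead of being opened to every remote address. The following is an added example, not from the original article or the Veeam documentation; the IP address is a placeholder, the helper function name is hypothetical, and the rule group name is the English display name.

```powershell
# Added example. Run elevated on the Veeam Backup & Replication server.
$VeeamOneServer = '192.0.2.10'                   # assumption: placeholder address of the Veeam ONE server
$DisplayGroup   = 'Remote Event Log Management'  # predefined rule group (English display name)

function Get-RuleScope {
    param([string]$DisplayGroup)
    Get-NetFirewallRule -DisplayGroup $DisplayGroup -ErrorAction Stop | ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = ($filter.RemoteAddress -join ',')
        }
    }
}

# 1. Record the state before the change.
Get-RuleScope -DisplayGroup $DisplayGroup | Format-Table -AutoSize

# 2. Restrict the predefined rules to the Veeam ONE server, then enable them.
#    Other tools that read event logs remotely from this server would need
#    their addresses added to -RemoteAddress as well.
$rules = Get-NetFirewallRule -DisplayGroup $DisplayGroup -ErrorAction Stop
$rules | Set-NetFirewallRule -RemoteAddress $VeeamOneServer
$rules | Enable-NetFirewallRule

# 3. Verify: every rule should be enabled and scoped to a single address.
Get-RuleScope -DisplayGroup $DisplayGroup | Format-Table -AutoSize
```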
Different Account for Selected Components
In practice, we often encounter a situation where we use different accounts on various components. Connection to these components will fail and Veeam ONE will display an error. On these components, we need to set the correct account.
- right-click on the component and select Connection Settings
- choose Use custom credentials and select / add the login credentials (Credentials)
Connecting VMware vSphere Infrastructure
We can connect a vCenter Server or a standalone ESXi server.
- in the main menu, select Add Server - VMware vSphere
- (if we don't have any server connected, the Virtual Infrastructure view has an Add Server button)
- enter the server address and its role
- we must select / add the login credentials (Credentials) to connect to the server, we can also change the port
- Veeam ONE stores the TLS certificate thumbprint, if the certificate is not trusted, we must confirm it
- complete the wizard by clicking Finish, the server will connect and data collection will begin
The account we use to connect to vCenter and ESXi servers must have sufficient permissions. The list is provided in the Connection to Virtualization Servers.
Guest OS Credentials
Veeam ONE uses Guest OS Credentials to collect data from and control the hosted Windows OS (VMs). We can set the default login credentials in the main menu - Settings - Server Settings - Guest OS Credentials. Or we can specify an account on the VMware infrastructure elements (right-click, choose Guest OS Credentials). If we don't provide the credentials, the ones used for the VMware connection will be used.
Connecting Microsoft Hyper-V Infrastructure
We can connect an SCVMM Server, a Failover cluster, or a standalone Hyper-V server. If we want to connect an SCVMM server, the Veeam ONE server must have the SCVMM Admin Console installed (otherwise, an error will be displayed that the console is missing).
- in the main menu, choose Add Server - Microsoft Hyper-V
- (if we don't have any server connected, the Virtual Infrastructure view has an Add Server button)
- enter the server address and its role
- we must select / add login credentials (Credentials) to connect to the server, or change the port
- complete the wizard by clicking Finish, the server will connect, and data collection will begin
The account we use to connect to Hyper-V servers must have sufficient permissions. The list is provided in the Connection to Virtualization Servers.
Just like for VMware, Guest OS Credentials are used. When adding the first server, the Server Settings configuration will automatically open.
Selecting Objects to Monitor and Report On
When we connect a virtualization server, Veeam ONE will automatically start collecting data about all VMs and VM containers (hosts, clusters, datastores, etc.). Each such VM will consume 1 license (instance). If we don't have a license for all VMs in the infrastructure, we must set rules for including or excluding VMs from the data collection scope. We can also use this to monitor only selected VMs.
Veeam ONE includes a default rule for including all VMs and VM containers on the connected servers (VM monitoring inclusion rule). This can (must) be deactivated.
Note: Veeam ONE apparently has a limitation that allows adding twice as many VMs to monitoring as the license covers (at this point, however, we are exceeding the license). If we have more VMs in the infrastructure, it will create an Automatic exclusion rule, which we cannot turn off and which contains a list of VMs that are excluded.
Configuration is done as follows:
- in the main menu, choose Settings - Server Settings
- switch to the Monitored VMs tab
- here we can manage existing and create new Inclusion rules and Exclusion rules
Creating a Rule
- click on Create New
- enter a name and an optional description
- define the scope of the infrastructure to which the rule should apply (Apply Rule to), selecting containers (including subordinate objects) either from the Infrastructure View, Business View, or VMware Cloud Director View
- choose the VM selection criteria (VM Selection)
- By infrastructure location - will include all VMs from the hierarchy defined in the previous step
- By object name - will allow defining conditions (Conditions) on the VM name for inclusion in the rule (we can use the wildcard characters * and ?)
Monitoring Only Backed-up VMs
If we have licenses bought for the purpose of backup, and they don't cover all VMs, we can set a rule to monitor only the backed-up VMs. We can use the Business View for this, where under Virtual Machines and the platform, there is a container (category) called Last Backup Date. There may be a No backup group and then others containing backed-up VMs based on the last backup date.
We can therefore create a VM monitoring inclusion rule where
- for Apply Rule to, we add the path Virtual Machines - vSphere/Hyper-V - Last Backup Date - Within the last 24 hours from the Business View
- for VM Selection, we choose By infrastructure location
Note: We can create and edit the categories in the Business View. We can view the rule / expression used for grouping. Right-click on the category and choose Edit Category.
It's a pity that PostgreSQL cannot be used instead of MS SQL, as is the case with VBR :-(