Comprehensive data protection for all workloads
Post Reply
pirx
Veteran
Posts: 650
Liked: 98 times
Joined: Dec 20, 2015 6:24 pm
Contact:

Restore point for VM 'xxxx' has been removed.

Post by pirx »

Case 06168298

I thought this would be an easy one as I just needed confirmation which (background) task is responsible for Windows event log entries like "Restore point for VM 'xxxxx4' has been removed.". I know that this is logged when retention is applied and I see a lot of those entries when jobs are running. But there also entries that don't match any job, there was no job running at the time the event was loggend.

The event logs are forwarded to a SIEM system and the SIEM team now creates rules for alerting, for example when backups are deleted. And they need to find rules how to exclude known events. In this case there is currently nothing that correlates so it would trigger an alarm.
HannesK
Product Manager
Posts: 15594
Liked: 3442 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Restore point for VM 'xxxx' has been removed.

Post by HannesK »

Hello,
that sounds like background retention which exists to apply retention for example if a job was deleted.

https://helpcenter.veeam.com/docs/backu ... ml?ver=120 - do you see it around 00:30 or was that time maybe adjusted?

Best regards,
Hannes
pirx
Veteran
Posts: 650
Liked: 98 times
Joined: Dec 20, 2015 6:24 pm
Contact:

Re: Restore point for VM 'xxxx' has been removed.

Post by pirx »

We are still on v11, IIRC it background retention does not exist there. The times are different, in the example on the case it was around 10:10 CET.
HannesK
Product Manager
Posts: 15594
Liked: 3442 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Restore point for VM 'xxxx' has been removed.

Post by HannesK »

for V11, background retention only exists for GFS restore points.

I assume it's best to continue with support to find out what deletes the restore points. As it's a Veeam event in the event log, they should find something. At least I'm out of guesses :-)
Post Reply

Who is online

Users browsing this forum: Amazon [Bot], Baidu [Spider], Google [Bot], Semrush [Bot] and 40 guests