I have been running a POC for SIEM event log forwarding.
I have put a bunch of exclusions in place using the filters to restrict the amount of data being shipped to the SIEM.
I have found that I am receiving events for replica jobs Starting, Stopping and Completed.
In the SIEM logs I can see the origin enterpriseid=31023; when I try to add this to the filter, it says the event isn't found.
Upon investigating the VBR server logs I can see that in the event log these events show with an event ID of 0 (Completed), 1 (Started) & 2 (Stopped).
When I try to put those events into the filter they also aren't recognised as valid events.
Has anybody else come across this?
- Veeam Legend
- Full Name: Mark Boothman
- Location: Darlington, United Kingdom
- Veeam Software
Re: Possible BUG - Veeam Event Logs
Hi @MarkBoothmaa,
For Syslog messages, the InstanceID is relevant for filtering (in Windows Event Log the Event ID). All Events are documented in the Events Reference: https://helpcenter.veeam.com/docs/backu ... _list.html.
A job start has the ID 110, and a job end has the ID 190. Further events are generated during a replication job.
Important: Backup jobs generate the same start and stop IDs when executed, so pay attention to this when filtering.
Cheers,
Steve
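Added example, not part of the original posts and not Veeam's code: a small Python survey of forwarded syslog lines by instanceId, showing which events an exclusion on IDs 110 and 190 would drop, backup jobs included. The sample lines, host and job names, and the assumed RFC 5424 structured-data layout are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines. The layout (RFC 5424, an "origin" element followed by
# an element carrying instanceId) is an assumption, not captured output.
HDR = '<14>1 2024-05-01T01:00:00Z vbr01 vbr - - [origin enterpriseId="31023"] '
SAMPLE = [
    HDR + '[categoryId=0 instanceId=110] Replication job "Replica-DC" started',
    HDR + '[categoryId=0 instanceId=190] Replication job "Replica-DC" finished',
    HDR + '[categoryId=0 instanceId=110] Backup job "Nightly-FS" started',
    HDR + '[categoryId=0 instanceId=190] Backup job "Nightly-FS" finished',
    '<13>1 2024-05-01T01:05:00Z fw01 app - - [origin enterpriseId="99999"] other source',
]

# key=value pairs inside a structured-data element, quoted or bare
PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s\]]+))')

def parse(line):
    """Return structured-data params (keys lower-cased) plus the free text."""
    fields = {}
    for element in re.findall(r'\[([^\]]*)\]', line):
        for key, quoted, bare in PARAM.findall(element):
            fields[key.lower()] = quoted or bare
    fields["msg"] = line.rsplit("]", 1)[-1].strip()
    return fields

def instance_id(line):
    """instanceId as int, or None when the line carries none."""
    value = parse(line).get("instanceid", "")
    return int(value) if value.isdigit() else None

def survey(lines):
    """Count events per instanceId, the value the forwarding filter keys on."""
    return Counter(i for i in map(instance_id, lines) if i is not None)

def split_by_exclusion(lines, excluded_ids):
    """Return (kept, dropped) for a filter that excludes the given instanceIds."""
    kept, dropped = [], []
    for line in lines:
        (dropped if instance_id(line) in excluded_ids else kept).append(line)
    return kept, dropped

if __name__ == "__main__":
    print(survey(SAMPLE))
    kept, dropped = split_by_exclusion(SAMPLE, {110, 190})
    for line in dropped:
        print("dropped:", parse(line)["msg"])
```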