Feature request: Syslog message for backup deletion

[gwyn]

Hello,

based on the support request we have raised in the past (Case #07278696), I would like to request a feature for VBR Syslog messages as per out customers request.

Syslog does not currently send a message whenever a backup is deleted either from Disk, Disk (Copy), Capacity Tier and probably any other backup targets.

For the reference, I am talking about backed up data. Not backup jobs.



Thank you.

[Mildur]

Hello gwyn,

There should already be an event logged to Syslog. Do you see different behavior?
--> https://helpcenter.veeam.com/docs/backu ... ml?ver=120

We also have an event in case a user has insufficient permission to delete backups:
--> https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Additionally, consider to enable Four-Eyes Authorization as an additional challenge for deleting backups.
Please note, Four-Eyes Authorization is not an alternative for immutable or air-gapped backup storage. You still need such backup targets to protect your backups against unwanted deletion.

Best regards,
Fabian

PS: We run a test in our lab. Deleted a backup from disk and we got this event logged in syslog for every single restore point in that backup:

[gwyn]

Hello,

thank you for the test. I was sure yesterday it did not receive any notification. Sorry about that. However today, I can confirm the event is displayed.

However, I have a message saying "Restore point for VM 'TESTVM01' has been remove by user SYSTEM.". Yours display specific user that performed the delete.



Any idea why?

Thank you

[Mildur]

Hi gwyn

"SYSTEM" means the retention policy (job session or background retention job) removed a restore point.

Best,
Fabian

[gwyn]

But I was the one who deleted it. That why it should display my username.

[C Y R I L]

Hello,

I’m following up on this topic after opening a support ticket with Veeam (#07821896).

@gwyn: In your screenshot, we can see that the restore point is encrypted.

We identified that the issue occurs only when deleting encrypted restore points:
- For non-encrypted jobs, the deletion correctly generates a Windows event (event ID 10050 “Restore Point Deleted”), which is then forwarded to the Syslog server.
- For encrypted jobs, no entry is created in the Windows Event Log, so no Syslog message is generated.

This seems inconsistent because:
- The documentation for event 10050 makes no distinction between encrypted and non-encrypted restore points:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
- When creating a restore point (event ID 10010), the event is generated for both encrypted and non-encrypted restore points:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

So we would expect to receive a Syslog message for all deletions, regardless of the restore point type.
And I would argue that tracing a deletion is even more critical than a creation, from an auditing and traceability perspective.

Could you please confirm whether this is a bug or a current limitation?

Thank you,
Have a good day.