Where to find Security & Compliance Analyzer results in Windows Event Log?

[matsusan]

The documentation for the Security & Compliance Analyzer states that results are written to the Windows Event Log.
(https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13)

However, I can't find these logs. I have already checked the "Veeam Backup", "Veeam Security", "Application" and "System" event log source without success.

Could you please clarify:

• Which specific Event Log contains the analyzer results?

• Are there any specific Event IDs for these scan results?

• What information is included in the log entries (e.g., a summary or detailed results)?

Thanks,
Ryoma

[david.domask]

Hi Ryoma,

Check the VeeamBackup event log under Application and Services Logs in event viewer, it will post with Event Id 41600.

Here's an example of an event (replaced server names with generic entries):

Code: Select all

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
		<Provider Name="Veeam MP"/>
		<EventID Qualifiers="0">41600</EventID>
		<Version>0</Version>
		<Level>3</Level>
		<Task>0</Task>
		<Opcode>0</Opcode>
		<Keywords>0x80000000000000</Keywords>
		<TimeCreated SystemTime="2026-05-14T20:05:21.1823719Z"/>
		<EventRecordID>287036</EventRecordID>
		<Correlation/>
		<Execution ProcessID="3460" ThreadID="0"/>
		<Channel>Veeam Backup</Channel>
		<Computer>{BACKUP SERVER}</Computer>
		<Security/>
	</System>
- <EventData>
		<Data>05/14/2026 20:02:24</Data>
		<Data>7509ce0c-8e75-487b-8c99-19b1c6e6920d</Data>
		<Data>RansomwareExtensions</Data>
		<Data>SYSTEM</Data>
		<Data>
			<ModifiedUserInfo fullName="SYSTEM" loginType="4"/>
		</Data>
		<Data>SOME VM</Data>
		<Data>05/14/2026 20:05:21</Data>
		<Data/>
		<Data/>
		<Data/>
		<Data/>
		<Data/>
		<Data/>
		<Data/>
		<Data/>
		<Data/>
		<Data>{BACKUP SERVER}</Data>
		<Data>13.0.1.2067</Data>
		<Data>1</Data>
		<Data>Locations of suspicious files can be found on the backup server at C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\suspicious_files_26-05-14.log Potential malware activity detected: *-decrypt.txt: 1 for OIB: 7509ce0c-8e75-487b-8c99-19b1c6e6920d (SOME VM), rule: Known malware extension by user: SYSTEM.</Data>
	</EventData>
</Event>

[matsusan]

Hi Domask,

Thank you for your prompt reply, as always.
I will check the information you provided.

Best regards,
Ryoma

[matsusan]

Hi Domask,

I checked the event log and indeed found the event with ID 41600. Thank you!

However, I have one additional question.
The guide states:
"All scan sessions are also written by Veeam Backup & Replication to Microsoft Windows Event Log."

Based on this, is my understanding correct that an event log is generated for every scan session, even when no malware is detected?

Thanks,
Ryoma

[rin]

Hi,
I hope you don’t mind me jumping into this thread.

I’m also interested in this topic and have been trying to find the same information.
If anyone from Veeam could provide guidance on where the Security & Compliance Analyzer results are stored in the Windows Event Log (or if they are available elsewhere), it would be greatly appreciated.

Just wanted to kindly follow up on this discussion.

Thanks,
Rin

[david.domask]

"All scan sessions are also written by Veeam Backup & Replication to Microsoft Windows Event Log."

Based on this, is my understanding correct that an event log is generated for every scan session, even when no malware is detected?

Glad you were able to locate them; for your question, I believe we need to update the text in the User Guide as my understanding is that only sessions that find potential malware activity are logged, I will work to have the User Guide updated.

@rin

If anyone from Veeam could provide guidance on where the Security & Compliance Analyzer results are stored in the Windows Event Log (or if they are available elsewhere), it would be greatly appreciated.

Please see my earlier post, Event ID 41600 is what you want. You can find all of our Event IDs in this section of the User Guide.