I get "Suspicious incremental backup size" alerts most nights. If I'm using the "Veeam restore point utility" below correctly, it seems that I get alerts for small differences that meet the percent change threshold, but are not big enough for me to care about. For example, if a server has a 100MB most nights, but then a night with a 200 MB incremental, I get an alert because the size is 200% the normal size, but I don't care about since it's only 100 MB different.
There is an option to change Detection Type from "Relative" to "Absolute", but this alerts for any incremental size exceeding the amount, say 5 GB. Is there a way to configure a fixed amount relative to the normal for the VM? For example, if an incremental backup is 5 GB more or less than the previous incremental backup for that VM, to send the alert? This would filter out small changes I don't care about.
References:
https://www.veeam.com/blog/big-incremental-backup.html (example usage)
https://github.com/VeeamHub/veeam-restore-point-utility (application)
-
- Enthusiast
- Posts: 39
- Liked: 5 times
- Joined: Oct 28, 2019 6:02 pm
- Contact:
-
- Veeam Software
- Posts: 745
- Liked: 191 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Suspicious incremental backup size - exceptions for absolute size difference?
Hello ValiantMartian,
Currently, there is no way to configure a fixed amount relative to the normal.
In your case, I would suggest creating custom alarms:
relative < 100%
relative > 100%
absolute < 5 GB
absolute > 5 GB
Then utilize Job name or Exclude jobs filters to sort the jobs between these alarms. Also please keep in mind that there is no need to assign the alarms to the whole infrastructure. You may specify a dedicated VBR server for the alarms above.
Having that, small 200 MB increments should never trigger for > 100% because of exclusion but will trigger for an absolute > 5GB. Would it work in your case?
Thanks
Currently, there is no way to configure a fixed amount relative to the normal.
In your case, I would suggest creating custom alarms:
relative < 100%
relative > 100%
absolute < 5 GB
absolute > 5 GB
Then utilize Job name or Exclude jobs filters to sort the jobs between these alarms. Also please keep in mind that there is no need to assign the alarms to the whole infrastructure. You may specify a dedicated VBR server for the alarms above.
Having that, small 200 MB increments should never trigger for > 100% because of exclusion but will trigger for an absolute > 5GB. Would it work in your case?
Thanks
-
- Enthusiast
- Posts: 39
- Liked: 5 times
- Joined: Oct 28, 2019 6:02 pm
- Contact:
Re: Suspicious incremental backup size - exceptions for absolute size difference?
Since the rules on alarms use OR logic and I can't do AND, are you suggesting separate rules using "exclude jobs/job name" filters, where I would could have different thresholds for different jobs? That might get me a little closer, but jobs vary wildly in the amount of incremental backup size they generate.
-
- Veeam Software
- Posts: 745
- Liked: 191 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Suspicious incremental backup size - exceptions for absolute size difference?
Hello ValiantMartian,
Correct the AND logic is not achievable at the moment. I agree, that incremental backup size could vary dramatically and the purpose of the alarm is to detect a suspicious size.
If we would take into consideration the analysis depth parameter the fluctuations should be mitigated to some extent. In that case, even a small deviation could become critical but ignored because of AND logic and multiple conditions. That is why I suggested splitting jobs between 4 conditions.
Could you please provide maybe a little bit more examples of what could be suspicious in your environment? I have a feeling that cases when for example "> 100% AND > 5GB" could be ignored because 99% or 4.9GB but the increment still looks like a suspicious one.
Thanks
Correct the AND logic is not achievable at the moment. I agree, that incremental backup size could vary dramatically and the purpose of the alarm is to detect a suspicious size.
If we would take into consideration the analysis depth parameter the fluctuations should be mitigated to some extent. In that case, even a small deviation could become critical but ignored because of AND logic and multiple conditions. That is why I suggested splitting jobs between 4 conditions.
Could you please provide maybe a little bit more examples of what could be suspicious in your environment? I have a feeling that cases when for example "> 100% AND > 5GB" could be ignored because 99% or 4.9GB but the increment still looks like a suspicious one.
Thanks
Who is online
Users browsing this forum: koravit and 164 guests