Help with a filter for veeam backups

edited June 2014 in General
Daily we get an email from servers that complete their Veeam backups. We're virtual and you might know Veeam as one of the top virtual machine backup applications. What happens is it starts a service that assists with VSS snapshots on servers running things like Exchange or SQL, so it's not entirely a crash-consistent backup. When the backup is done, it writes to the event log that it is removing its service. EventSentry picks up on this and emails the IT team. We just ignore it because we understand the timing of these emails and the contents of the message coincide with the backup job. Here is an example message:

EVENT # 139416
EVENT LOG Application
EVENT TYPE Error
OPCODE Info
SOURCE EventSentry
CATEGORY Service Monitoring
EVENT ID 10102
DATE / TIME 6/4/2014 10:40:19 PM
COMPUTERNAME ACTSERVER
MESSAGE A service was removed: veeamvsssupport (VeeamVssSupport).

Additional Service Information:

Status: Running
Startup type: Automatic
Executable: C:\Windows\VeeamVssSupport\VeeamGuestAgent.exe
Service account: LocalSystem


Now under Generic Windows I created an Exclude filter called Veeam. In it I have Application log checked, and Information, Warning and Error checked for Severity. For Source I have EventSentry. For Category I have Service Monitoring. For Content Filter & Notes I have one Wildcard entry with the filter text veeamvsssupport.

The particular machine here does have "generic windows" as an Assigned Event Log Package (among a few others as well). It's running the agent version 3.0.1.98.

Last night I got an email again (as you can see above). I'm not sure, but does it look like I'm missing anything?

Comments

  • Hi Keith,

    I believe the filter is not working because you are missing the wildcard characters before and after the filter text; it should be *veeamvsssupport*.

    A better way to filter would be to use the insertion string - instead of "Wildcard Match" you would set the content filter to "Insertion String" and select "1" for the insertion string (with the default setting "matches") and then simply specify the service name in the content filter like you did originally - veeamvsssupport.

    When EventSentry logs the 10102 event, the service name is passed in as insertion string number 1.

    Let us know if that works.
  • Hey that's pretty cool, I didn't realize that, but you're right. Now that I look at other excludes I see the * in front and behind them.

    I'm going to try the insertion string number 1 method. I won't know until later tonight because that's when the backup runs and the service is pushed, started, then removed when the backup is complete.
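
Added example (not part of the thread and not EventSentry's code): a small Python model of the two content-filter modes discussed in the first reply, showing why the bare filter text excludes nothing, and why matching insertion string 1 is narrower than `*veeamvsssupport*`. Assumptions: wildcard matching covers the whole message and is case-insensitive (modelled with `fnmatch`), events are plain dicts, and the `backupagent` service and its path are constructed sample data.

```python
from fnmatch import fnmatchcase

def make_event(service, display, exe_path):
    """Constructed 10102 event shaped like the e-mail in the post."""
    return {
        "event_id": 10102,
        # Per the reply, insertion string 1 carries the service name.
        "insertion_strings": [service],
        "message": (f"A service was removed: {service} ({display}).\n\n"
                    "Additional Service Information:\n\n"
                    "Status: Running\nStartup type: Automatic\n"
                    f"Executable: {exe_path}\nService account: LocalSystem\n"),
    }

def wildcard_excludes(event, pattern):
    # Assumption: the pattern must cover the whole message text, so a bare
    # word only matches a message consisting of exactly that word.
    return fnmatchcase(event["message"].lower(), pattern.lower())

def insertion_excludes(event, number, value):
    # "Insertion String" mode with "matches": compare one field exactly.
    strings = event["insertion_strings"]
    return (1 <= number <= len(strings)
            and strings[number - 1].lower() == value.lower())

VEEAM = make_event("veeamvsssupport", "VeeamVssSupport",
                   r"C:\Windows\VeeamVssSupport\VeeamGuestAgent.exe")
# Constructed: an unrelated service whose path merely contains the same text.
OTHER = make_event("backupagent", "Backup Agent",
                   r"C:\Tools\veeamvsssupport-logs\agent.exe")

def results():
    """Exclude decision per (filter, event); True means no e-mail is sent."""
    return {
        "bare word / veeam": wildcard_excludes(VEEAM, "veeamvsssupport"),
        "*word* / veeam": wildcard_excludes(VEEAM, "*veeamvsssupport*"),
        "*word* / other": wildcard_excludes(OTHER, "*veeamvsssupport*"),
        "insertion 1 / veeam": insertion_excludes(VEEAM, 1, "veeamvsssupport"),
        "insertion 1 / other": insertion_excludes(OTHER, 1, "veeamvsssupport"),
    }

if __name__ == "__main__":
    for name, excluded in results().items():
        print(f"{name:22} excluded={excluded}")
```

In this model the `*veeamvsssupport*` wildcard also suppresses the unrelated service-removal alert, while the insertion string 1 filter suppresses only the Veeam one.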