Alerts
Veeam App for Splunk provides built-in alerts that are triggered when Splunk search results meet alert conditions. Alert conditions are based on Veeam security and monitoring events and are checked periodically at specific time intervals. By default, all alerts are disabled; if enabled, they expire in 24 hours.
Alert List
The Alerts section includes the following alerts:
Alert | Trigger Condition | Alert Severity | Time Interval for Check |
---|---|---|---|
Adding User or Group Failed | At least one Veeam event with ID 31210 (Adding User or Group Failed) is found. | Critical | Every 5 minutes |
Allowed Attempts for Multi-Factor Authentication Exceeded | At least one Veeam event with ID 40206 (Allowed Attempts for Multi-Factor Authentication Exceeded) is found. | Critical | Every 5 minutes |
Application Group Deleted | At least one Veeam event with ID 30500 (Application Group Deleted) is found. | Info | Once a day |
Application Group Settings Updated | At least one Veeam event with ID 30400 (Application Group Settings Updated) is found. | Info | Once a day |
Archive Repository Deleted | At least one Veeam event with ID 29900 (Archive Repository Deleted) is found. | Critical | Every 5 minutes |
Archive Repository Settings Updated | At least one Veeam event with ID 29800 (Archive Repository Settings Updated) is found. | Medium | Every 3 hours |
Attempt to Delete Backup Failed | At least one Veeam event with ID 41800 (Attempt to Delete Backup Failed) is found. | Critical | Every 5 minutes |
Attempt to Update Security Object Failed | At least one Veeam event with ID 41810 (Attempt to Update Security Object Failed) is found. | Medium | Every 5 minutes |
Backup Repository Deleted | At least one Veeam event with ID 28200 (Backup Repository Deleted) is found. | Critical | Every 5 minutes |
Backup Repository Settings Updated | At least one Veeam event with ID 28100 (Backup Repository Settings Updated) is found. | Medium | Every 3 hours |
Cloud Replica Permanent Failover Performed by Tenant | At least one Veeam event with ID 27000 (Cloud Replica Permanent Failover Performed by Tenant) is found. | High | Every 5 minutes |
Configuration Backup Job Failed | At least one Veeam event with ID 40700 (Configuration Backup Job Finished) and state Failed is found. | High | Every 3 hours |
Configuration Backup Job Settings Updated | At least one Veeam event with ID 31500 (Configuration Backup Job Settings Updated) is found. | Info | Once a day |
Connection to Backup Repository Lost | At least one Veeam event with ID 21224 (Connection to Backup Repository Lost) is found. | Critical | Every 5 minutes |
Credential Record Deleted | At least one Veeam event with ID 25500 (Credential Record Deleted) is found. | Critical | Every 5 minutes |
Encryption Password Added | At least one Veeam event with ID 31600 (Encryption Password Added) is found. | Info | Once a day |
Encryption Password Deleted | At least one Veeam event with ID 31800 (Encryption Password Deleted) is found. | Critical | Every 5 minutes |
Encryption Password Changed | At least one Veeam event with ID 31700 (Encryption Password Changed) is found. | High | Every 5 minutes |
External Repository Deleted | At least one Veeam event with ID 32200 (External Repository Deleted) is found. | Critical | Every 5 minutes |
Failover Plan Deleted | At least one Veeam event with ID 26100 (Failover Plan Deleted) is found. | Medium | Every 3 hours |
Failover Plan Failed | At least one Veeam event with ID 26110 (Failover Plan Failed) is found. | Medium | Every 3 hours |
File Server Deleted | At least one Veeam event with ID 28950 (File Server Deleted) is found. | High | Every 5 minutes |
File Share Deleted | At least one Veeam event with ID 28920 (File Share Deleted) is found. | High | Every 5 minutes |
Four-Eyes Authorization Disabled | At least one Veeam event with ID 42401 (Four-Eyes Authorization Disabled) is found. | Critical | Every 5 minutes |
Four-Eyes Authorization Request Created | At least one Veeam event with ID 42402 (Four-Eyes Authorization Request Created) is found. | Critical | Every 5 minutes |
Four-Eyes Authorization Request Expired | At least one Veeam event with ID 42405 (Four-Eyes Authorization Request Expired) is found. | High | Every 5 minutes |
Four-Eyes Authorization Request Rejected | At least one Veeam event with ID 42404 (Four-Eyes Authorization Request Rejected) is found. | Info | Once a day |
Global VM Exclusions Added | At least one Veeam event with ID 40400 (Global VM Exclusions Added) is found. | High | Every 5 minutes |
Global VM Exclusions Deleted | At least one Veeam event with ID 40500 (Global VM Exclusions Deleted) is found. | Medium | Every 3 hours |
Global VM Exclusions Changed | At least one Veeam event with ID 40600 (Global VM Exclusions Changed) is found. | High | Every 5 minutes |
Host Deleted | At least one Veeam event with ID 28500 (Host Deleted) is found. | High | Every 5 minutes |
Invalid Code for Multi-Factor Authentication Entered | At least one Veeam event with ID 40205 (Invalid Code for Multi-Factor Authentication Entered) is found. | High | Every 5 minutes |
Job Deleted | At least one Veeam event with ID 23090 (Job Deleted) is found. | Critical | Every 5 minutes |
Job No Longer Used as Second Destination | At least one Veeam event with ID 23420 (Job No Longer Used as Second Destination) is found. | High | Every 5 minutes |
KMS Key Rotation Job Finished | At least one Veeam event with ID 42500 (KMS Key Rotation Job Finished) is found. | Info | Once a day |
KMS Server Deleted | At least one Veeam event with ID 42301 (KMS Server Deleted) is found. | Critical | Every 5 minutes |
KMS Server Settings Updated | At least one Veeam event with ID 42302 (KMS Server Settings Updated) is found. | High | Every 5 minutes |
License Grace Period Started | At least one Veeam event with ID 24060 (License Grace Period Started) is found. | Medium | Every 3 hours |
License Removed | At least one Veeam event with ID 24080 (License Removed) is found. | High | Every 5 minutes |
License Limit Exceeded | At least one Veeam event with ID 24070 (License Limit Exceeded) is found. | Medium | Every 3 hours |
License Support Expired | At least one Veeam event with ID 24050 (License Support Expired) is found. | High | Every 5 minutes |
License Support Expiring | At least one Veeam event with ID 24040 (License Support Expiring) is found. | Medium | Every 3 hours |
Malware Activity Detected | At least one Veeam event with ID 41600 (Malware Activity Detected) is found. | Critical | Every 5 minutes |
Malware Detection Session Finished | At least one Veeam event with ID 42210 (Malware Detection Session Finished) is found. | Info | Every 3 hours |
Malware Detection Settings Updated | At least one Veeam event with ID 42290 (Malware Detection Settings Updated) is found. | High | Every 5 minutes |
Multi-Factor Authentication Disabled | At least one Veeam event with ID 40201 (Multi-Factor Authentication Disabled) is found. | Critical | Every 5 minutes |
Multi-Factor Authentication for User Disabled | At least one Veeam event with ID 40204 (Multi-Factor Authentication for User Disabled) is found. | Critical | Every 5 minutes |
No Events Found for the Last 24h | No Veeam events from specific data source hosts are found for the last 24 hours. Note that the alert checks only data source hosts specified for locations. For more information, see Managing Locations. | Medium | Once a day at 12:00 AM |
Object Marked as Clean | At least one Veeam event with ID 41610 (Object Marked as Clean) is found. | Info | Once a day |
Object Storage Deleted | At least one Veeam event with ID 28980 (Object Storage Deleted) is found. | Critical | Every 5 minutes |
Object Storage Settings Updated | At least one Veeam event with ID 28970 (Object Storage Settings Updated) is found. | Medium | Every 3 hours |
Objects Added to Malware Detection Exclusions | At least one Veeam event with ID 42260 (Objects Added to Malware Detection Exclusions) is found. | High | Every 5 minutes |
Objects Deleted from Malware Detection Exclusions | At least one Veeam event with ID 42270 (Objects Deleted from Malware Detection Exclusions) is found. | Info | Once a day |
Objects for Job Deleted | At least one Veeam event with ID 32120 (Objects for Job Deleted) is found. | High | Every 5 minutes |
Protection Group Deleted | At least one Veeam event with ID 29120 (Protection Group Deleted) is found. | High | Every 5 minutes |
Objects for Protection Group Deleted | At least one Veeam event with ID 29150 (Objects for Protection Group Deleted) is found. | High | Every 5 minutes |
Recovery Token Deleted | At least one Veeam event with ID 36013 (Recovery Token Deleted) is found. | Medium | Every 3 hours |
Restore Point Marked as Clean | At least one Veeam event with ID 42230 (Restore Point Marked as Clean) is found. | Info | Once a day |
Restore Point Marked as Infected | At least one Veeam event with ID 42220 (Restore Point Marked as Infected) is found. | Critical | Every 5 minutes |
SSH Credentials Changed | At least one Veeam event with ID 31900 (SSH Credentials Changed) is found. | High | Every 5 minutes |
Scale-Out Backup Repository Deleted | At least one Veeam event with ID 30200 (Scale-Out Backup Repository Deleted) is found. | Critical | Every 5 minutes |
Scale-Out Backup Repository Settings Updated | At least one Veeam event with ID 30100 (Scale-Out Backup Repository Settings Updated) is found. | High | Every 5 minutes |
Storage Deleted | At least one Veeam event with ID 41402 (Storage Deleted) is found. | Critical | Every 5 minutes |
SureBackup Job Failed | At least one Veeam event with ID 390 (SureBackup Job Finished) and state Failed is found. | High | Every 3 hours |
Tape Erase Job Started | At least one Veeam event with ID 115 (Tape Erase Job Started) is found. | High | Every 5 minutes |
User or Group Added | At least one Veeam event with ID 31200 (User or Group Added) is found. | High | Every 5 minutes |
User or Group Deleted | At least one Veeam event with ID 31400 (User or Group Deleted) is found. | Critical | Every 3 hours |
Managing Alerts
You can perform the following operations with alerts:
- View detailed information on the alert query and search results. To do this, select an alert and click Open in Search. A new window with the search query will be opened.
- Edit a specific alert. To do this, select an alert and click Edit > Edit Alert. In the opened window, you can do the following:
  - Add the alert description.
  - Change the alert type.
  - Change default parameters for the scheduled alert.
  - Change trigger conditions.
  - Change the alert severity or add another trigger action.
- Edit alert permissions. To do this, select an alert and click Edit > Edit Permissions.
- Disable a specific alert. To do this, select an alert and click Edit > Disable. Note that trigger history and results related to this alert will be deleted.
For more information about alerts, see Splunk documentation:
- Alerting Manual for Splunk Enterprise
- Alerting Manual for Splunk Cloud Platform