How to get notified about unprocessed log files in EventLog Analyzer

Objective

EventLog Analyzer provides email notifications when unprocessed log files accumulate and form cached records. This helps administrators detect potential issues in log ingestion or processing early, enabling proactive troubleshooting to avoid data loss or performance degradation.
When EventLog Analyzer is unable to process incoming logs quickly enough, those logs are temporarily written into unprocessed log files (<Installation Directory>\ManageEngine\EventLog Analyzer\ES\CachedRecord) for later processing. These files are processed sequentially once the system resources are available. You can configure a limit for the number of such files, and a notification will be sent when this threshold is exceeded.
In a new installation of EventLog Analyzer, the default threshold for unprocessed log files is set to 100. In older builds, the threshold is set based on the total size of the cached records created, typically 50GB.

Prerequisite

  • Email server settings must be configured under Settings > System Settings > Notification Settings > Mail Settings.

Steps to follow

Step 1: Navigate to Settings > Admin Settings > Product Settings > Product Notifications.
Step 2: Enable the option Unprocessed Log Files.
Step 3: Click Save to apply the settings.

Tips

Unprocessed log files typically occur in the following scenarios:
1. When there is a delay in log processing due to insufficient resources (RAM or CPU)
Refer to the system resources table and meet the hardware requirements accordingly.
2. When there's a sudden spike or fluctuation in the log flow
Always meet the hardware requirements with an additional buffer to handle such situations.
For example, say you are a medium-sized organization and your environment generates a normal log flow of 1,500 Windows events per second (EPS) and 10,000 syslog messages per second. Meet the setup and hardware requirements for a high log flow, so that in the event of a sudden spike the product can process the logs faster.
3. When the disk space on the server where EventLog Analyzer is installed falls below 20GB
It is always recommended to install EventLog Analyzer on a dedicated partition (other than the C drive) and allocate the disk space based on the log flow. Refer to the system resources table and meet the disk space requirements accordingly.
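The threshold logic described above (file count above 100 on new installations, total cached size above 50GB on older builds, and free disk space below 20GB) can also be checked independently of the product's own notification, for example from a scheduled task that feeds a separate monitoring system. The script below is an added example, not ManageEngine's code; the CachedRecord path is taken from this article and the installation directory, the `--size-based` switch and the function names are assumptions.

```python
"""Independent check of the EventLog Analyzer cached-record backlog (example, not vendor code)."""
from dataclasses import dataclass, field
from pathlib import Path
import shutil
import sys

GIB = 1024 ** 3
FILE_COUNT_THRESHOLD = 100        # default unprocessed-file limit in a new installation (article)
CACHED_SIZE_THRESHOLD = 50 * GIB  # older builds: limit on total size of cached records (article)
FREE_DISK_THRESHOLD = 20 * GIB    # backlog is expected when free disk drops below 20GB (article)
# Assumed default install location; adjust to your <Installation Directory>.
DEFAULT_CACHED_DIR = Path(r"C:\ManageEngine\EventLog Analyzer\ES\CachedRecord")


@dataclass
class BacklogStatus:
    file_count: int
    cached_bytes: int
    free_bytes: int
    reasons: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return bool(self.reasons)


def evaluate(file_count: int, cached_bytes: int, free_bytes: int,
             size_based: bool = False) -> BacklogStatus:
    """Apply the article's thresholds; size_based=True mimics older builds."""
    reasons = []
    if size_based and cached_bytes > CACHED_SIZE_THRESHOLD:
        reasons.append(f"cached records {cached_bytes / GIB:.1f} GiB exceed 50GB limit")
    if not size_based and file_count > FILE_COUNT_THRESHOLD:
        reasons.append(f"{file_count} unprocessed files exceed limit of {FILE_COUNT_THRESHOLD}")
    if free_bytes < FREE_DISK_THRESHOLD:
        reasons.append(f"free disk {free_bytes / GIB:.1f} GiB is below 20GB")
    return BacklogStatus(file_count, cached_bytes, free_bytes, reasons)


def check_cached_records(cached_dir: Path = DEFAULT_CACHED_DIR, size_based: bool = False) -> BacklogStatus:
    """Scan the CachedRecord directory and the free space of the volume it lives on."""
    files = [p for p in cached_dir.iterdir() if p.is_file()]  # raises if the path is wrong
    total = sum(p.stat().st_size for p in files)
    free = shutil.disk_usage(cached_dir).free
    return evaluate(len(files), total, free, size_based)


if __name__ == "__main__":
    status = check_cached_records(size_based="--size-based" in sys.argv)
    for reason in status.reasons:
        print("ALERT:", reason)
    sys.exit(1 if status.alert else 0)  # non-zero exit lets a scheduler raise its own alarm
```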
