Partial log collection or no logs are collected due to flooding of events in Event Viewer | EventLog Analyzer troubleshooting
Issue description
When high log flow is observed, Event Viewer may flood out, leading to partial or no logs being collected.
Possible cause
A high number of events being generated in a production environment server might exhaust or exceed the Event Viewer size. This may lead to events getting overwritten or EventLog Analyzer not being able to collect logs present in the Event Viewer due to scheduled log collection.
Prerequisites
- Need admin access to the server to update Event Viewer settings.
- Need log source configuration modification access for EventLog Analyzer.
Resolution
Case 1: Increase Event Viewer size to withstand at least 15 minutes of events for scheduled log collection.
Step 1: Increase the size of the Event Viewer Log folder to hold more events. This will increase the time of events existing in the Event Viewer.
Step 2: Open Event Viewer for the respective Windows device and right-click the log type > Properties. Increase the Event Viewer value.
Step 3: Review the time difference between the first and last message and set the Maximum log size (KB) accordingly.
Case 2: Set real-time log collection to collect the logs.
Step 1: Navigate to Settings > Log source configuration > Devices > Windows.
Step 2: Under the Actions column, click the Update icon for the respective device and set the Log Collection Mode to Realtime.
Step 3: Click Update.
Tips
- Set up Event Viewer to hold events based on log collection schedule.
- Review the configuration made in Audit Policies to ensure required events are being recorded and to avoid noisy events.
How to reach support
If the issue persists, please contact support.
Support Channels:
Toll-Free (US): +1 844 649 7766
Live Chat: EventLog Analyzer live chat support
New to ADSelfService Plus?
Related Articles
Troubleshooting: Some events are not available in the Search tab | EventLog Analyzer
Issue description The user might not be able to see some events that happened natively within the EventLog Analyzer Search tab. This article offers steps to review and resolve this issue. Possible causes The event was not recorded natively due to ...Enabling historic log collection in EventLog Analyzer
EventLog Analyzer collects all the logs present in the Windows Event Viewer (i.e., Windows Logs > Application, Security, System) when the historic log collection option is enabled. To enable historic log collection, follow the steps below: Navigate ...RPC server unavailable in EventLog Analyzer while collecting logs
Issue description The "RPC Server Unavailable" error occurs in EventLog Analyzer when it fails to establish a remote connection with a Windows server or workstation using RPC, WMI, or DCOM services. This issue typically arises due to network ...No data or logs collected from syslog device
Issue description During the initial setup or while using EventLog Analyzer, you might notice that logs are not being collected from a syslog device or that syslog device reports do not show any recent data. EventLog Analyzer uses device status ...How to collect historic logs from Windows devices in EventLog Analyzer
Objective When a Windows device is onboarded in EventLog Analyzer, log collection starts from the moment of onboarding. To retrieve Windows event logs generated before the onboarding, you can use the following methods: Historic log collection: Can be ...