Partial log collection or no logs are collected due to flooding of events in Event Viewer | EventLog Analyzer troubleshooting

Issue description

When a high volume of events is being written, the Event Viewer log can fill up and begin overwriting older events before they are collected, leading to partial or no logs being collected.

Possible cause

A high number of events being generated on a production server can exhaust or exceed the configured Event Viewer log size. Events may then be overwritten before the next scheduled collection runs, so EventLog Analyzer is unable to collect the logs that were present in the Event Viewer.

Prerequisites

  • Need admin access to the server to update Event Viewer settings.
  • Need log source configuration modification access for EventLog Analyzer.

Resolution

Case 1: Increase the Event Viewer log size so that it retains at least 15 minutes of events for scheduled log collection.

Step 1: Increase the size of the Event Viewer log so that it holds more events. This increases how long events remain in the Event Viewer before they are overwritten.
Step 2: Open Event Viewer on the respective Windows device and right-click the log type > Properties. Increase the Maximum log size (KB) value.
Step 3: Review the time difference between the first and last message currently in the log and set the Maximum log size (KB) so that the log covers at least the scheduled collection interval.
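The check in Step 3 can be scripted on the Windows device. The following is an added example, not part of the original article or the EventLog Analyzer product; it reads the current configuration of a log, measures the time span between the oldest and newest records, and, when that span is shorter than the collection interval, extrapolates the Maximum log size needed. $LogName and $RetentionMinutes are assumptions to adjust for the log and schedule in question.

```powershell
# Added example (not from the KB article): estimate how long a Windows event log
# currently retains events and size it for the scheduled collection window.
# $LogName and $RetentionMinutes are assumptions; adjust them for your environment.
$LogName          = 'Security'
$RetentionMinutes = 15

# Current configuration of the log: mode, maximum size, current file size, record count
$cfg = Get-WinEvent -ListLog $LogName

# Oldest and newest records currently present in the log
$oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName $LogName -MaxEvents 1
if (-not $oldest -or -not $newest) { throw "Log '$LogName' contains no events to measure." }

$span = $newest.TimeCreated - $oldest.TimeCreated
Write-Host ("Log mode         : {0}" -f $cfg.LogMode)
Write-Host ("Maximum size     : {0:N0} KB" -f ($cfg.MaximumSizeInBytes / 1KB))
Write-Host ("Current size     : {0:N0} KB" -f ($cfg.FileSize / 1KB))
Write-Host ("Records retained : {0:N0}" -f $cfg.RecordCount)
Write-Host ("Oldest event     : {0}" -f $oldest.TimeCreated)
Write-Host ("Newest event     : {0}" -f $newest.TimeCreated)
Write-Host ("Retention span   : {0:N1} minutes" -f $span.TotalMinutes)

if ($span.TotalMinutes -lt $RetentionMinutes) {
    # Bytes written per minute, extrapolated to the required window with 50% headroom.
    $bytesPerMinute = $cfg.FileSize / [Math]::Max($span.TotalMinutes, 1)
    $requiredBytes  = [long]($bytesPerMinute * $RetentionMinutes * 1.5)
    # Event log sizes are allocated in 64 KB blocks, so round up to the next block.
    $requiredBytes  = [long][Math]::Ceiling($requiredBytes / 64KB) * 64KB
    Write-Warning ("Log covers less than {0} minutes; a Maximum log size of about {1:N0} KB is needed." `
        -f $RetentionMinutes, ($requiredBytes / 1KB))

    # Uncomment to apply the new size (requires administrator rights). This is the
    # same setting as Event Viewer > Properties > Maximum log size (KB).
    # $cfg.MaximumSizeInBytes = $requiredBytes
    # $cfg.SaveChanges()
    # Equivalent command-line form: wevtutil sl $LogName /ms:$requiredBytes
} else {
    Write-Host "Log already covers the required window; no size change needed."
}
```

Run the script in an elevated PowerShell session on the device itself; the size recommendation is only as good as the sample, so take the measurement during the period of peak log flow rather than at a quiet time.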

Case 2: Set real-time log collection to collect the logs.

Step 1: Navigate to Settings > Log source configuration > Devices > Windows.
Step 2: Under the Actions column, click the Update icon for the respective device and set the Log Collection Mode to Realtime.
Step 3: Click Update.

Tips

  • Configure the Event Viewer log size so that it holds events for at least the length of the log collection schedule.
  • Review the Audit Policy configuration to ensure that the required events are being recorded and that noisy, unneeded events are not.
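Before tuning the audit policy, it helps to know which event IDs actually make up the flood. The following is an added example, not from the original article; it samples the most recent events in a log, ranks the event IDs by share of the sample, and then lists the audit subcategories currently enabled so that the noisy IDs can be traced back to the subcategory that generates them. $LogName and $Sample are assumptions.

```powershell
# Added example (not from the KB article): identify the event IDs that dominate
# a Windows event log so the audit policy can be reviewed with real numbers.
# $LogName and $Sample are assumptions; adjust them for your environment.
$LogName = 'Security'
$Sample  = 20000   # number of most recent events to examine

$events = Get-WinEvent -LogName $LogName -MaxEvents $Sample
$total  = $events.Count

# Top event IDs by volume, with their share of the sample and the audit task they belong to
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property `
        @{ n = 'EventId'; e = { $_.Name } },
        Count,
        @{ n = 'Percent'; e = { [math]::Round(100 * $_.Count / $total, 1) } },
        @{ n = 'Task';    e = { $_.Group[0].TaskDisplayName } } |
    Format-Table -AutoSize

# Audit subcategories currently enabled on this host. Compare the noisy event IDs
# above with the subcategory that produces them before changing any policy, so
# that required security events are still recorded.
auditpol /get /category:*
```

The Task column maps each event ID to the audit subcategory shown by auditpol, which is the setting to review; reducing noise by narrowing a subcategory keeps the events that matter while lowering the flow into the Event Viewer.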

How to reach support

If the issue persists, please contact support.
Support Channels:
Toll-Free (US): +1 844 649 7766
Request Support Portal: EventLog Analyzer
