Issue description

Possible causes

• The event was not recorded natively due to lack of configuration.
• The event was recorded natively but filtered during log collection.
• The event was recorded natively but was overwritten before log collection.
• The event was recorded natively and collected by the application but has yet to be processed.

Prerequisites 

• Have access to the EventLog Analyzer user interface to perform a log search and review log source configuration.
• Have access to the log source that's not being collected.

Steps to follow

1. Review the log source configuration and if the log was recorded natively
2. For a Windows log source, check if the event was recorded in the Event Viewer. If not, check the related articles from the ManageEngine website to have the event recorded by enabling SACL or an audit policy, or refer to the related Microsoft documents to have the event recorded natively.
3. In some cases where a high log flow is observed in Windows devices, check and ensure if the Event Viewer can withstand the events more than the monitoring interval (default scheduled interval: 10 minutes). If you have set a 10-minute scheduled log collection but the Event Viewer isn't retaining the event for 10–15 minutes, then log collection happens only for selective events, which leads to partial log collection. Refer to Partial log collection or no logs are collected due to flooding of events in the Event Viewer: EventLog Analyzer troubleshooting.
4. For syslog devices and other applications, check if the respective event was recorded natively. For syslog devices, check if the event type is set to be forwarded to your EventLog Analyzer instance. If the events are not recorded, check with the vendor for the scope of having the event recorded.
5. For applications, check if the configuration is done correctly in EventLog Analyzer to collect the logs.
6. If the events are recorded natively, proceed to step two.
   

1. For agent-based log collection:
   

1. Check the agent status at Settings > Admin Settings > Agents.
2. Proceed with agent troubleshooting following the Agent troubleshooting guide if you find any status apart from success.

1. For agentless log collection:

1. Navigate to Settings > Log Source Configuration and open the respective log source tab to check the status. Check if collection happens for all the log sources or only for specific log sources. Refer to Log collector quit troubleshooting if the impact is on all the devices that are not associated with the agent.
   

1. Check if a CachedRecord file is created in <EventLog Analyzer Home>/ES/CachedRecord. A CachedRecord folder contains the unprocessed log files that are collected. This could be due to resource usage by Java in processing the data or insufficient hardware resources at that time. Please do not delete these files as it could lead to data loss.
   
2. These files will automatically be processed when the product gets enough room to process the logs. As long as the files in that folder get processed and the folder empties without continuing to accumulate logs, there is nothing to be concerned about.
3. To optimize the performance, you can consider increasing the resource allocated. For more details on CachedRecord, refer to CachedRecord troubleshooting.

Tips

1. Configure Log Collection Filter policies as per your requirements to avoid high log ingestion; ensure that the configuration is done without the loss of any sensitive or required event logs.
2. Configure a Log Collection Failure Alert to get notified when logs are not being collected.

• Partial log collection or no logs are collected due to flooding of events in the Event Viewer: EventLog Analyzer troubleshooting

How to reach support