Troubleshooting: Some events are not available in the Search tab | EventLog Analyzer
Issue description
Some events that were generated on a log source may not appear in the EventLog Analyzer Search tab. This article offers steps to review and resolve this issue.
Possible causes
- The event was not recorded natively due to lack of configuration.
- The event was recorded natively but filtered during log collection.
- The event was recorded natively but was overwritten before log collection.
- The event was recorded natively and collected by the application but has yet to be processed.
Prerequisites
- Have access to the EventLog Analyzer user interface to perform a log search and review log source configuration.
- Have access to the log source that's not being collected.
Steps to follow
Step 1:
- Review the log source configuration and confirm that the event was recorded natively on the source.
- For a Windows log source, check whether the event appears in the Event Viewer. If it does not, refer to the related articles on the ManageEngine website to have the event recorded by enabling a SACL or an audit policy, or refer to the relevant Microsoft documentation to have the event recorded natively.
- On Windows devices with a high log flow, make sure the Event Viewer retains events for longer than the monitoring interval (default scheduled interval: 10 minutes). If log collection is scheduled every 10 minutes but the Event Viewer retains events for less than 10–15 minutes, events are overwritten between collection runs and only some of them are collected, which leads to partial log collection. Refer to Partial log collection or no logs are collected due to flooding of events in the Event Viewer: EventLog Analyzer troubleshooting.
- For syslog devices and other applications, check whether the respective event was recorded natively. For syslog devices, also check that the event type is configured to be forwarded to your EventLog Analyzer instance. If the events are not recorded, check with the vendor whether the device can record that event at all.
- For applications, check that the log source is configured correctly in EventLog Analyzer to collect the logs.
- If the events are recorded natively, proceed to step two.
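The two Windows checks in this step (is the event written at all, and does the log keep it long enough for the collector) can be answered from the log source itself. The following script is an added example and is not part of the ManageEngine article or product; it uses only the built-in Get-WinEvent cmdlet. The log name (Security), event ID (4624), collection interval (10 minutes) and margin (5 minutes) are assumptions for the example; run it in an elevated PowerShell session on the source host and adjust them to your case.

```powershell
# Added example, not part of the ManageEngine article: run in an elevated PowerShell session
# on the Windows log source to answer the two Step 1 questions for one event ID:
#   (1) is the event actually written to the Event Viewer?
#   (2) does the log retain records for longer than the EventLog Analyzer collection interval,
#       or is it wrapping and overwriting them before the collector reads them?
# The log name, event ID, interval and margin below are assumptions; change them to your case.

$LogName                   = 'Security'
$EventId                   = 4624   # assumed example: successful logon
$CollectionIntervalMinutes = 10     # default scheduled interval mentioned in the article
$MarginMinutes             = 5      # headroom so a slow or delayed collection run still finds the events

# (1) Is the event recorded natively? Get-WinEvent raises a non-terminating "No events were found"
#     error when nothing matches, so with SilentlyContinue $latest simply stays $null.
$latest = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($null -eq $latest) {
    Write-Warning "No event ID $EventId in '$LogName'. Enable the audit policy or SACL before checking collection."
} else {
    Write-Output "Latest event ID $EventId in '$LogName' was written at $($latest.TimeCreated)."
}

# (2) How long does the log span right now, and how long will it span once it is full?
$cfg    = Get-WinEvent -ListLog $LogName
$newest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
$oldest = Get-WinEvent -LogName $LogName -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
if ($null -eq $newest -or $null -eq $oldest) {
    Write-Warning "'$LogName' is empty; nothing to measure."
    return
}
$spanMinutes = ($newest.TimeCreated - $oldest.TimeCreated).TotalMinutes

# A log that has not yet reached MaximumSizeInBytes has never wrapped, so scale the observed span
# up to the configured maximum to estimate the steady-state retention window.
if ($cfg.FileSize -gt 0 -and $cfg.FileSize -lt $cfg.MaximumSizeInBytes) {
    $projectedMinutes = $spanMinutes * ($cfg.MaximumSizeInBytes / $cfg.FileSize)
} else {
    $projectedMinutes = $spanMinutes
}

$sizeLine = '{0}: mode={1}, size={2:N0} of {3:N0} bytes, records={4}' -f $LogName, $cfg.LogMode, $cfg.FileSize, $cfg.MaximumSizeInBytes, $cfg.RecordCount
$spanLine = 'Oldest record {0}, newest record {1}: observed span {2:N1} min, projected retention {3:N1} min' -f $oldest.TimeCreated, $newest.TimeCreated, $spanMinutes, $projectedMinutes
Write-Output $sizeLine
Write-Output $spanLine

$required = $CollectionIntervalMinutes + $MarginMinutes
if ($projectedMinutes -lt $required) {
    $fmt = 'Projected retention ({0:N1} min) is shorter than the collection interval plus margin ({1} min): ' +
           'events are overwritten before collection. Increase the log size ' +
           '(for example: wevtutil sl {2} /ms:<bytes>) or shorten the collection interval.'
    Write-Warning ($fmt -f $projectedMinutes, $required, $LogName)
} else {
    Write-Output "Projected retention covers the collection interval; proceed to Step 2."
}
```

The projection assumes the current write rate continues; a log that was cleared a few minutes ago will show a short observed span but a small file size, and the scaling corrects for that. If the warning fires, raising the maximum size with wevtutil (or the Event Viewer log properties) is usually cheaper than shortening the collection interval on a busy host.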
Step 2: Check whether a Log Collection Filter has been configured and whether it is filtering this event out of collection.
Step 3: Check whether log collection uses an agent-based or agentless mechanism.
- For agent-based log collection:
- Check the agent status at Settings > Admin Settings > Agents.
- If you find any status other than success, proceed with agent troubleshooting by following the Agent troubleshooting guide.
- For agentless log collection:
- Navigate to Settings > Log Source Configuration and open the respective log source tab to check the status. Check whether collection fails for all log sources or only for specific ones. Refer to Log collector quit troubleshooting if all devices that are not associated with an agent are affected.
If partial data is available in either of the above cases, proceed to step four.
Step 4:
- Check whether CachedRecord files are present in <EventLog Analyzer Home>/ES/CachedRecord. The CachedRecord folder contains collected log files that have not yet been processed. This happens when the Java process lacks the resources to process the data, for example because of insufficient hardware resources at that time. Do not delete these files, as that leads to data loss.
- These files are processed automatically once the product has enough room to process the logs. As long as the files in that folder get processed and the folder empties instead of continuing to accumulate logs, there is nothing to be concerned about.
- To optimize performance, consider increasing the allocated resources. For more details on CachedRecord, refer to CachedRecord troubleshooting.
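Whether the folder is draining or accumulating is the decision point in this step, and a single glance at the folder does not show a trend. The following script is an added example, not part of the ManageEngine article or product: it samples the CachedRecord folder a few times and reports whether the backlog is shrinking, and uses the oldest file's age as a rough measure of how far behind the searchable data is. The install path, sample count and interval are assumptions; the script only reads the folder and never deletes anything.

```powershell
# Added example, not part of the ManageEngine article: sample the CachedRecord folder several
# times and report whether the backlog is draining (expected) or growing (processing cannot keep
# up). The install path, sample count and interval are assumptions; adjust them to your server.
# The script only reads the folder: the article warns that deleting these files loses data.

$CachedRecordDir = 'C:\ManageEngine\EventLog Analyzer\ES\CachedRecord'  # assumed <EventLog Analyzer Home>
$Samples         = 6
$IntervalSeconds = 60

function Get-CachedRecordSnapshot {
    param([string]$Path)
    $files = @(Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue)
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    if ($null -eq $bytes) { $bytes = 0 }
    # The oldest file's age approximates how far behind the processed (searchable) data is.
    $oldestAgeMin = 0
    if ($files.Count -gt 0) {
        $oldestWrite  = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        $oldestAgeMin = [math]::Round(((Get-Date) - $oldestWrite).TotalMinutes, 1)
    }
    [pscustomobject]@{
        Time         = Get-Date
        Files        = $files.Count
        MB           = [math]::Round($bytes / 1MB, 1)
        OldestAgeMin = $oldestAgeMin
    }
}

$history = @()
for ($i = 1; $i -le $Samples; $i++) {
    $snap = Get-CachedRecordSnapshot -Path $CachedRecordDir
    $history += $snap
    Write-Output ('{0:HH:mm:ss}  files={1,6}  size={2,9} MB  oldest file age={3,7} min' -f $snap.Time, $snap.Files, $snap.MB, $snap.OldestAgeMin)
    if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSeconds }
}

$first      = $history[0]
$last       = $history[-1]
$elapsedMin = [math]::Round(($last.Time - $first.Time).TotalMinutes, 1)
if ($last.Files -eq 0) {
    Write-Output 'CachedRecord is empty: the backlog has been processed and Search is up to date.'
} elseif ($last.Files -lt $first.Files -or $last.MB -lt $first.MB) {
    $fmt = 'Backlog is draining ({0} -> {1} files, {2} -> {3} MB in {4} min). Search lags by roughly ' +
           'the oldest file age; no action needed, and do not delete the files.'
    Write-Output ($fmt -f $first.Files, $last.Files, $first.MB, $last.MB, $elapsedMin)
} else {
    $fmt = 'Backlog is not draining ({0} -> {1} files, {2} -> {3} MB in {4} min): processing cannot keep ' +
           'up. Check CPU, RAM, disk I/O and the Java heap allocated to EventLog Analyzer; do not delete the files.'
    Write-Warning ($fmt -f $first.Files, $last.Files, $first.MB, $last.MB, $elapsedMin)
}
```

Run it on the EventLog Analyzer server during the period when events are missing from Search. A draining backlog means the missing events will appear once the oldest cached files are processed; a flat or growing one confirms a resource problem and points you to CachedRecord troubleshooting.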
Tips
- Configure Log Collection Filter policies as per your requirements to avoid high log ingestion; make sure the filters do not drop any sensitive or required event logs.
- Configure a Log Collection Failure Alert to get notified when logs are not being collected.
How to reach support
If the issue persists, please contact support.
Support Channels:
Toll-Free (US): +1 844 649 7766