Overview 

Possible causes

• Insufficient system resources

• High CPU or memory usage on the server.
• Low disk space in installation or log directories.

• Corrupted or overloaded database

• Elasticsearch issues due to network or port connectivity disruptions.
• Large volume of raw log data or reports that slow down queries.

• Background tasks overload

• Log parsing, report generation, or alerting tasks consume excessive resources.
• High-frequency scheduler tasks.

• Corrupted UI files or services not running

• Web server is not initialized properly.
• Corrupted web UI or Java components.

• Log rotation or archival issues

• Large volume of unarchived or uncompressed logs can slow down the UI.
• File system errors on log directories.
  

• Cached records

• The unprocessed logs might be piled up in the server due to system resource crunch, and the product will take some time to process it in the backend.
  

Prerequisites   

1. Ensure that the EventLog Analyzer server is allocated with appropriate system resources based on the log flow in your instance. Refer to the following guide to get a better perspective: System requirements
2. Verify that the mandatory ports are opened/enabled in the EventLog Analyzer installed server using the following guide: Prerequisites
3. If the antivirus or endpoint protection software is running on the EventLog Analyzer installed server,  validate that you have excluded the <dir> ManageEngine\EventLog Analyzer directory path from the solution's scan list. 
4. Ensure that the EventLog Analyzer installed server's memory is reserved and locked in 100%. Reference: System requirements
   

Resolution 

1. Stop any unnecessary background processes running on the EventLog Analyzer server to reclaim system resources. Aim to align the system’s resource usage with the recommended values outlined in the prerequisite guide above.

1. On some cases, a GPO push might revert the already opened ports and protocol in the EventLog Analyzer installed server. Hence, ensure that the Elasticsearch ports are opened/enabled in the firewall rules as per the following guide: Prerequisites
   

1. CPU and memory allocation
   
1. Allocate 100% of the available RAM and CPU to the VM running EventLog Analyzer.
2. Avoid resource sharing with other VM on the same host, as it may lead to CPU and RAM starvation, which can severely impact performance. 

1. Storage provisioning
   
1. Use thick provisioning for virtual disks.
2. For VMware environments, select Thick Provision Eager Zeroed for optimal performance.
3. Avoid Thick Provision Lazy Zeroed as it delivers lower performance, and thin provisioning altogether, as it increases I/O latency.
   

1. Snapshot management
   
1. Disable or avoid using VM snapshots during regular operations.
2. Snapshots duplicate data across multiple blocks, increasing read/write operations and causing higher I/O latency, which can degrade system performance.
   

1. CPU and RAM utilization best practices
   
1. Ensure that CPU utilization remains below 85% to maintain consistent and reliable performance.
2. Reserve at least 50% of server RAM for off-heap utilization by Elasticsearch, which is crucial for indexing and searching efficiency.  

1. Disk configuration
   
1. Disk latency is a critical factor for EventLog Analyzer’s performance.
2. Use direct-attached storage (DAS) with performance equivalent to SSD—offering near-zero latency and high throughput.
3. Enterprise-grade storage area networks (SANs) may also be used if they offer superior performance over standard SSDs.
   

1. Clear the browser cache or use incognito mode. Try accessing from a different machine/network.
   

1. Please note that the files in the CachedRecord folder are logs that have been collected but are yet to be processed. This situation could arise due to high resource usage by Java for processing the data or insufficient hardware resources at the time. Do not delete the files in the CachedRecord folder, as this could lead to data loss. These files will be automatically processed when sufficient resources are available. As long as the files in this folder are eventually processed and the folder doesn't continuously accumulate files, there should be no cause for concern.
   
2. The cached records directory path: <dir>: ManageEngine\EventLog Analyzer\ES\CachedRecords
   
3. If the issue persists, please follow the instructions listed in the memory reservation section.
   
4. EventLog Analyzer also provides email notifications when unprocessed log files accumulate and form cached records. Please refer to this link to know more. 
   

1. Follow these steps to increase the memory allocated to EventLog Analyzer.

wrapper.java.maxmemory=1024

1. You can Increase the Product Memory upto 6GB Maximum
   
2. Restart the product after memory allocation. The changes will be effective only after the product is restarted.

Tips 

1. Set your log retention days exactly based on your requirements. Reference: Retention settings || Archive
2. Upgrade to the latest builds of EventLog Analyzer. Reference: Upgrade to latest version of EventLog Analyzer build || Eventlog Analyzer latest features
3. Schedule periodic server restarts during off-hours.

How to contact support

Related articles and topics

1. How to get notified about unprocessed log files in EventLog Analyzer