1 Reply Latest reply on Nov 20, 2015 8:56 AM by mavturner

    Does LEM delete local event logs?

    zacleopard

      Hi All,

       

      I've come to an organisation that is using Log and Event Manager and my predecessor, who was part of the installation by a third party, is no longer at the company.

      To put it bluntly, we don't particularly like the product and find it a pain to use and would like to be able to view events in the server event logs.

       

      Here lies my problem: when I look for a particular event, 4740 (account lockout), there are none listed since (I presume) when LEM was installed.

      I am able to see current events in LEM of this type and I have checked that auditing is turned on in group policy, so I can only imagine that LEM is polling and deleting the logs.

       

      If this is the case, how can I prevent this?

       

      Regards

        • Re: Does LEM delete local event logs?
          mavturner

          zacleopard,

           

          I'm sorry you are finding the product difficult to use. I'd be happy to schedule some time to give you a quick intro to the product and how to use it. There is a learning curve but I find that once customers get over that initial bump, they find it very powerful. Of course, we are always working to improve this.

           

          No, LEM does not delete the local logs. It's possible that the server you are looking at isn't the same one that processed the account lockout event. If you go to Explore - nDepth then change from "Drag & Drop" mode to "Text Input" you can do a search on the event ID and it will show you all of the events. Once you are more familiar with the product, the Drag & Drop mode will be faster, but sometimes it's easier for people new to the product to start with the text input.


           

          Next, you probably want to change the view to see the logs instead of the charts. At the very bottom of the screen there is a row of icons that allows you to visualize the data in different ways. Try changing to the Results Detail view to see the matching events.

           


           

          Once you are viewing the full results, it should be clear which machine is logging the account disable messages. I would double check that it's the machine you expect. If the logs are really not on that server, you'll need to check for other reasons why. I hope that helps, but if not, let me know!

           

          Mav
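
To check the local logs directly, as the reply suggests, the following added example (not part of the thread and not SolarWinds code) queries every domain controller's Security log for event 4740 and reports how far back each log reaches and how it is configured to roll over. It assumes the ActiveDirectory PowerShell module is installed and that the account running it may read the Security log remotely on each domain controller.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and an account allowed to read the Security log on each domain controller.
Import-Module ActiveDirectory

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        # Log settings: a small maximum size in Circular mode means old events roll off.
        $log = Get-WinEvent -ListLog Security -ComputerName $name -ErrorAction Stop
        # The oldest record still present shows how far back this log reaches.
        $oldest = Get-WinEvent -LogName Security -ComputerName $name `
            -MaxEvents 1 -Oldest -ErrorAction Stop
        # Get-WinEvent raises an error when nothing matches; treat that as zero hits.
        $lockouts = @(Get-WinEvent -ComputerName $name -FilterHashtable @{
            LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue)

        $latest = $null
        if ($lockouts.Count -gt 0) {
            # Results are newest first. Read fields by name from the event XML.
            # In 4740, TargetDomainName carries the caller computer name.
            $data   = ([xml]$lockouts[0].ToXml()).Event.EventData.Data
            $user   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            $latest = '{0} from {1} at {2}' -f $user, $caller, $lockouts[0].TimeCreated
        }

        [pscustomobject]@{
            DC            = $name
            IsPDC         = $dc.OperationMasterRoles -contains 'PDCEmulator'
            LogMode       = $log.LogMode
            MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
            OldestRecord  = $oldest.TimeCreated
            Lockouts4740  = $lockouts.Count
            LatestLockout = $latest
            Note          = $null
        }
    } catch {
        # Unreachable host or access denied: keep the row so the gap is visible.
        [pscustomobject]@{
            DC = $name; IsPDC = $null; LogMode = $null; MaxSizeMB = $null
            OldestRecord = $null; Lockouts4740 = $null; LatestLockout = $null
            Note = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize
```

A domain controller whose `OldestRecord` is only hours or days old has rolled over its Security log, which would explain missing 4740 events without anything deleting them.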