Troubleshoot Empty Reports
When a report is empty, there could be multiple causes. This page was compiled from common issues experienced by LogRhythm customers.
Do you have the proper log source(s) included in the report?
Double check the Log Source Criteria to ensure the proper items are selected.
Is the log source functioning?
If a Tail or Investigation indicates that no logs are being collected by the device, check the device for changes that might stop it from sending logs. In the Log Sources tab, check the Last Log field in the Deployment Manager.
Is your EMDB old?
If you are using EMDB 4.04 or earlier, upgrading fixes issues that prevent some reports from generating.
Have you upgraded lately?
Older software may cause a report to generate improperly. Update to the latest Report Package to ensure you have the most recent copy of the report templates. Update to the latest Knowledge Base so that the rules which determine how logs needed for the report criteria are processed are current. Updating the LogRhythm software (Data Processor, ARM, and Client Console) may also help correct problems with report generation. Access the LogRhythm Community for the latest downloads.
Are you saving to a Microsoft SharePoint Server?
If LogRhythm is generating reports directly to SharePoint, there have been reports that files do not always write correctly. Saving reports to the local drive instead appears to correct this problem.
Does the Log Processing Policy have the proper rules enabled?
You can check from the Deployment Manager using the Log Processing Policies tab. Find the policy for the log source type you are interested in and ensure no rules are disabled in the policy.
Is the information being collected coming from an agent that is currently malfunctioning or down?
Check the status of the System Monitor Agent in the Deployment Monitor. If the name of the agent is highlighted in yellow or red, it is experiencing problems and should be investigated.
Are the report criteria accurate?
Not having the proper common event or having incorrect logic between conditions can cause an empty report. Create an Investigation to tune the criteria until the proper logs are shown. Then, either save the Investigation as a report or format the data into the report using the built-in tools.
Is the report empty, or does it just have no matches?
If the report is blank (0 bytes) as opposed to getting a message that states that “no logs match” the report query, then there may be an error that stopped the report from being generated. Contact LogRhythm Support to help identify the cause.
Is the Report Data Source correct? Do you know if your report is to query the Platform Manager, Data Processor, or the LogMart?
The following chart shows the data contained in each repository based on its classification. Compare the report filter criteria and data source against this table.
Classification | Data Processor | Platform Manager | LogMart |
---|---|---|---|
Audit | |||
Audit: Startup & Shutdown | Yes | Case By Case | Yes |
Audit: Configuration | Yes | Yes | Yes |
Audit: Policy | Yes | Yes | Yes |
Audit: Account Created | Yes | Yes | Yes |
Audit: Account Modified | Yes | Yes | Yes |
Audit: Account Deleted | Yes | Yes | Yes |
Audit: Access Granted | Yes | Yes | Yes |
Audit: Access Revoked | Yes | No | Yes |
Audit: Authentication Success | Yes | Case By Case | Yes |
Audit: Authentication Failure | Yes | Yes | Yes |
Audit: Access Success | Yes | Case By Case | Yes |
Audit: Access Failure | Yes | Yes | Yes |
Audit: Other Audit Success | Yes | No | No |
Audit: Other Audit Failure | Yes | Yes | Yes |
Audit: Other | Yes | No | No |
Security | |||
Security: Compromise | Yes | Yes | Yes |
Security: Attack | Yes | Yes | Yes |
Security: Denial of Service | Yes | Yes | Yes |
Security: Malware | Yes | Yes | Yes |
Security: Suspicious | Yes | Yes | Yes |
Security: Reconnaissance | Yes | Yes | Yes |
Security: Misuse | Yes | Yes | Yes |
Security: Activity | Yes | Case By Case | Case By Case |
Security: Failed Attack | Yes | No | Yes |
Security: Failed Denial of Service | Yes | No | Yes |
Security: Failed Malware | Yes | No | Yes |
Security: Failed Suspicious | Yes | No | Yes |
Security: Failed Misuse | Yes | No | Yes |
Security: Failed Activity | Yes | No | Yes |
Security: Other Security | Yes | Case By Case | Case By Case |
Operations | |||
Operations: Critical | Yes | Yes | Yes |
Operations: Error | Yes | Yes | Yes |
Operations: Warning | Yes | Yes | Yes |
Operations: Information | Yes | No | No |
Operations: Network Allow | Yes | No | No |
Operations: Network Deny | Yes | No | No |
Operations: Network Traffic | Yes | No | No |
Operations: Other | Yes | No | No |
In addition, the Platform Manager maintains information about:
- Alarms
- Log Volume
- Rate Analysis
- Usage Auditing
Also, keep in mind that LogMart contains aggregate metadata at 1-hour resolution for the data that is sent to it. In other words, it stores each unique set of log message metadata together with the number of times that log message occurred during a 1-hour period. Do not use LogMart if you are looking for an individual occurrence of a log message.
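The following is an added illustration, not LogRhythm code or its actual schema, of why a report that needs an individual occurrence returns nothing useful from LogMart: constructed sample records are collapsed to hourly (unique metadata, count) rows as the paragraph above describes, and an excerpt of the repository table is used to decide which data sources can serve a given classification. Field names and the sample values are assumptions for this example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log records, as the Data Processor holds them individually.
RAW_LOGS = [
    {"ts": "2024-01-15T09:05:00", "cls": "Audit: Authentication Failure", "host": "web01", "user": "alice"},
    {"ts": "2024-01-15T09:17:00", "cls": "Audit: Authentication Failure", "host": "web01", "user": "alice"},
    {"ts": "2024-01-15T09:42:00", "cls": "Audit: Authentication Failure", "host": "web01", "user": "alice"},
    {"ts": "2024-01-15T10:03:00", "cls": "Audit: Authentication Failure", "host": "web01", "user": "alice"},
    {"ts": "2024-01-15T10:30:00", "cls": "Operations: Information", "host": "web01", "user": "svc"},
]

# Excerpt of the repository table above ("Case By Case" rows are left out here).
STORED_IN = {
    "Audit: Authentication Failure": {"Data Processor", "Platform Manager", "LogMart"},
    "Operations: Information": {"Data Processor"},
}

def logmart_aggregate(logs):
    """Collapse records to one row per (hour, unique metadata) with a count,
    which is what LogMart keeps at 1-hour resolution."""
    counts = Counter()
    for rec in logs:
        if "LogMart" not in STORED_IN.get(rec["cls"], set()):
            continue  # this classification is never sent to LogMart
        hour = datetime.fromisoformat(rec["ts"]).replace(minute=0, second=0)
        counts[(hour.isoformat(), rec["cls"], rec["host"], rec["user"])] += 1
    return dict(counts)

def data_processor_hits(logs, cls, ts):
    """Individual-occurrence query: an exact timestamp is answerable here."""
    return [r for r in logs if r["cls"] == cls and r["ts"] == ts]

def logmart_hits(agg, cls, ts):
    """The same question against LogMart: only the hourly bucket and its count
    survive, so the 09:05 event cannot be told apart from the others that hour."""
    hour = datetime.fromisoformat(ts).replace(minute=0, second=0).isoformat()
    return {k: v for k, v in agg.items() if k[0] == hour and k[1] == cls}

def usable_repositories(cls, need_individual_occurrence):
    """Data sources that can satisfy a report for this classification."""
    repos = set(STORED_IN.get(cls, set()))
    if need_individual_occurrence:
        repos.discard("LogMart")  # aggregates only, per the note above
    return repos
```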