I have been investigating log delays on our log server. The Logs themselves are present, if you open up the latest log file, but when you use the SmartLog with Log indexing there is a 10 - 20 minute delay. I have been through some of the SK, but nothing seemed to help.
In the end I think it related to the sizing of the dedicated log server, which I will follow up on.
The question I have is, if there is a relationship between the SmartEventCorrelation unit and the log indexing?
We have a dedicated Management Server (running Smart Event server) and dedicated Log server.
Our log indexing delays were solved, by making sure there was a SmartEvent Correlation Unit running on the dedicated Log server as well as on the Management server.
I understand that there is log need to be processed by the correlation unit, and that if the correlation unit is not running on the log server, there is some extra communication between the log server and where the correlation unit is. Beyond the overhead of CPU and networking related to this, should there be an impact on the indexing of the logs?