CASB Audit / Device Logs / Data Sources - Latest Date shows several days behind

Article ID: 274995

Updated On:

Products

CASB Securlet SAAS

Issue/Introduction

In Audit / Device Logs, the Proxy SG data source "Data Source 1" shows a Latest Date of 07 Oct 2023 (as viewed on 09 Oct 2023), and "Data Source 2" shows a Latest Date of 05 Oct 2023.

Neither the client nor the CASB Support DSE received a "No New Data since 24 hours Elastica Alert" for either of these two data sources.

In Audit / Device Logs / Data Source / Details / Processing tab, logs show as queued, processing, or processed, with the current date.

The associated SpanVAs run the latest version and have the recommended minimum of 4 CPUs and 16 GB RAM, plus a 500 GB disk, which is sufficient for this client.

The client in question had a significant and fairly lengthy network disruption, which caused logs to back up on both SpanVAs.

The client has SpanVA Tokenization enabled as well.

Resolution

A Webex session with Audit Engineering and the client revealed that the Anonymizer Service had stopped on both of these SpanVAs.

On SpanVA1, the logs were quite small (under 1 MB) but arriving quickly, with 62 logs in about 8 minutes.

On SpanVA2, the logs were larger (76 MB to 200 MB), with 96 logs in 30 minutes.

Audit Engineering restarted the Anonymizer Service and created a cron job on each SpanVA to automatically restart the Anonymizer Service every hour.

Within 30 minutes, disk utilization had dropped by 2% on each SpanVA. Within 3 or 4 days, the logs had all caught up and the Latest Date is now current.
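
The symptom above (uploads still arriving while the Latest Date falls behind, with no "No New Data" alert) can be watched for separately from upload silence. The following is an added example, not Broadcom code: it assumes the alert keys on upload arrival, and the `DataSource` fields, the 24-hour threshold, the times of day, and the third and fourth sample rows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class DataSource:
    name: str
    latest_date: datetime  # "Latest Date" shown in Audit / Device Logs
    last_upload: datetime  # newest entry on the Processing tab (assumed field)

def classify(ds, now, max_lag=timedelta(hours=24)):
    """Return 'silent' (no uploads arriving), 'backlog' (uploads arriving
    but Latest Date lagging, the case in this article), or 'ok'."""
    if now - ds.last_upload > max_lag:
        return "silent"   # the case a "no new data" alert is assumed to cover
    if now - ds.latest_date > max_lag:
        return "backlog"  # logs are queued/processing but not caught up
    return "ok"

def stale_sources(sources, now, max_lag=timedelta(hours=24)):
    """Map each unhealthy source to (state, whole days Latest Date lags)."""
    report = {}
    for ds in sources:
        state = classify(ds, now, max_lag)
        if state != "ok":
            report[ds.name] = (state, (now - ds.latest_date).days)
    return report

# Constructed sample: dates for the first two rows follow the article.
NOW = datetime(2023, 10, 9, 12, 0)
SAMPLE = [
    DataSource("Data Source 1", datetime(2023, 10, 7), datetime(2023, 10, 9, 11, 50)),
    DataSource("Data Source 2", datetime(2023, 10, 5), datetime(2023, 10, 9, 11, 45)),
    DataSource("Healthy source", datetime(2023, 10, 9, 10), datetime(2023, 10, 9, 11)),
    DataSource("Silent source", datetime(2023, 10, 6), datetime(2023, 10, 6, 1)),
]

if __name__ == "__main__":
    for name, (state, days) in stale_sources(SAMPLE, NOW).items():
        print(f"{name}: {state}, Latest Date {days} day(s) behind")
```

A "backlog" result on a tokenizing SpanVA is the cue to check whether the Anonymizer Service is still running before looking at the upstream log source.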