How to search logs from a deleted device in TIBCO LogLogic LMI

Article ID: KB0077198

Products: TIBCO LogLogic Log Management Intelligence
Versions: all versions

Description

If a device (i.e. a log source) is deleted from the LMI appliance, the logs already collected by LMI from that log source still exist and remain searchable. Classic regex search, classic index search and advanced search can all still retrieve the device's events.

Environment

Advanced search is only available starting with LMI 6.1.0 and only for certain appliance models.

Resolution

There are primarily two solutions to this issue, each with its own pros and cons. The first is to re-create the log source with the same IP address and device type as the device entry that was deleted. This is the preferred solution if the log source was accidentally deleted and should still exist in LogLogic LMI. If you do not want to re-create the log source, the other method is to search using the default device group that matches the device type of the deleted device. The disadvantage of this method is that logs from other sources may be included in the results, depending on whether your filter criteria can exclude them. For either solution you need to know the device type of the deleted device. This is usually not an issue for more standard sources such as Microsoft Windows, but it may not always be known.

Solution 1
1. Log into the Web UI as admin
2. Re-create the device using the same IP address and Device Type by going to Administration -> Manage Devices and clicking the Add button.
3. You can then search on any of the logs that were previously collected from this device as long as they have not reached the end of their retention time.

Solution 2
1. Instead of re-creating the source, you can simply search for the events. Since the individual log source is no longer available for selection, you will need to select the default device group corresponding to the device type of the deleted device.

As a last resort, a user can still retrieve the logs from a deleted source by simply searching against all sources. This is the only available option in the event that you don't know the device type of the deleted source. The details for doing this are provided below for each search function:
- Searching all events is possible in the classic regex search by specifying All for the device type field, All for the Source Device and Retrieve All for the search filter.
- In classic index search this is typically achieved using default search criteria because the classic index search defaults to searching all logs except those from LogLogic LMI appliances.
- With advanced search, a user can search all events collected by the LMI appliance by using the system data model. For example, "use system" is the EQL query to use in an advanced search to retrieve all events. You will probably want to add keywords and/or a regex pattern to that query to filter the results further, which both reduces the result set and gives much better performance.


Issue/Introduction

This article explains how a user can search for logs from a deleted device in LogLogic LMI.