Hi Ian,
I would agree with others in pinpointing the time drift. I have seen this behaviour on customers' systems when their host time is significantly adrift. It is also worth noting that you should check all your log sources to ensure they are all configured with an NTP server. If you focus all your efforts on the LEM appliance and have not considered your network devices generating the events, potentially with a bad time stamp, you will be missing a trick.
LEM does run an NTP daemon, but you need to disable the time sync with host in the VM properties before you can set an NTP server in the command line.
Also check to see what RAID array you have configured LEM to run on. RAID 5 and RAID 6 are not advised because the parity checks increase disk write latency to disk. With any database, it is advisable to use RAID 1+0 (min 4 spindles) to ensure disk performance does not impact functionality of the application on top of the database. If you are only monitoring a handful of nodes, you should not see an issue, but if your events per minute count is high and you intend to run a number of reports and searches simultaneously on top of the events being correlated, you may see high disk I/O latency if not using RAID 1+0.
FWIW I would consider upgrading to LEM 5.7 as it is available at no cost if your maintenance subscription is valid. It takes all of 20 minutes to upgrade the appliance and replace the AIR console and reports application on your workstation.
Kind Regards
Garreth
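
The check on log sources suggested in the reply above, sketched as an added example (not part of the original post and not LEM code): it estimates each source's clock offset from the gap between the timestamp the device stamped on an event and the time the collector received it. The `source|stamped|received` record layout, the host names and the 60-second tolerance are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records: source|time stamped by the device|time seen by the collector
SAMPLE = """\
fw01|2015-06-01T10:00:00+00:00|2015-06-01T10:00:01+00:00
fw01|2015-06-01T10:00:30+00:00|2015-06-01T10:00:30+00:00
fw01|2015-06-01T10:01:00+00:00|2015-06-01T10:01:02+00:00
sw02|2015-06-01T09:52:10+00:00|2015-06-01T10:00:05+00:00
sw02|2015-06-01T09:52:40+00:00|2015-06-01T10:00:36+00:00
sw02|2015-06-01T09:53:10+00:00|2015-06-01T10:01:05+00:00
dc03|2015-06-01T11:00:20+01:00|2015-06-01T10:00:21+00:00
dc03|2015-06-01T11:00:50+01:00|2015-06-01T10:00:50+00:00
dc03|2015-06-01T11:01:20+01:00|2015-06-01T10:01:45+00:00
rtr04|2015-06-01T10:05:00+00:00|2015-06-01T10:00:10+00:00
rtr04|2015-06-01T10:05:30+00:00|2015-06-01T10:00:41+00:00
rtr04|2015-06-01T10:06:00+00:00|2015-06-01T10:01:10+00:00
"""

def source_skew(lines):
    """Return {source: median(device time - collector time) in seconds}.

    The median keeps one late-delivered event (see dc03) from looking like
    drift; offset-aware timestamps mean a different time zone is not drift.
    """
    deltas = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        source, stamped, received = line.split("|")
        gap = datetime.fromisoformat(stamped) - datetime.fromisoformat(received)
        deltas[source].append(gap.total_seconds())
    return {source: median(values) for source, values in deltas.items()}

def drifting_sources(lines, tolerance_s=60):
    """Sources whose typical offset exceeds the tolerance (assumed: 60 s)."""
    return {s: off for s, off in source_skew(lines).items() if abs(off) > tolerance_s}

if __name__ == "__main__":
    for source, offset in sorted(drifting_sources(SAMPLE.splitlines()).items()):
        direction = "behind" if offset < 0 else "ahead of"
        print(f"{source}: {abs(offset):.0f}s {direction} the collector, check its NTP config")
```

A negative offset means the device clock is behind the collector, a positive one that it is ahead; either way events from that source will be ordered wrongly against the rest.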