RSA NetWitness Azure Monitor collection is not starting due to invalid partition count for EventHub
Issue
Azure Monitor collection is configured according to the Azure Monitor Event Source Configuration Guide, but Test Connection fails with the error below in /var/log/messages:
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:01Z AzuremonitorCollector Starting events loop
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector pump: partition 1, sequence_no -1
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector pump: partition 0, sequence_no -1
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector pump: partition 2, sequence_no -1
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:800] [azuremonitor.AzureLogs] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector Got exception in Partition Pump 2. Exception The specified partition is invalid for an EventHub partition sender or receiver. It should be between 0 and 1.Parameter name: PartitionId TrackingId:18604e09a7c44466946e423292631974_G17, SystemTracker:gateway5, Timestamp:2020-09-01T12:51:02com.microsoft:argument-out-of-range: The specified partition is invalid for an EventHub partition sender or receiver. It should be between 0 and 1.Parameter name: PartitionId TrackingId:18604e09a7c44466946e423292631974_G17, SystemTracker:gateway5, Timestamp:2020-09-01T12:51:02
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:800] [azuremonitor.AzureLogs] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector Aborting
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector pump: partition 1, sequence_no -1
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector pump: partition 0, sequence_no -1
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector pump: partition 2, sequence_no -1
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:800] [azuremonitor.AzureLogs] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector Got exception in Partition Pump 2. Exception The specified partition is invalid for an EventHub partition sender or receiver. It should be between 0 and 1.Parameter name: PartitionId TrackingId:18604e09a7c44466946e423292631974_G17, SystemTracker:gateway5, Timestamp:2020-09-01T12:51:02com.microsoft:argument-out-of-range: The specified partition is invalid for an EventHub partition sender or receiver. It should be between 0 and 1.Parameter name: PartitionId TrackingId:18604e09a7c44466946e423292631974_G17, SystemTracker:gateway5, Timestamp:2020-09-01T12:51:02
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:800] [azuremonitor.AzureLogs] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector Aborting
Cause
This issue occurs because too few partitions are allocated to the event hub in Azure.
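The following added example (not part of the original article or of NetWitness) reads the collector messages quoted above and works out how many partitions the event hub actually has and which partition pumps fall outside that range. The function name `diagnose` and the abridged sample lines are constructed for illustration; the required count of 4 is the value this article cites from the configuration guide.

```python
import re
import sys

# Constructed sample: abridged copies of the /var/log/messages lines quoted above.
SAMPLE = """\
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [info] AzuremonitorCollector pump: partition 1, sequence_no -1
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [info] AzuremonitorCollector pump: partition 0, sequence_no -1
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [info] AzuremonitorCollector pump: partition 2, sequence_no -1
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [failure] AzuremonitorCollector Got exception in Partition Pump 2. Exception The specified partition is invalid for an EventHub partition sender or receiver. It should be between 0 and 1.Parameter name: PartitionId
Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [failure] AzuremonitorCollector Aborting
"""

REQUIRED_PARTITIONS = 4  # value the article cites from the configuration guide

PUMP_RE = re.compile(r"AzuremonitorCollector pump: partition (\d+),")
ERR_RE = re.compile(
    r"Got exception in Partition Pump (\d+)\..*?It should be between (\d+) and (\d+)\."
)

def diagnose(lines):
    """Return a summary dict, or None if no partition-range error is present."""
    attempted, failed, hub_max = set(), set(), None
    for line in lines:
        m = PUMP_RE.search(line)
        if m:
            attempted.add(int(m.group(1)))  # pump the collector started
            continue
        m = ERR_RE.search(line)
        if m:
            failed.add(int(m.group(1)))     # pump that raised the exception
            hub_max = int(m.group(3))       # highest partition id the hub accepts
    if hub_max is None:
        return None
    hub_partitions = hub_max + 1            # ids are 0-based, so "0 and 1" means 2
    return {
        "hub_partitions": hub_partitions,
        "attempted": sorted(attempted),
        "failed": sorted(failed),
        "out_of_range": sorted(p for p in attempted | failed if p > hub_max),
        "shortfall": max(0, REQUIRED_PARTITIONS - hub_partitions),
    }

if __name__ == "__main__":
    # Pass a log file path as the first argument, or run on the sample.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    print(diagnose(src))
```
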
Resolution
Follow the steps below to verify the event hub partition details.
- Log in to the Azure Portal.
- On the Event Hubs Namespace page, select Event Hubs in the left menu.
- On the right-hand side, the list of created event hubs is shown together with the partition count of each.
The event hub is required to have 4 partitions, as documented on page 3 of the Azure Monitor Event Source Configuration Guide.
- Delete the event hub that has a partition count of 2 and recreate it with a partition count of 4 and a message retention of 7 days, following Quickstart: Create an event hub using Azure portal.
- Once the event hub has been recreated with the correct partition count and all configuration from the configuration guide is in place, test the connection for the Azure Monitor instance in the Log Collector; this test will be successful.
- Also verify the Azure Monitor logs in the Investigate page.
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.4.1.2
Platform: CentOS
O/S Version: 7
Summary
This document outlines the procedure to allocate valid partitions in EventHub and start Azure Monitor log collection.