000038279 - RSA NetWitness Azure Collection failing due to beyond 90 days old bookmark

Document created by RSA Customer Support Employee on Dec 31, 2019. Last modified by RSA Customer Support Employee on May 22, 2020.
Version 2

Article Number: 000038279
Applies To: RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Issue: Azure log collection fails with the errors below.

Dec  4 12:52:44 LCollector NwLogCollector[6907]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[2]payloadService:19661] [onLog:800] [azureaudit.AzurePortalLogs] [processing] [WorkUnit] [processing] 2019-12-04T12:52:44Z AzureAuditCollector Azure Resource API call failed with HTTPError, response: {"Code":"BadRequest","Message":"The start time cannot be more than 90 days in the past."}
Dec 4 16:03:08 LCollector NwLogCollector[6907]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[1]payloadService:28326] [onLog:800] [azure_ad_signin.AzurePortalAdSignin] [processing] [WorkUnit] [processing] 2019-12-04T16:03:08Z AzureADCollector Azure AD signin API call failed with response: {"error":{"code":"","message":"Specified argument was out of the range of valid values.\r\nParameter name: Minimum allowed time for signinDateTime is 9/2/2019 12:00:00 AM"}}

Cause: This issue occurs because the bookmark (the last collected time) for the log source is more than 90 days old, which is outside the lookback window the Azure APIs accept. This can be verified by checking the bookmark files below.

cat /var/netwitness/logcollector/runtime/cmdscript/eventsources/azureaudit.AzurePortalLogs.xml
<?xml version="1.0" encoding="utf-8"?>
<ptime>2019-Dec-04 16:00:20.677156</ptime>

Note: Editing this file is not recommended.
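As an added example (not part of the RSA article or the NetWitness product), the following script reads the bookmark files described above and flags any source whose <ptime> has aged past the API lookback window, so the source can be re-created before collection fails. The 90-day limit comes from the BadRequest message above; the 30-day limit for azure_ad_signin is an assumption derived from the 0-29 Start Date note in the resolution, and the bookmark directory and file naming follow the path shown above.

```python
"""Flag NetWitness cmdscript bookmarks that have aged past the Azure lookback window."""
import re
from datetime import datetime, timezone
from pathlib import Path

# Bookmark directory named in the article.
BOOKMARK_DIR = Path("/var/netwitness/logcollector/runtime/cmdscript/eventsources")

# Lookback window in days per plugin. 90 comes from the BadRequest message in the
# article; 30 for AD sign-in is an assumption based on the 0-29 Start Date note.
LOOKBACK_DAYS = {"azureaudit": 90, "azure_ad_signin": 30}

PTIME_RE = re.compile(r"<ptime>\s*([^<]+?)\s*</ptime>")

# Constructed sample mirroring the bookmark file shown in the article.
SAMPLE_AUDIT_XML = ('<?xml version="1.0" encoding="utf-8"?>\n'
                    '<ptime>2019-Dec-04 16:00:20.677156</ptime>\n')


def parse_ptime(xml_text):
    """Return the bookmark timestamp (treated as UTC) from a bookmark file body."""
    match = PTIME_RE.search(xml_text)
    if not match:
        raise ValueError("no <ptime> element in bookmark file")
    return datetime.strptime(match.group(1), "%Y-%b-%d %H:%M:%S.%f")


def check_bookmark(source_name, xml_text, now):
    """Evaluate one bookmark. source_name is the file stem, e.g.
    'azureaudit.AzurePortalLogs'; the plugin is the part before the first dot.
    Returns (plugin, age_days, limit_days, stale)."""
    plugin = source_name.split(".", 1)[0]
    limit = LOOKBACK_DAYS.get(plugin)
    age_days = (now - parse_ptime(xml_text)).total_seconds() / 86400.0
    stale = limit is not None and age_days > limit
    return plugin, age_days, limit, stale


def scan_bookmarks(directory=BOOKMARK_DIR, now=None):
    """Check every *.xml bookmark under directory; returns {file stem: result}."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return {p.stem: check_bookmark(p.stem, p.read_text(), now)
            for p in Path(directory).glob("*.xml")}


if __name__ == "__main__":
    for name, (plugin, age, limit, stale) in scan_bookmarks().items():
        state = "STALE - re-create the event source" if stale else "ok"
        print(f"{name}: age {age:.1f}d (limit {limit}) {state}")
```

Run it on the Log Collector host; any source reported as STALE will hit the errors shown in the Issue section until it is re-created with a fresh Start Date.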

Resolution: Follow the steps below to resume Azure log collection.
  1. Log in to the NetWitness GUI and go to Log Collector -> Config -> Event Sources.
  2. Select Plugins from the drop-down and choose Config.
  3. Select azureaudit under Event Categories and edit the existing configuration in the Sources page to disable it by clearing the Enabled checkbox.
  4. Re-add the configuration with a new name in the Name field, keep all other settings the same as the old configuration, and run Test Connection. The result should be Passed.
    Note: Start Date must be less than 90 days; the maximum value is 89.
    Note: For Azure AD sign-in, Start Date can be 0-29.
  5. Verify that the latest Azure logs are arriving in the Investigate -> Navigate page.
For more details on Azure configuration, see the Azure Event Source Configuration Guide.