Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000039290 - RSA NetWitness Azure Monitor collection is not starting due to invalid partition count for EventHub

Document created by RSA Customer Support

on Sep 17, 2020

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000039290
Applies To	RSA Product Set: RSA NetWitness Platform RSA Product/Service Type: Core Appliance RSA Version/Condition: 11.4.1.2 Platform: CentOS O/S Version: 7
Issue	Azure Monitor Collection configured using Azure Monitor Event Source Configuration Guide and Test connection failing with below error in messages. /var/log/messages: Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:01Z AzuremonitorCollector Starting events loop Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector pump: partition 1, sequence_no -1 Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector pump: partition 0, sequence_no -1 Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:794] [azuremonitor.AzureLog ] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector pump: partition 2, sequence_no -1 Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:800] [azuremonitor.AzureLogs] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector Got exception in Partition Pump 2. Exception The specified partition is invalid for an EventHub partition sender or receiver. It should be between 0 and 1.Parameter name: PartitionId TrackingId:18604e09a7c44466946e423292631974_G17, SystemTracker:gateway5, Timestamp:2020-09-01T12:51:02com.microsoft:argument-out-of-range: The specified partition is invalid for an EventHub partition sender or receiver. It should be between 0 and 1.Parameter name: PartitionId TrackingId:18604e09a7c44466946e423292631974_G17, SystemTracker:gateway5, Timestamp:2020-09-01T12:51:02 Sep 1 12:51:03 LogCollector NwLogCollector[38018]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[4]payloadService:24261] [onLog:800] [azuremonitor.AzureLogs] [processing] [WorkUnit] [processing] 2020-09-01T12:51:03Z AzuremonitorCollector Aborting
Cause	This issue is due to less number of partitions allocated for Event hub in Azure as below.
Resolution	Please follow the below steps to verify the Event hub partition details. Please login to Azure Portal. On the Event Hubs Namespace page, select Event Hubs in the left menu. Right-hand side the list of event hubs that are created and Partition count will be shown as above. It is required to have 4 partitions for Event Hub as documented in Azure Monitor Event Source Configuration Guide page 3. Please delete the Event hub with partition count 2 and Recreate Event hub with Partition count 4 and Message Retention 7 days using Quickstart: Create an event hub using Azure portal Once recreation of the event hub with correct partitions and all configuration as per the configuration guide done, Please test the connection in LogCollector for Azure Monitor instance and this test will be successful. Also, verify Azure monitor logs in the Investigate page.

Attachments

Outcomes

0 Comments

Recommended Content