Open fa-clavis opened 1 month ago
Hello team, any updates regarding this issue?
Hey @fa-clavis, thanks for flagging this issue; we will investigate it and get back to you with some updates. Thanks!
Hello @v-sudkharat, any updates regarding this issue?
Hey @fa-clavis, we are checking the function code for duplicate ingestion of data. Just wanted to know, is it possible for you to share an OCI demo account with us, so we can check our changes? Or please let us also know if you have any test workspace in your environment where you can test our change. Thanks!
Hello @v-sudkharat, I talked with the client here, and they don't have a test environment available for OCI; however, they prefer to do the troubleshooting in a quick meet. Is there any way we can schedule this meeting through e-mail or Teams?
Hi @fa-clavis, let us check with our team to validate some changes, which require the OCI env. Once it gets validated, we will update you. Thanks!
Hello @v-sudkharat, great news! Hope it gets fixed ASAP!
Hi @fa-clavis, could you please share a few events generated with the same id_g with us via mail (v-sudkharat@microsoft.com), so we can understand the duplication of data in each event?
Hi @fa-clavis, just want to check with you: are there multiple function apps deployed in the environment that point to the same workspace?
@fa-clavis, waiting for your response on the above comment, so that based on it we can reach out to the respective team. Thanks!
Hi @fa-clavis, any response for us?
Hello @v-sudkharat, sorry for the delay. No, there is only 1 function app which is now in the "stopped" status.
@fa-clavis, thank you for the update. We are connecting with the concerned data connector team for this issue; we will keep you updated. Thanks!
Describe the bug
Hello team,
When I was going to model and create some analytics rules for a client, I noticed that there were multiple logs with the same "id_g" field populated into the OCI_Logs_CL table.
This "id_g" field (in OCI logs it's the eventID) is the unique identifier that every alert receives, so there shouldn't be multiple logs with the same ID in Sentinel. Source: https://docs.oracle.com/en-us/iaas/Content/Audit/Reference/logeventreference.htm
I have installed the default Azure Function with the ARM template. While I have cross-checked multiple eventIDs in the OCI audit logs, I'm not sure why the same log is being populated 2, 3, 5, 30 times or more.
See the attached screenshots to understand the issue better.
P.S. I suspected something was odd with the connector because of the amount of logs being ingested, since the amount of logs produced in OCI is much less than in the client's AWS environment.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The expected behavior is to ingest each eventID once and not multiple times.
Screenshots
Additional context
To install and configure the data connector, I used the following resources:
While the log is unique within the Audit Log service, I strongly believe there is something wrong with the Function App or the Python script where the cursor isn't being set up correctly as it pages through the logs.
I believe the problem is somewhere near this line in the main.py file: https://github.com/Azure/Azure-Sentinel/blob/296f272801f36b1945cc2b921d1ec55746617ac4/Solutions/Oracle%20Cloud%20Infrastructure/Data%20Connectors/AzureFunctionOCILogs/main.py#L131
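The failure mode described in this report (a paging cursor that is not advanced, so the same page of events is fetched and forwarded repeatedly) can be illustrated with a small simulation. The following is an added example, not code from the Azure-Sentinel connector or from the reporter; `FakeLogSource`, its `get_page` method, the `eventId` field name and the sample events are all constructed stand-ins for the OCI API and the id_g column. It shows the buggy pattern beside a corrected one that advances the cursor and deduplicates by event id, plus the duplicate-count check the reporter ran against the ingested table.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample events standing in for OCI audit records; "eventId" plays
# the role of the id_g field in the report. Not real OCI data.
SAMPLE_EVENTS: List[dict] = [
    {"eventId": f"ev-{i}", "eventTime": f"2024-01-01T00:0{i}:00Z"}
    for i in range(1, 8)
]


class FakeLogSource:
    """Hypothetical paged API: get_page(cursor) returns (events, next_cursor).
    next_cursor is None once every event has been served."""

    def __init__(self, events: List[dict], page_size: int) -> None:
        self._events = events
        self._page_size = page_size

    def get_page(self, cursor: Optional[str]) -> Tuple[List[dict], Optional[str]]:
        start = int(cursor) if cursor is not None else 0
        end = start + self._page_size
        next_cursor = str(end) if end < len(self._events) else None
        return self._events[start:end], next_cursor


def collect_without_advancing(source: FakeLogSource, max_pages: int) -> List[dict]:
    """Buggy paging: the cursor returned with each page is ignored, so every
    iteration re-fetches the first page and emits the same events again."""
    cursor: Optional[str] = None
    collected: List[dict] = []
    for _ in range(max_pages):
        page, _next_cursor = source.get_page(cursor)  # bug: cursor is never updated
        collected.extend(page)
    return collected


def collect_with_cursor(source: FakeLogSource, seen_ids: Optional[set] = None) -> List[dict]:
    """Corrected paging: advance the cursor on every page, stop when the source
    reports no next page, and drop any event id already forwarded. In a real
    connector seen_ids would be persisted between timer invocations (checkpoint)."""
    seen = seen_ids if seen_ids is not None else set()
    cursor: Optional[str] = None
    collected: List[dict] = []
    while True:
        page, cursor = source.get_page(cursor)
        for event in page:
            if event["eventId"] in seen:
                continue
            seen.add(event["eventId"])
            collected.append(event)
        if cursor is None:
            break
    return collected


def duplicate_ids(events: List[dict]) -> Dict[str, int]:
    """The check from the report: which event ids occur more than once, and how often."""
    counts = Counter(e["eventId"] for e in events)
    return {eid: n for eid, n in counts.items() if n > 1}


if __name__ == "__main__":
    source = FakeLogSource(SAMPLE_EVENTS, page_size=3)
    print("buggy:", duplicate_ids(collect_without_advancing(source, max_pages=3)))
    print("fixed:", duplicate_ids(collect_with_cursor(source)))
```

Running `duplicate_ids` over the output of the buggy collector reproduces the symptom from the report (the first page's ids appear once per iteration); the corrected collector yields each id once, and a second run with the same `seen_ids` set forwards nothing, which is the idempotence a timer-triggered ingestion function needs.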