microsoft / AzureMonitorAddonForSplunk

A Splunk add-on (aka modular input) that brings Metrics and Diagnostic Logs from various Azure ARM resources and the subscription-wide Activity Log (aka Audit Log) to Splunk Enterprise.

TypeError: Cannot read property 'write' of null (frames.js:64:9) #118

Closed 1trevor closed 5 years ago

1trevor commented 5 years ago

I'm receiving this error in the splunkd log every minute. No data is being ingested. I have double-checked the configuration in Azure and Splunk multiple times. Any idea what could be causing this?

ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Azure_Monitor/bin/azure_activity_log.sh"
TypeError: Cannot read property 'write' of null
    at Object.frames.writeFrame (/opt/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/frames.js:64:9)
    at Connection.sendFrame (/opt/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/connection.js:329:10)
    at Connection.sendFrame (/opt/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/connection.js:329:10)
    at Timeout._onTimeout (/opt/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/link.js:270:12)
    at ontimeout (timers.js:386:11)
    at tryOnTimeout (timers.js:250:5)
    at Timer.listOnTimeout (timers.js:214:5)

sebastus commented 5 years ago

Remove from hubs.json any hub that does not exist in the namespace.

On Thu, Jan 24, 2019, 7:56 PM Trevor <notifications@github.com> wrote:

I'm receiving this error in the splunkd log every minute. No data is being ingested. I have double-checked the configuration in Azure and Splunk multiple times. Any idea what could be causing this?

TypeError: Cannot read property 'write' of null
    at Object.frames.writeFrame (/opt/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/frames.js:64:9)
    at Connection.sendFrame (/opt/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/connection.js:329:10)
    at Connection.sendFrame (/opt/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/connection.js:329:10)
    at Timeout._onTimeout (/opt/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/link.js:270:12)
    at ontimeout (timers.js:386:11)
    at tryOnTimeout (timers.js:250:5)
    at Timer.listOnTimeout (timers.js:214:5)


1trevor commented 5 years ago

This is what I see in hubs.json. Are these all supposed to be event hub names? Where did this list come from? I don't have any of these event hubs.

{
    "insights-logs-workflowruntime": "workflowId",
    "insights-logs-networksecuritygrouprulecounter": "resourceId",
    "insights-logs-networksecuritygroupevent": "resourceId",
    "insights-logs-applicationgatewayaccesslog": "resourceId",
    "insights-logs-applicationgatewayperformancelog": "resourceId",
    "insights-logs-applicationgatewayfirewalllog": "resourceId",
    "insights-logs-loadbalanceralertevent": "resourceId",
    "insights-logs-loadbalancerprobehealthstatus": "resourceId",
    "insights-logs-auditevent": "resourceId",
    "insights-logs-servicelog": "resourceId",
    "insights-logs-integrationaccounttrackingevents": "resourceId",
    "insights-logs-joblogs": "resourceId",
    "insights-logs-jobstreams": "resourceId",
    "insights-logs-audit": "resourceId",
    "insights-logs-signin": "resourceId",
    "insights-logs-signinlogs": "resourceId",
    "insights-logs-requests": "resourceId",
    "insights-logs-requestlogs": "resourceId",
    "insights-logs-operationallogs": "resourceId",
    "insights-logs-execution": "resourceId",
    "insights-logs-authoring": "resourceId",
    "insights-logs-alerts": "resourceId"
}

sebastus commented 5 years ago

They are a default set. I learned recently that only existing hubs should be in the file. Do you know how to get that list?

1trevor commented 5 years ago

So I changed it to this but I still get the same error. Do I have the format correct? The value should always be "resourceId"? I noticed the first one in the default list is "workflowId"

{
    "insights-logs-auditlogs": "resourceId",
    "insights-logs-signinlogs": "resourceId"
}

sebastus commented 5 years ago

It looks fine. Do both hubs have 4 partitions?

1trevor commented 5 years ago

Yes they do.

I also see in the debug logs that it's trying to access a hub called insights-operational-logs, which is hardcoded in bin/app/azure_monitor_logs.js:514

Should I create a hub with that name?

sebastus commented 5 years ago

That sounds like activity log. Did you set them to export?

1trevor commented 5 years ago

I set the Azure Active Directory Activity logs to export, which created 2 event hubs - insights-logs-auditlogs and insights-logs-signinlogs. Those are the only things I'm trying to ingest at the moment.

sebastus commented 5 years ago

How many data inputs did you configure?

1trevor commented 5 years ago

Just the one for Activity log. I just configured the same settings under diagnostic logs and it's working now. The issue is resolved.

Is there any documentation that explains the difference between the Activity/Diagnostic/Metrics inputs and when to use each one?

sebastus commented 5 years ago

I'm pretty sure the wiki explains it. I'll answer more fully tomorrow. I'm in Britain. Bedtime. 😴

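The advice in this thread (keep in hubs.json only hubs that exist in the namespace) can be checked mechanically. The following is an added example, not code from the add-on or from either participant: `reconcileHubs` is a hypothetical helper, the list of existing hubs is assumed to be supplied by the operator, the sample config is a subset of the default file quoted above, and giving newly found hubs the value "resourceId" is an assumption based on the format used in the thread.

```javascript
'use strict';

// Subset of the default hubs.json quoted in the thread (constructed sample input).
const defaultHubs = {
  'insights-logs-workflowruntime': 'workflowId',
  'insights-logs-networksecuritygroupevent': 'resourceId',
  'insights-logs-audit': 'resourceId',
  'insights-logs-signin': 'resourceId',
  'insights-logs-signinlogs': 'resourceId',
  'insights-logs-operationallogs': 'resourceId',
};

// Hubs that exist in the namespace: the two named in the thread.
const existingHubs = ['insights-logs-auditlogs', 'insights-logs-signinlogs'];

// Hypothetical helper: reconcile a hubs.json object against the namespace.
// Returns the pruned config plus what was dropped and what was added.
function reconcileHubs(configured, existing, defaultKey = 'resourceId') {
  const present = new Set(existing.map((name) => name.trim()));
  const hubs = {};
  const removed = [];
  for (const [hub, idField] of Object.entries(configured)) {
    if (typeof idField !== 'string' || idField === '') {
      throw new TypeError(`hubs.json value for ${hub} must be a non-empty string`);
    }
    if (present.has(hub)) hubs[hub] = idField; // hub exists: keep its entry
    else removed.push(hub);                    // hub absent: drop from the file
  }
  // Hubs that exist but were never configured (assumed value: defaultKey).
  const added = [...present].filter((hub) => !(hub in hubs)).sort();
  for (const hub of added) hubs[hub] = defaultKey;
  return { hubs, removed, added };
}

const result = reconcileHubs(defaultHubs, existingHubs);
console.log(JSON.stringify(result.hubs, null, 4)); // candidate hubs.json
console.error('removed (not in namespace):', result.removed.join(', '));
console.error('added (in namespace, not configured):', result.added.join(', '));
```
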