Azure ATP Sensor Log Errors


We are seeing two errors repeatedly in the Microsoft.Tri.Sensor-Errors.log file. We have the agent installed directly on the domain controllers. Does anyone have insight into what these mean or how to resolve them?

 

Error 1:

2019-06-24 12:15:56.4471 Error EventLogException System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
at EventLogHandle System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, string path, string query, EventLogHandle bookmark, IntPtr context, IntPtr callback, int flags)
at void System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
at Task Microsoft.Tri.Sensor.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync()+(KeyValuePair<string, EventLogWatcher> _) => { }
at void MoreLinq.MoreEnumerable.ForEach<T>(IEnumerable<T> source, Action<T> action)
at async Task Microsoft.Tri.Sensor.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync()
at async Task Microsoft.Tri.Infrastructure.Module.RunTaskAsync(Func<Task> actionAsync, string name, SimpleTimeMetric timeMetric)
at void Microsoft.Tri.Infrastructure.Module+<>c__DisplayClass30_0+<<RegisterPeriodicTask>b__1>d.MoveNext()
at void Microsoft.Tri.Infrastructure.TaskExtension+<>c__DisplayClass22_0+<<RunPeriodic>b__0>d.MoveNext()

 

Error 2:

2019-06-24 12:15:56.1975 Error IpParser Error parsing datagram
System.OverflowException: Arithmetic operation resulted in an overflow.
at void Microsoft.Tri.Sensor.IpParser.ParseVersion4(IpDatagram datagram, BufferSlice bufferSlice)
at void Microsoft.Tri.Sensor.IpParser.Parse(DateTime frameTime, BufferSlice bufferSlice)
at Microsoft.Tri.Sensor.ParsingOrchestrator(IBufferPool bufferPool, IConfigurationManager configurationManager, IEntityResolver entityResolver, IEntitySender entitySender, IMetricManager metricManager, INetworkAdaptersManager networkAdaptersManager, ISensorExceptionStatisticsManager sensorExceptionStatisticsManager, ISensorSecretManager sensorSecretManager)+(int parallelismIndex, Datagram datagram) => { }

1 Reply

@Jerry Kiedrowski 

The first error you found says we fail to read the security log, probably due to permissions.

During deployment we add read permissions to the log; it looks like that either did not work or was overridden later.

Try to uninstall the Sensor, then reinstall (keep the deployment logs!) and see if it resolves the issue.

 

For the second case, if you have only a few of these errors, you can ignore them; if you have a lot, then:

Are you running on VMware? If so, did you remember to disable TSO offload?
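Before uninstalling and reinstalling, it is worth confirming both diagnoses from the reply above on the affected DC. The script below is an added diagnostic written for this thread, not code from Microsoft or from the sensor; it assumes the sensor service is named AATPSensor and, if that lookup fails, that it runs as NT AUTHORITY\LOCAL SERVICE (SID S-1-5-19). It checks (1) whether that account holds an explicit read ACE (0x1, ELF_LOGFILE_READ) on the Security channel's security descriptor, which is what EvtSubscribe needs and what the UnauthorizedAccessException in Error 1 points at, and (2) whether any adapter still has Large Send Offload enabled, which is the VMware TSO question raised for Error 2. Run it elevated; pass -DisableLso to actually turn LSO off.

```powershell
# Added diagnostic for this thread (not part of Azure ATP). Run as Administrator on the DC.
# Assumptions: sensor service name 'AATPSensor'; fallback account Local Service (S-1-5-19).
param([switch]$DisableLso)

$SensorService = 'AATPSensor'   # assumed service name
$ReadRight     = 0x1            # ELF_LOGFILE_READ: the right EvtSubscribe needs on the channel

# --- 1. Which account does the sensor run as? ---------------------------------
$SensorSid = 'S-1-5-19'         # fallback: NT AUTHORITY\LOCAL SERVICE
$svc = Get-CimInstance Win32_Service -Filter "Name='$SensorService'"
if ($svc) {
    "Sensor service '$SensorService' runs as: $($svc.StartName)"
    try {
        $SensorSid = (New-Object System.Security.Principal.NTAccount($svc.StartName)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        "Could not resolve '$($svc.StartName)' to a SID, assuming $SensorSid"
    }
} else {
    "Service '$SensorService' not found; assuming account $SensorSid"
}

# --- 2. Does that SID have an explicit read ACE on the Security channel? -------
$sddl = (Get-WinEvent -ListLog Security).SecurityDescriptor
"Security log SDDL: $sddl"
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$allowed = $false
$denied  = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    if ($ace.SecurityIdentifier.Value -ne $SensorSid)          { continue }
    if (($ace.AccessMask -band $ReadRight) -eq 0)               { continue }
    if ($ace.AceType -eq 'AccessAllowed') { $allowed = $true }
    if ($ace.AceType -eq 'AccessDenied')  { $denied  = $true }
}
if ($denied) {
    "FAIL: $SensorSid has an explicit DENY for read (0x1) on the Security log; a deny ACE wins over any allow."
} elseif ($allowed) {
    "OK: $SensorSid has an explicit read (0x1) ACE on the Security log."
} else {
    "FAIL: no explicit read ACE for $SensorSid on the Security log (group membership is not evaluated here)."
    "      Expected something like (A;;0x1;;;$SensorSid) in the SDDL above; a GPO or hardening script may have replaced it."
}

# --- 3. Large Send Offload (TSO) state per adapter -----------------------------
$lso = Get-NetAdapterLso | Where-Object { $_.IPv4Enabled -or $_.IPv6Enabled }
if (-not $lso) {
    "OK: LSO is disabled on every adapter."
} else {
    "WARN: LSO still enabled on: $(($lso | ForEach-Object Name) -join ', ')"
    if ($DisableLso) {
        foreach ($l in $lso) {
            # Disable-NetAdapterLso is the documented way to turn LSO off; revert with Enable-NetAdapterLso.
            Disable-NetAdapterLso -Name $l.Name -IPv4 -IPv6
            "Disabled LSO on $($l.Name)"
        }
    } else {
        "Re-run with -DisableLso to turn it off (oversized frames from LSO are one known cause of IpParser overflow errors on VMware)."
    }
}
```

Two caveats: the ACE check is deliberately narrow, so a read right inherited through a group (for example Event Log Readers, S-1-5-32-573) would show as FAIL here even though the sensor would work; and if the read ACE is present but Error 1 persists, compare the SDDL against the deployment logs from the original install, since a Group Policy "Configure log access" setting for the Security log rewrites the whole descriptor on every refresh and will silently undo whatever the installer added.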