Sensor failing to install on all DCs

Microsoft

Has anyone seen any of these errors? Trying to install the sensor, but it is failing on both VMware and Hyper-V DCs. .NET 4.8 is installed and it doesn't matter if Npcap is installed or not. Traffic appears to be getting through the firewall.

 

2021-08-26 18:53:48.8640 Error EventLogException Deployer failed [arguments=IwODjlqAqQaXxJYpF4fBCw==]
System.Diagnostics.Eventing.Reader.EventLogInvalidDataException: The data is invalid
at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
at void System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSaveChannelConfig(EventLogHandle channelConfig, int flags)
at bool Microsoft.Tri.Sensor.Deployment.Deployer.ConfigureVirtualServiceAccountAction.ApplyInternal()
at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
at void Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(bool suppressFailure)
at int Microsoft.Tri.Sensor.Deployment.Deployer.Program.Main(string[] commandLineArguments)

 

[0F20:18C0][2021-08-26T11:53:50]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[0F20:18C0][2021-08-26T11:53:50]i000: 2021-08-26 18:53:50.1290 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]

 

MSI (s) (54:8C) [11:53:49:943]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

3 Replies
The deployment fails when it tries to give the sensor read access to read logs from the local security event log; either there is a corruption or the machine was hardened to block it...
The server has been hardened, so what do I need to give access to the read logs? Would that be the gMSA that we set up?
No,
The deployment needs permissions to modify the ACL on this log.
Try to give modify ACL permissions to the account running the deployment.
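
A read-only check for the situation the replies describe, added here as an example and not taken from the thread or from Microsoft's installer: it shows the Security log's current access SDDL, whether it parses, and whether a policy or legacy registry value is supplying it. The two registry locations are the standard Windows ones for event log access control; that the hardening on these DCs used either of them is an assumption.

```powershell
# Added diagnostic (read-only). Run from an elevated PowerShell on the affected DC.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'   # GPO "Configure log access"
$legacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'     # legacy CustomSD value

function Get-RegistrySddl {
    param([string]$Path, [string]$Name)
    # Returns the value if it exists, otherwise $null.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-Sddl {
    param([string]$Sddl)
    # $null = value not set, $true = parses as SDDL, $false = malformed string.
    if ([string]::IsNullOrWhiteSpace($Sddl)) { return $null }
    try { ConvertFrom-SddlString -Sddl $Sddl -ErrorAction Stop | Out-Null; $true }
    catch { $false }
}

# Account that would run the sensor deployment, and whether it is elevated.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)

# Effective channel ACL as the Event Log service reports it.
$effective = (Get-WinEvent -ListLog Security).SecurityDescriptor
$policy    = Get-RegistrySddl -Path $policyKey -Name 'ChannelAccess'
$legacy    = Get-RegistrySddl -Path $legacyKey -Name 'CustomSD'

[pscustomobject]@{
    RunningAs           = $id.Name
    Elevated            = $isAdmin
    EffectiveSddl       = $effective
    EffectiveParses     = Test-Sddl $effective
    PolicyChannelAccess = $policy
    PolicyParses        = Test-Sddl $policy
    LegacyCustomSD      = $legacy
    LegacyParses        = Test-Sddl $legacy
} | Format-List

# List the individual ACEs so the hardening change can be reviewed entry by entry.
if (Test-Sddl $effective) {
    (ConvertFrom-SddlString -Sddl $effective).DiscretionaryAcl
}
```

If `PolicyChannelAccess` is populated, the log's ACL is being set through Group Policy, so that policy is where the hardening should be reviewed before re-running the installer.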