Duplicate logs with GitHub API data ingestions #11404
Comments
I have already looked into issue #9356, but the solution offered has not helped because I am already using an org.json file with the new structure and do not see any rate limits.
Hi @l-koppuravuri-BL, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!
@l-koppuravuri-BL, are you using this data connector to pull the data? - https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GithubFunction And is there any other connector configured and pointing to the same workspace?
@v-sudkharat No additional connectors are configured on this workspace.
In the logic app step where you have the API URL, were you able to specify the time interval and format (start and end time, some might want ISO format) based on GitHub documentation on how the API should be used?
@l-koppuravuri-BL, could you please confirm this connector has been configured - https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GithubFunction Or please let us know if any logic app has been set up in the env mentioned in the above comment. Thanks!
@v-sudkharat We have set up connectors based on both logic apps and function apps, and we have observed that they behave in the same way. Since both connectors report to distinct log analytics workspaces, there should not be any conflicts or duplicate logs. @onyigbo: I am not sure to whom you are addressing the time interval question, but I have not set it up that way and did not notice any input parameters during deployment.
Hey @l-koppuravuri-BL,
are ingesting the GitHub audit logs via a - GraphQL ( https://developer.github.com/v4/interface/auditentry/ ) So, as you have configured both, it will use the same table " And, if both the logic app and function app are configured into different workspaces, you can verify that a different workspace ID and KEY have been entered during pre-deployment: For Logic app you can check in deployed If both the values are the same, then it's ingesting the data into the same workspace, which causes the duplicates. Thanks!
Hello @v-sudkharat As shared earlier, we have configured function app and logic app solutions on distinct log analytics workspaces. In fact, initially we tried with a logic app-based solution and then deployed a function app-based solution after nearly 2 months, as we see duplicate logs.
@l-koppuravuri-BL, thanks for clarifying the details. We will check on the Function App and get back to you.
@v-sudkharat: I want to check if you have any further updates. If you like, we can also set up a meeting and go through the configuration.
@l-koppuravuri-BL, I was on leave and need some more time to investigate it and check with the concerned team. Once we are done, if required we can schedule a meeting. Thanks for the co-operation.
@l-koppuravuri-BL, Could you please send the In mail ID - [email protected] Tagging connector authors for visibility - @dicolanl / @sreedharande Thanks!
@v-sudkharat: sent both files.
@l-koppuravuri-BL, please share the GitHub_CL log. You can send the recent 24 hr one.
Describe the bug
We tried using function apps and logic apps to ingest GitHub data to Sentinel, and we found that both solutions were producing duplicate data. We wanted to make sure before looking into the code to see if this was a known problem or if there were any limitations.
To Reproduce
Steps to reproduce the behavior:
1. As mentioned in the documentation, deployed solutions and updated orgs, lastjobruntime.json files. Jobs running with default schedule of 10 minutes.
Expected behavior
Should not see the duplicate logs.
Screenshots