While trying to ingest the logs from Log Analytics, I am getting the error below:
ERROR pid=40806 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py", line 96, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/input_module_log_analytics.py", line 72, in collect_events
    response = requests.post(uri,json=search_params,headers=headers)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 110, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', error(104, 'Connection reset by peer'))
TA version is 1.0.3
The error indicates an authentication failure attempt. The API 104 error code is equivalent to HTTP error code 401. Looks like the credentials might be wrong. Could you double-check them, put in fresh ones and try again?
##If it helps, kindly consider an upvote/accepting the answer##
Hi @shivanshu1593 ,
After changing the application key, I am still getting the same error:
2022-05-24 11:09:58,455 ERROR pid=35614 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py", line 96, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/input_module_log_analytics.py", line 72, in collect_events
    response = requests.post(uri,json=search_params,headers=headers)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 110, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', error(104, 'Connection reset by peer'))
@jkat54 Can you help me here?
For some reason, the entity that you're trying to connect to is rejecting the authentication attempt due to invalid credentials (API error code 104 at the last line of the error log indicates the same). The error code also indicates that you're trying to post the data to the endpoint. Does your user have enough privileges to perform the operation? Does the endpoint that you're connecting to accept the incoming data, or does it require the authentication header in a very specific format? The add-on seems to be working as expected as it connects with the endpoint to post the data; it's the entity which is rejecting the authentication attempt.
I agree! Nicely explained!
It's still not working, guys. Any ideas?
Which steps did you take to try to fix? Your reply is too vague for me to help.
Added the new secret and verified the access on the Microsoft side, but no luck.
What error message are you getting now?
2022-10-31 09:41:14,147 ERROR pid=14783 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py", line 96, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/input_module_log_analytics.py", line 72, in collect_events
    response = requests.post(uri,json=search_params,headers=headers)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 110, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', error(104, 'Connection reset by peer'))
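
Added example, not part of the thread and not the add-on's own code: a triage helper that reads the final exception line of a traceback like the ones posted above and reports whether the failure is a socket-level errno (no HTTP response received) or an HTTP status. The `HTTPError` pattern assumes the caller uses `requests`' `raise_for_status()`, and the second sample line is constructed.

```python
import re

# Linux errno values that appear inside requests' ConnectionError tuples.
LINUX_ERRNO = {
    104: "ECONNRESET",    # a TCP RST arrived on the connection
    110: "ETIMEDOUT",
    111: "ECONNREFUSED",
    113: "EHOSTUNREACH",
}

# Matches Python 2 "error(104, ...)" and Python 3 "ConnectionResetError(104, ...)".
SOCKET_ERR = re.compile(
    r"ConnectionError: \('([^']*)', \w*[Ee]rror\((\d+), '([^']*)'\)\)")
# Assumption: message format of requests' raise_for_status().
HTTP_ERR = re.compile(r"HTTPError: (\d{3}) ")

# Final exception line copied from the traceback in this thread.
SAMPLE_RESET = ("ConnectionError: ('Connection aborted.', "
                "error(104, 'Connection reset by peer'))")
# Constructed line (not from the thread): an HTTP-level rejection.
SAMPLE_401 = ("HTTPError: 401 Client Error: Unauthorized for url: "
              "https://api.example.invalid/query")


def classify(log_text):
    """Return the failure layer and the first thing to check for it."""
    m = SOCKET_ERR.search(log_text)
    if m:
        code = int(m.group(2))
        return {"layer": "transport", "errno": code,
                "name": LINUX_ERRNO.get(code, "UNKNOWN"), "http_status": None,
                "next_check": "no HTTP response was received; test the path "
                              "from this host (proxy, firewall, TLS handshake)"}
    m = HTTP_ERR.search(log_text)
    if m:
        status = int(m.group(1))
        check = ("review credentials and assigned permissions"
                 if status in (401, 403)
                 else "read the response body for the API's error detail")
        return {"layer": "http", "errno": None, "name": None,
                "http_status": status, "next_check": check}
    return {"layer": "unknown", "errno": None, "name": None,
            "http_status": None, "next_check": "inspect the full traceback"}


if __name__ == "__main__":
    for line in (SAMPLE_RESET, SAMPLE_401):
        print(classify(line))
```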