Manually ASIM Deployment - Failed to validate, Conflict #8623
Comments
|
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal. |
|
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal. |
|
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal. |
|
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal. |
|
Hi @rcegan, we are checking on this and we will provide an update soon. |
|
Hi @rcegan, waiting for update from concerned team, once we receive an update will let you know. |
1 similar comment
|
Hi @rcegan, waiting for update from concerned team, once we receive an update will let you know. |
|
Hi @rcegan, we are still waiting for update from concerned team, we will get back to you once there is an update. |
1 similar comment
|
Hi @rcegan, we are still waiting for update from concerned team, we will get back to you once there is an update. |
|
I was able to work around the problem by deploying the resources to a different location than the log analytics workspace itself. Solves my issue but I suspect that's probably not the intended behaviour |
According to the error message, it is working as expected. Try deleting the previous one and installing in the same location, it should work fine. |
|
@rcegan thanks for raising this issue. Can you please share the location details where it failed and where it worked for you? |
|
I was working with Australia Southeast and Australia East. Deploying to Australia Southeast, with the log analytics workspace in the same location, the deployment failed (due to a resource already existing in that location - the workspace itself). Picking a different location (Australia East) it appeared to work fine. |
|
Hi, This behavior is as expected due to the following reason. Because the ASIM parsers already exists, this will result in an error as described above. There are 2 workarounds to remediate this issue:
It is more an issue related to Log Analytics than Microsoft Sentinel or ASIM as they are dependent on Log Analytics. What I can do is create a PowerShell script that updates the ASIM parsers is they already exists and use the ASIM yaml files as input. Or create and ARM template that uses a Script Extension to run the PowerShell script in a different context. This might need some extra permissions in the Azure Subscription / Resource Group but need to validate this first. |
|
@rcegan I created a new workspace, deployed Process Event parsers multiple times on same workspace. I didn't got that error. Am I missing anything that you tried? Which schema parser you were trying to deploy. Can you please retry on a new and on the same workspace you previously tried, see if you are still getting that error? |
|
Hi @rcegan, Gentle Reminder: We are awaiting for your response on this issue. If you still need to keep this issue active please respond on it in the next 2 days. If we don't receive response, we will be close this issue. |
|
Sorry to add to the noise, but I'm having the exact same problem. Tried deploying all ASIM parsers and then just one-by-one, same error message "Conflict"
I've tried putting the LAW in Australia Southeast and the LAW in Australia East, and also putting them in the same region, no difference to the output. Drilling into the error message isn't any more help, just states eTAG for specific error was outdated newer data exists. If you are using eTag please use the latest one and try again in a few minutes. Operation Id: '4918a525df68776dd0a7063aaa6db6dd' (Code: NewerDataExists) Trying to redeploy multiple times to get other deployments to succeed does not help either. |
|
@rcegan @jusso-dev FYI, this issue is being investigated. |
|
@rcegan @jusso-dev @azurekid |
|
tagging related issue, raised by another user - #10481 |
Only verify that the parent Log Analytics workspace exists and then deploy the saved search. The deployment will fail with `ResourceNotFound` error code if the Log Analytics workspace does not exist. Updated `languageVersion` to 2.0 as `existing` declarations require it. Ref: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-declaration#declare-existing-resources Relates: Azure#8623
|
The root cause of the issue is that each parser deployment script deploys the Log Analytics workspace before deploying the saved search. The conflict happens when tens of parser deployment ARM templates are trying to deploy the Log Analytics workspace at the same time. The current version of ASIM parser deployment could create a new Log Analytics workspace, which could be unwanted behavior. I would expect the ASIM parser deployment ARM template only to create parsers for the already existing Log Analytics workspace and not create another one if I, for example, type the workspace name wrong into the template. The issue does not relate to the existing versions of the ASIM parsers, as I have seen this issue occur when deploying the ASIM parsers for the first time to a given Log Analytics workspace. The error messages always refer to the workspace, which is constantly redeploying itself by the referenced ARM templates. Also, the referenced parser templates always seem to define I made an example commit on how the issue could be solved by only verifying the Log Analytics workspace exists by declaring the workspace as an existing resource: 0986d7f @vakohl, what do you think of this solution? Would you like me to implement it for the other parsers as well, or would you prefer to tackle the issue in-house? |
|
Any news on this? Here is when running the DNS asim by itself as an example: |
The deployment will fail with `ResourceNotFound` error code if the Log Analytics workspace does not exist. Relates: Azure#8623
|
I found a way to deploy the saved search without deploying the Log Analytics workspace and without using the Example: 5aa3b75 I will prepare the required changes for the parser ARM templates and create a PR. |
ASIM parser installation ARM templates should only install the saved search if the Log Analytics workspace already exists. Relates: Azure#8623
Describe the bug
Upon trying to deploy ASIM parsers via the 'Deploy to Azure' button and filling out the required parameters, a 'Conflict' error appears with the following error: (workspace, location and resource group have been omitted)
Upon giving it a different name, it creates a new LAW in the designated resource group.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The parsers should deploy into the targeted workspace and become available for query.
Screenshots
Desktop (please complete the following information):
Additional context
I have all required permissions to deploy this content.
The text was updated successfully, but these errors were encountered: