Unhandled exception error after drive filled RRS feed

  • Question

  • Our Log Integration Server C:\\ drive filled up. After cleanup the server by removing older azlog files it was restarted.  Now when attempting to run any 'azlog' commands as administrator, the following exception is thrown:
    Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
       at AZLOG.Config.ServiceState.Load() in E:\\bt\\810407\\repo\\src\\AZSIEMExport\\AZSIEM\\AZSIEMDll\\Config.cs:line 61
       at AZLOG.Program.RealMain(String[] args, Boolean& runTrackPageView) in E:\\bt\\810407\\repo\\src\\AZSIEMExport\\AZSIEM\\AZSIEM\\AZLOG.cs:line 282
       at AZLOG.Program.Main(String[] args) in E:\\bt\\810407\\repo\\src\\AZSIEMExport\\AZSIEM\\AZSIEM\\AZLOG.cs:line 222
    I also noticed the C:\\Users\\azlog\\azlog.10.config.ServiceState file is empty
    As a result our Active Directory, Resource Center, and Security Center logs are not being written to C: directories and getting into Splunk.
    Please advise on how to get this back up and running asap.
    Tuesday, April 2, 2019 11:42 PM

All replies

  • Hello romsdn, Please note that Log Integration service will be deprecated by 6/1/2019. Please visit here to review suggested replacement for Log integration

    First off, can you elaborate on the specific steps you took to perform the "cleanup"? Did you perform a hard delete or did you simply move the logs to another drive or repository? Also was the cleanup performed on one or multiple Log integration servers or is this an isolated incident? If multiple, are you experiencing the same issues on your other servers. If you deleted, then you may have inadvertently deleted some critical service state files. You may want to consider rolling back the cleanup assuming it wasn't a permanent deletion and see if that resolves your issue. You may also want to move the log location to a non-OS drive to prevent future occurrence - if possible.

    If this is a service-impacting incident, then I strongly recommend engaging the Azure technical support team to deep dive further. You can engage them using these steps. If you do not have a support plan, send mail to AzCommunity@microsoft.com, include your subscription ID and a link to this MSDN thread for context and we will gladly assist you with engaging support.

    Hope this helps.


    • Proposed as answer by Femisulu-MSFT Friday, April 5, 2019 7:00 AM
    Friday, April 5, 2019 6:56 AM