Troubleshooting

Configure additional logging for functions:

  1. Set EVENT_LEVEL environment variable on Protect function to Informational.
  2. Set PTY_LOG_LEVEL environment variable on both Protect function and Log Forwarder function to config.

Error

Detail


Unhandled exception. System.Exception: Failed to initialize 
function type,expecting environment variable 
'AzureWebJobs.AuditLogForwarder.Disabled' 
to be set to either 'true' or 'false'
  1. An environment variable ‘AzureWebJobs.AuditLogForwarder.Disabled’ is expected. This environment variable is added automatically when functions are deployed with ARM templates.
  2. Verify this environment variable exists and is set to ’true’ for Protect Service functions and is set to ‘false’ for Log Forwarder functions.

[2024/08/08 10:00:00] [error] [tls] error: unexpected EOF

Log Forwarder failed to verify ESA certificate

  1. If ESA is configured with self-signed certificate, verify that Log Forwarder ‘PTY_ESA_CA_SERVER_CERT’ is correctly set to ESA CA certificate string. Refer to Certificates on ESA for details.
  2. If ESA is configured with publicly signed certificate, ensure Log Forwarder ‘PTY_LOG_LEVEL’ is set to ‘all’ level, restart and re-test the Log Forwarder. Review the logs to see if your root CA is used. If not used, you may supply your public CA in Log forwarder configuration ‘PTY_ESA_CA_SERVER_CERT’.
  3. During initial non-production setup, SSL verification can be disabled by setting ‘PTY_ESA_DISABLE_TLS_CERT_VERIFY’ environment variable to ‘1’ or ’true’

Failed to aggregate audit logs, 1 audit logs dropped, error: 
The user, group or application 'appid=;oid=;iss=' does not have 
secrets get permission on key vault ';location='...
Status: 403 (Forbidden)
ErrorCode: Forbidden

Log Forwarder has no permissions to use Key Vault

  1. Verify Log Forwarder has access to the Key Vault.
  2. Consult section Update Function Key Vault Access Policies

TCP connection timed out: 001.001.001.001:9200

Log Forwarder failed to connect to ESA

  1. Ensure ESA is available on given IP address and 9200 port
  2. Consult section ESA Audit Store Configuration

fail: Protect.Aggregate[0] Failed to aggregate audit logs, 
1 audit logs dropped, error: Invalid URI: The format of the URI 
could not be determined. 
info: iap[0] Shared memory segment POLICY does not exist: The 
system cannot find the file specified.

Invalid Key Vault Uri format

  1. Ensure that environment variable KEY_VAULT_URI has correctly formatted url.
  2. Example 1: https://<keyvaultname>.vault.azure.net/
  3. Example 2: https://<keyvaultname>.vault.usgovcloudapi.net/

[Error] Azure-Messaging-EventHubs: An exception occurred while 
publishing a batch of events for buffered producer instance with 
identifier 'x' to Event Hub: audit-logs, Partition Id: '0', 
Operation Id: 'x'. Error Message: 'Unauthorized access.

Protect Service function failed to send messages to Event Hub

  1. Ensure Forwarder Function managed identity has ‘Azure Event Hubs Data Sender’ role assigned for the Event Hub resource.
  2. See Function User-Assigned Managed Identity and Function System-Assigned Managed Identity

Last modified : February 09, 2026