invictus-ir/Microsoft-Extractor-Suite

No replay on error from Search-UnifiedAuditLog in Get-UAL*

Closed this issue · 4 comments

Qazeer commented

Hi!

If an error occurs in Search-UnifiedAuditLog (which seems to happen from time to time), there is no try / catch replay in Get-UAL* cmdlets, resulting in the records from the timeframe to be skipped.

For example:

[screenshot of the error]

Hi Qazeer, thanks for opening this issue.
Well, an error like this (a disconnect) is really hard for us to build a check/fix for, I'd say, since PowerShell is throwing the error, which happens outside the script/modules we built. We've had this happen in the past and this is one of the reasons we have the Audit Log function. This log will automatically be created and allows you to continue where you left off using the time parameters. However, if you have a suggestion on how we could build a fix in, we're happy to give it a try, or you can submit a PR.

Qazeer commented

Maybe a try/catch like the one below would allow replaying the search on error?

[Array]$results = $null
$replayCounter = 0
# Replay the search up to 3 times if Search-UnifiedAuditLog throws (e.g. a transient disconnect)
while (($null -eq $results) -and ($replayCounter -lt 3)) {
   try {
       # -ErrorAction Stop turns a non-terminating error into an exception the catch block can handle
       $results = Search-UnifiedAuditLog -ErrorAction Stop # [...]
   }
   catch {
       $replayCounter = $replayCounter + 1
   }
}

To avoid duplicating this snippet on every Search-UnifiedAuditLog call, a wrapper could be used instead.

I can't test if this would fix the issue right now, but will give it a try tomorrow. It seems to help, but the connectivity problem is hard to replicate, so would need more testing to confirm.
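A wrapper along the lines suggested above, as an added example that is not code from this issue or from the Microsoft-Extractor-Suite project. The function name, the exponential back-off, and the injectable `-Search` scriptblock are assumptions, chosen so the replay path can be exercised offline with a constructed failing call instead of a live tenant.

```powershell
function Invoke-SearchWithReplay {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [int]$MaxAttempts = 3,
        [int]$BaseDelaySeconds = 5,
        # Assumption: the real call is injected so the retry logic can be tested without a tenant.
        [scriptblock]$Search = { param($s, $e)
            Search-UnifiedAuditLog -StartDate $s -EndDate $e -ResultSize 5000 -ErrorAction Stop }
    )
    $attempt = 0
    while ($attempt -lt $MaxAttempts) {
        $attempt++
        try {
            $results = @(& $Search $StartDate $EndDate)
            # Each returned record carries ResultCount (total matches); fewer records than that
            # means an incomplete page, so replay while attempts remain instead of silently skipping.
            if ($results.Count -gt 0 -and $results[0].ResultCount -gt $results.Count -and $attempt -lt $MaxAttempts) {
                Write-Warning ("Attempt {0}: got {1} of {2} records for {3:s}..{4:s}, replaying" -f
                    $attempt, $results.Count, $results[0].ResultCount, $StartDate, $EndDate)
                continue
            }
            return $results
        }
        catch {
            Write-Warning ("Attempt {0}/{1} failed for {2:s}..{3:s}: {4}" -f
                $attempt, $MaxAttempts, $StartDate, $EndDate, $_.Exception.Message)
            # Give up loudly rather than returning an empty set that looks like "no events".
            if ($attempt -ge $MaxAttempts) { throw }
            Start-Sleep -Seconds ($BaseDelaySeconds * [math]::Pow(2, $attempt - 1))
        }
    }
}

# Constructed demo (not a real tenant): the first call simulates a disconnect, the second succeeds.
$script:demoCalls = 0
$demoSearch = { param($s, $e)
    $script:demoCalls++
    if ($script:demoCalls -eq 1) { throw "Simulated remote session disconnect" }
    @([pscustomobject]@{ ResultCount = 2; Identity = 'rec-1' },
      [pscustomobject]@{ ResultCount = 2; Identity = 'rec-2' })
}
$records = Invoke-SearchWithReplay -StartDate (Get-Date '2024-01-01') -EndDate (Get-Date '2024-01-02') `
    -BaseDelaySeconds 0 -Search $demoSearch
"Returned $($records.Count) records after $script:demoCalls call(s)"
```

With the real default `-Search`, a window whose attempts are all exhausted still throws, so the caller (or the Audit Log file mentioned above) records which timeframe needs to be re-run.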

Hi Qazeer, thank you for providing the feedback and testing. We've discussed it internally and we believe that it's best to rely on the PowerShell-generated errors to determine what went wrong when running the script. We do not want to build in all kinds of our own error handling when PowerShell will tell you what went wrong. Especially for disconnects like this, if they happen we would rather have you re-run the script for data integrity and completeness.

We believe that the current built-in checks are sufficient.

  • Connect check to make sure you're connected and have the right permissions
  • Retry check when the Search-UnifiedAuditLog doesn't return results when it should based on the ResultCount
  • Date/time check to see if you actually can acquire the data

If you prefer to have other checks feel free to implement them in your own scripts, that's the beauty of open-source.

Thanks again for reaching out and using our tool, we appreciate it.

Qazeer commented

Hey!

I do understand the design choice, as it indeed makes the code more complex. Just a note, however, on the check for Search-UnifiedAuditLog not returning results: I think it is currently not working as intended (which is why I had the error initially).

If we are talking about this one:

[screenshot of the retry check in the code]

$retryCount is not defined, and thus the continue statement is never reached.

Did a grep in a freshly cloned repo to make sure:
[screenshot of the grep output]