Skip to content
  • There are no suggestions because the search field is empty.

At least one VLC queue exists that does not have any consumers in RSA Security Analytics

Issue

At least one VLC queue exists that does not have any consumers in RSA Security Analytics.

In /var/log/messages on the VLC, an error similar to the following is displayed:

Aug  4 22:20:51 NWAPPLIANCE32722 nw[1434]: [MessageBroker] [warning] warning 2014-08-04T15.20.51Z At least one queue exists that does not have any consumers.  This condition may arise because the Log Collector is not currently running or parts of the system have been shut down.  In some cases this condition may arise becau

The message is truncated in /var/log/message. To obtain the full message, perform the following steps:

  1. In the Security Analytics UI, navigate to Administration -> Devices, select the VLC device, and click on View -> Logs.
  2. On the Historical tab, enter keywords "at least" and click Search.

The full message will be displayed, as shown below.

Warning 2014-08-05T09.00.51Z At least one queue exists that does not have any consumers. This condition may arise because the Log Collector is not currently running or parts of the system have been shut down. In some cases this condition may arise because a queue consumer (such as an event processor or VLC connection) was removed outside of the normal course of operation. The queue names that have no consumers are are: "shovel.sdee.Untitled", "shovel.file.Untitled", "shovel.syslog.Untitled", "shovel.checkpoint.Untitled", "shovel.windows.Untitled", "shovel.vmware.Untitled", "shovel.windowslegacy.Untitled", "shovel.snmptrap.Untitled", "shovel.odbc.Untitled". Make sure that the Log Collector process is running and that all event processors are in the running state. If this warning message persists and you are certain there are no legitimate consumers of these queues, you may delete them via the 'delete' property on the '/event-broker' node. Supply the queue name to delete...."


Cause

This issue occurs because when deleting a destination group in VLC -> Local Collector, it doesn't delete the queues.  It may also occur because the Log Collector is not currently running or parts of the system have been shut down.


Resolution

To delete the 'orphaned' queues listed in the error message:

  1. In Security Analytics UI, Navigate to Administration -> Devices, select the VLC device, and click on View -> Explore.
  2. Expand event-broker -> Stats -> Queues.
  3. Click on each of the queues listed in the error message (See the note below).
  4. Check and ensure that "active consumer" is zero (0).
  5. Right-click on Event-Broker and select Properties.
  6. From the drop-down box on properties window, select Delete.
  7. In Parameters, enter: queue="shovel.collection type.name" (seen in the error message) and click Send.
  8. ResponseOutput will show "Success".

Notes

When viewing the queues in event-broker -> Stats -> Queues, the queue naming convention is: shovel_collection type_name. But when deleting, the naming convention must be (shovel.collection type.name), which is the same as seen on the error message.


Product Details

RSA Product Set: RSA Security Analytics
RSA Product/Service Type: Virtual Log Collector
RabbitMQ Message Broker
RSA Version/Condition: 10.6

Approval Reviewer Queue

KCS Approval queue