Health & Wellness status alarm LogCollector Event Processor Exchange Bindings will not clear in RSA Security Analytics
Issue
Health & Wellness Alarm - LogCollector Event Processor Exchange Bindings with a value of "Unbounded Exchanges: windowslegacy" will not clear.
Tasks
This alarm indicates that the VLC rabbitmq-server has an exchange named windowslegacy but no bindings were found for it. One possible cause, among others, is the VLC being mistakenly tagged as a Local Collector (LC) instead of a Remote Collector (RC).
To clear this alarm you need to delete this windowslegacy exchange from the VLC rabbitmq-server.
One method is to use the VLC rabbitmq-server web interface to delete the existing exchange. Please refer to the article entitled How to access the RabbitMQ Web UI on RSA Security Analytics appliances for how to access the rabbitmq-server web interface.
If you are unable to access the VLC rabbitmq-server web interface, this article provides a method to run the command directly on the VLC to delete the exchange without requiring access to the rabbitmq-server web interface.
Resolution
Perform the steps below to delete the windowslegacy exchange from the VLC using the rabbitmqadmin.py script.
- Connect to the VLC via SSH and change to the /opt/netwitness/bin directory.
#cd /opt/netwitness/bin
- Verify that the windowslegacy exchange exists on the VLC using the rabbitmqadmin.py script.
#./rabbitmqadmin.py -P 15671 -s -V logcollection list exchanges
Sample output:
+---------------+--------------------+---------+-------------+---------+----------+
| vhost | name | type | auto_delete | durable | internal |
+---------------+--------------------+---------+-------------+---------+----------+
| logcollection | | direct | False | True | False |
| logcollection | amq.direct | direct | False | True | False |
| logcollection | amq.fanout | fanout | False | True | False |
| logcollection | amq.headers | headers | False | True | False |
| logcollection | amq.match | headers | False | True | False |
| logcollection | amq.rabbitmq.trace | topic | False | True | True |
| logcollection | amq.topic | topic | False | True | False |
| logcollection | checkpoint | direct | False | True | False |
| logcollection | cmdscript | direct | False | True | False |
| logcollection | file | direct | False | True | False |
| logcollection | netflow | direct | False | True | False |
| logcollection | odbc | direct | False | True | False |
| logcollection | rabbitmq.log | direct | False | True | False |
| logcollection | sdee | direct | False | True | False |
| logcollection | snmptrap | direct | False | True | False |
| logcollection | syslog | direct | False | True | False |
| logcollection | vmware | direct | False | True | False |
| logcollection | windows | direct | False | True | False |
| logcollection | windowslegacy | direct | False | True | False |
+---------------+--------------------+---------+-------------+---------+----------+
- Remove the windowslegacy exchange using the script.
#./rabbitmqadmin.py -P 15671 -s -V logcollection delete exchange name=windowslegacy
- Run the list exchanges command again to verify that the windowslegacy exchange is no longer listed.
#./rabbitmqadmin.py -P 15671 -s -V logcollection list exchanges
+---------------+--------------------+---------+-------------+---------+----------+
| vhost | name | type | auto_delete | durable | internal |
+---------------+--------------------+---------+-------------+---------+----------+
| logcollection | | direct | False | True | False |
| logcollection | amq.direct | direct | False | True | False |
| logcollection | amq.fanout | fanout | False | True | False |
| logcollection | amq.headers | headers | False | True | False |
| logcollection | amq.match | headers | False | True | False |
| logcollection | amq.rabbitmq.trace | topic | False | True | True |
| logcollection | amq.topic | topic | False | True | False |
| logcollection | checkpoint | direct | False | True | False |
| logcollection | cmdscript | direct | False | True | False |
| logcollection | file | direct | False | True | False |
| logcollection | netflow | direct | False | True | False |
| logcollection | odbc | direct | False | True | False |
| logcollection | rabbitmq.log | direct | False | True | False |
| logcollection | sdee | direct | False | True | False |
| logcollection | snmptrap | direct | False | True | False |
| logcollection | syslog | direct | False | True | False |
| logcollection | vmware | direct | False | True | False |
| logcollection | windows | direct | False | True | False |
+---------------+--------------------+---------+-------------+---------+----------+
Notes
- Make sure this alarm is from a VLC.
- This method can also apply to other collection exchanges that do not have any bindings. Simply change the exchange name in the delete command.
For example, to delete the syslog exchange you would issue the command below.
#./rabbitmqadmin.py -P 15671 -s -V logcollection delete exchange name=syslog
Product Details
RSA Product Set: NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: User Interface, Security Analytics Server, Log Collector
RSA Version/Condition: 10.6.3.x, 10.6.4.x