
RSA NetWitness Health & Wellness status alarm LogCollector Event Processor Exchange Bindings Status will not clear

Issue

In the NetWitness UI, under Admin > Health & Wellness, the Alarms tab shows an alarm for LogCollector Event Processor Exchange Bindings Status with a Value of "Unbounded Exchanges: netflow, windowslegacy" which will not clear.

Tasks

This Health & Wellness alarm indicates that the netflow and windowslegacy exchanges exist on the VLC rabbitmq-server, but no bindings to a matching queue were found for them.

Possible causes include, but are not limited to, the VLC being mistakenly tagged as a Local Collector (LC) instead of a Remote Collector (RC), or a rabbitmq queue having been removed without its exchange being removed.

To clear this alarm, you need to delete the netflow and windowslegacy exchanges from the VLC rabbitmq-server.

One method is to delete the exchanges through the VLC rabbitmq-server web interface.

Refer to the article "How to access the RabbitMQ Web UI on RSA Security Analytics appliances" for instructions on accessing the rabbitmq-server web interface.

If you are unable to access the VLC rabbitmq-server web interface, this article provides a method to run the command directly on the VLC to delete the exchange without requiring access to the rabbitmq-server web interface.

Resolution

Perform the steps below to delete the netflow and windowslegacy exchanges from the VLC using the rabbitmqadmin.py script.
  1. Connect to the VLC via SSH and navigate to the directory /opt/netwitness/bin.
    [root@VLC ~]# cd /opt/netwitness/bin
  2. Verify that the netflow and windowslegacy exchanges exist on the VLC using the rabbitmqadmin.py script.
    Sample command and output:
    [root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` list exchanges
    +---------------+--------------------+---------+-------------+---------+----------+
    |     vhost     |        name        |  type   | auto_delete | durable | internal |
    +---------------+--------------------+---------+-------------+---------+----------+
    | logcollection |                    | direct  | False       | True    | False    |
    | logcollection | amq.direct         | direct  | False       | True    | False    |
    | logcollection | amq.fanout         | fanout  | False       | True    | False    |
    | logcollection | amq.headers        | headers | False       | True    | False    |
    | logcollection | amq.match          | headers | False       | True    | False    |
    | logcollection | amq.rabbitmq.trace | topic   | False       | True    | True     |
    | logcollection | amq.topic          | topic   | False       | True    | False    |
    | logcollection | checkpoint         | direct  | False       | True    | False    |
    | logcollection | cmdscript          | direct  | False       | True    | False    |
    | logcollection | file               | direct  | False       | True    | False    |
    | logcollection | netflow            | direct  | False       | True    | False    |
    | logcollection | odbc               | direct  | False       | True    | False    |
    | logcollection | rabbitmq.log       | direct  | False       | True    | False    |
    | logcollection | sdee               | direct  | False       | True    | False    |
    | logcollection | snmptrap           | direct  | False       | True    | False    |
    | logcollection | syslog             | direct  | False       | True    | False    |
    | logcollection | vmware             | direct  | False       | True    | False    |
    | logcollection | windows            | direct  | False       | True    | False    |
    | logcollection | windowslegacy      | direct  | False       | True    | False    |
    +---------------+--------------------+---------+-------------+---------+----------+
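  3. Remove the netflow and windowslegacy exchanges. Each command has succeeded if its output ends with "exchange deleted", as in the sample below, even though a Python hashlib traceback is printed first.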
    [root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=netflow
    ERROR:root:code for hash md5 was not found.
    Traceback (most recent call last):
      File "/usr/lib64/python2.7/hashlib.py", line 129, in <module>
        globals()[__func_name] = __get_hash(__func_name)
      File "/usr/lib64/python2.7/hashlib.py", line 98, in __get_openssl_constructor
        f(usedforsecurity=False)
    ValueError: error:3207A06D:lib(50):B_HASH_init:cr new
    exchange deleted
    [root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=windowslegacy
    ERROR:root:code for hash md5 was not found.
    Traceback (most recent call last):
      File "/usr/lib64/python2.7/hashlib.py", line 129, in <module>
        globals()[__func_name] = __get_hash(__func_name)
      File "/usr/lib64/python2.7/hashlib.py", line 98, in __get_openssl_constructor
        f(usedforsecurity=False)
    ValueError: error:3207A06D:lib(50):B_HASH_init:cr new
    exchange deleted
  4. Run the list exchanges command again to verify that the netflow and windowslegacy exchanges are no longer listed.
    [root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` list exchanges
    +---------------+--------------------+---------+-------------+---------+----------+
    |     vhost     |        name        |  type   | auto_delete | durable | internal |
    +---------------+--------------------+---------+-------------+---------+----------+
    | logcollection |                    | direct  | False       | True    | False    |
    | logcollection | amq.direct         | direct  | False       | True    | False    |
    | logcollection | amq.fanout         | fanout  | False       | True    | False    |
    | logcollection | amq.headers        | headers | False       | True    | False    |
    | logcollection | amq.match          | headers | False       | True    | False    |
    | logcollection | amq.rabbitmq.trace | topic   | False       | True    | True     |
    | logcollection | amq.topic          | topic   | False       | True    | False    |
    | logcollection | checkpoint         | direct  | False       | True    | False    |
    | logcollection | cmdscript          | direct  | False       | True    | False    |
    | logcollection | file               | direct  | False       | True    | False    |
    | logcollection | odbc               | direct  | False       | True    | False    |
    | logcollection | rabbitmq.log       | direct  | False       | True    | False    |
    | logcollection | sdee               | direct  | False       | True    | False    |
    | logcollection | snmptrap           | direct  | False       | True    | False    |
    | logcollection | syslog             | direct  | False       | True    | False    |
    | logcollection | vmware             | direct  | False       | True    | False    |
    | logcollection | windows            | direct  | False       | True    | False    |
    +---------------+--------------------+---------+-------------+---------+----------+
  5. Confirm after 15 minutes that the NetWitness UI, Admin > Health & Wellness alarm for LogCollector Event Processor Exchange Bindings Status shows "CLEARED".

Notes

  • Make sure this Health & Wellness alarm is from a VLC.
  • This method can also apply to other collection exchanges that do not have any bindings.  Simply change the exchange name in the delete command.
     
    For example, to delete the syslog exchange you would issue the command below.
    ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=syslog
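
Step 3 and the note above both assume the exchange being deleted has no bindings; deleting one that is still bound would interrupt that collection type. The following added example (not part of the original article) checks this from rabbitmqadmin listings before any delete is run. The function name, the constructed sample data, and the availability of "-f tsv" and column arguments in the shipped rabbitmqadmin.py are assumptions.

```shell
#!/bin/sh
# Added example: confirm that each exchange named in the alarm exists and
# has no bindings before running "delete exchange" on it.

# classify_exchanges EXCHANGES_TSV BINDINGS_TSV NAME...
#   EXCHANGES_TSV: text of "list exchanges name"  (first line is the header)
#   BINDINGS_TSV:  text of "list bindings source" (first line is the header)
# Prints "<name> unbound|bound|missing" for each NAME and returns 1 if any
# NAME is bound or missing, i.e. is not a candidate for deletion.
classify_exchanges() {
  ex_list=$1; bind_list=$2; shift 2
  rc=0
  for name in "$@"; do
    if ! printf '%s\n' "$ex_list" | tail -n +2 | grep -Fxq -- "$name"; then
      echo "$name missing"; rc=1
    elif printf '%s\n' "$bind_list" | tail -n +2 | grep -Fxq -- "$name"; then
      echo "$name bound"; rc=1
    else
      echo "$name unbound"
    fi
  done
  return $rc
}

# Constructed sample listings (not captured from a real VLC). The empty
# lines stand for the default exchange, whose name is the empty string.
SAMPLE_EXCHANGES=$(printf 'name\n\namq.direct\nfile\nnetflow\nsyslog\nwindowslegacy\n')
SAMPLE_BINDINGS=$(printf 'source\n\n\nfile\nsyslog\nsyslog\n')

# Offline demonstration: syslog is still bound, so the overall result is 1.
classify_exchanges "$SAMPLE_EXCHANGES" "$SAMPLE_BINDINGS" \
  netflow windowslegacy syslog || true

# Live use on the VLC, with the same connection options as the article
# (assumes the shipped script accepts "-f tsv" and column arguments):
#   H=$(grep id /etc/salt/minion | awk '{print $2}')
#   RA="./rabbitmqadmin.py -s -P 15671 -V logcollection -H $H -f tsv"
#   classify_exchanges "$($RA list exchanges name)" \
#     "$($RA list bindings source)" netflow windowslegacy
```

Run the delete commands only for names reported as unbound; a name reported as bound still has a queue attached and should be investigated rather than deleted.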

Product Details

RSA Product Set: NetWitness Platform, Security Analytics
RSA Product/Service Type: User Interface, Security Analytics Server, Log Collector
RSA Version/Condition: 10.6.x, 11.x

Summary

There is a persistent Health & Wellness status alarm LogCollector Event Processor Exchange Bindings Status.

