RSA NetWitness VLC a rabbitmq queue exists that does not have any consumers

Issue

At least one rabbitmq queue on the VLC doesn't have any consumers in RSA NetWitness.

In /var/log/messages on the VLC, an error similar to the following is displayed:

Aug  4 22:20:51 NWAPPLIANCE32722 nw[1434]: [MessageBroker] [warning] warning 2014-08-04T15.20.51Z At least one queue exists that does not have any consumers.  This condition may arise because the Log Collector is not currently running or parts of the system have been shut down.  In some cases this condition may arise becau

The message is truncated in /var/log/message. To obtain the full message, perform the following steps:

1. In the NetWitness UI, navigate to Admin > Devices, select the VLC device, and click on View > Logs.
2. On the Historical tab, enter keywords "at least" and click Search.

The full message will be displayed, as shown below.

Warning 2014-08-05T09.00.51Z At least one queue exists that does not have any consumers. This condition may arise because the Log Collector is not currently running or parts of the system have been shut down. In some cases this condition may arise because a queue consumer (such as an event processor or VLC connection) was removed outside of the normal course of operation. The queue names that have no consumers are are: "shovel.sdee.Q2LC", "shovel.file.Q2LC", "shovel.syslog.Q2LC", "shovel.checkpoint.Q2LC", "shovel.windows.Q2LC", "shovel.vmware.Q2LC", "shovel.windowslegacy.Q2LC", "shovel.snmptrap.Q2LC", "shovel.odbc.Q2LC". Make sure that the Log Collector process is running and that all event processors are in the running state. If this warning message persists and you are certain there are no legitimate consumers of these queues, you may delete them via the 'delete' property on the '/event-broker' node. Supply the queue name to delete...."

Cause

This issue can occur when:

• Deleting a Destination Groups entry in NW UI, Admin > Services > {VLC} > Config, Local Collectors tab, doesn't delete the rabbitmq queues.
• Changing the Destination Groups entry to another name doesn't remove the old queues.
• The Log Collector (LC) is not currently running or communication between the LC and VLC is not working.

This leaves some rabbitmq queues on the VLC orphaned without any consumers.

Resolution

Get a list of the names of the 'orphaned' rabbitmq queues from the VLC

On the VLC device run the following command.

rabbitmqctl list_queues -p logcollection consumers name messages

Look for those queue names without an consumers.

For example: Where,
First column is the consumers count.
Second column is the rabbitmq queue name, in the format shovel.collection_type.name like, shovel.windowslegacy.Q2LC
Third column is the count of logs remaining in the queue.
 

Delete the 'orphaned' queues via the NetWitness UI

1. In NetWitness UI, navigate to Admin > Devices, select the VLC device, and click on View > Explore
2. Right-click on event-broker and select Properties
3. From the drop-down box on /event-broker properties window, select delete
4. In Parameters, enter: queue="shovel.collection_type.name" (seen in the error message, or from the above output) and click Send.
5. ResponseOutput will show "Success".

 

Or Delete the 'orphaned' queues from the command line

Run the following command to delete the rabbitmq queue.
Substitute the shovel.collection_type.name with the rabbitmq queue name in the error message, or from the above output.

For example:
Run the following command and confirm the queue is now deleted.

Notes

Any rabbitmq queue which has any outstanding logs which is deleted will also delete those logs.

From the above example those queues are:

Product Details

RSA Product Set: NetWitness Platform
RSA Product/Service Type: Virtual Log Collector (VLC), RabbitMQ Message Broker
RSA Version/Condition: 10.6, 11.x
Platform: CentOS

Summary

A rabbitmq queue on a NetWitness VLC doesn't have any consumer.

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue