RSA Security Analytics 10.4 log collection fails with the error message An error occurred publishing to an AMQP channel: NO_ROUTE
Issue
The Security Analytics log decoder is failing to consume logs from the local log collector, even though the Event Source is configured correctly. The /var/log/messages file reports an error similar to the following:
Nov 20 16:03:30 SALOGDECODER nw[23209]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange:checkpoint, routing key: checkpoint
Cause
This error indicates a disconnect between the log collector and the log decoder service. If both services reside on the same appliance, it is likely that the log collector was inadvertently configured as a remote collector instead of a local collector.
Resolution
In order to resolve the issue, perform the following steps:
- In the Security Analytics UI, navigate to Administration > Services.
- Select the Log Collector service and click on the Edit button.
- In the Options section, confirm that the Remote box is unchecked.
- Click on the Test Connection button to ensure that the connection is successful.
- Click on the Save button.
If the issue persists after making the change above, contact RSA Support and quote this article number for further assistance.
Notes
In order to verify that the events are being collected properly after the change above, follow the steps below.
- In the Security Analytics UI, navigate to Administration > Services.
- Select the Log Collector service, click the Action button on the far right side, and select View > Config.
- Click on the Event Sources tab.
- In the Event Categories section, select the appropriate event source.
- In the Sources section that populates, select the appropriate source and click the Edit button.
- In the Edit Source box, expand the Advanced section and set Debug to on.
- Click OK.
- In the black menu bar at the top of the screen, click Config and select Logs to change to the log viewer for the Log Collector.
If the events are being collected properly, logs similar to the following will be displayed:
Nov 20 16:15:41 SALOGDECODER nw[23209]: [CheckpointCollection] [info] [checkpoint.Checkpoint1] [processing] [WorkUnit] [processing] checkpoint.domain.com:10.1.1.2:Session End:Event count reached(15000)
Nov 20 16:15:41 SALOGDECODER nw[23209]: [CheckpointCollection] [info] [checkpoint.Checkpoint1] [processing] [WorkUnit] [processing] checkpoint.domain.com:10.1.1.2:Session exit reason: The session was ended by the application
Nov 20 16:15:41 SALOGDECODER nw[23209]: [CheckpointCollection] [info] [checkpoint.Checkpoint1] [processing] [WorkUnit] [processing] checkpoint.domain.com:10.1.1.2:Session completed: Total Time(00:00:05.022204) Total Events(15000)
Nov 20 16:15:41 SALOGDECODER nw[23209]: [CheckpointCollection] [info] [checkpoint.Checkpoint1] [processing] [WorkUnit] [processing] checkpoint.domain.com:10.1.1.2:Session exit reason: The session was ended by the application
Nov 20 16:15:41 SALOGDECODER nw[23209]: [CheckpointCollection] [info] [checkpoint.Checkpoint1] [processing] [WorkUnit] [processing] checkpoint.domain.com:10.1.1.2:Session completed: Total Time(00:00:05.022204) Total Events(15000)
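The same check can be run from the appliance shell. The following is an added example, not part of the original article or of RSA's tooling: it counts NO_ROUTE publish failures per exchange and routing key, sums Total Events from completed sessions, and reports FAILING when the newest relevant line is still a NO_ROUTE error. The function names, status values and exit codes are illustrative, the sample log is constructed from the lines shown above, and it assumes the debug session lines are written to the same file as the errors.

```shell
#!/bin/sh
# Added example (not RSA code). Summarises collector health from syslog text.
# Assumption: the debug "Session completed" lines land in the same file as
# the NO_ROUTE errors (e.g. /var/log/messages); otherwise export them first.

collector_health() {
    # $1 = log file; defaults to stdin ("-")
    awk '
    /An error occurred publishing to an AMQP channel: NO_ROUTE/ {
        ex = $0; sub(/.*exchange:[ ]*/, "", ex); sub(/,.*/, "", ex)
        rk = $0; sub(/.*routing key:[ ]*/, "", rk); sub(/[ \t\r]+$/, "", rk)
        noroute[ex "/" rk]++      # count failures per exchange/routing key
        last_fail = NR
    }
    /Session completed: .*Total Events\(/ {
        n = $0; sub(/.*Total Events\(/, "", n); sub(/\).*/, "", n)
        events += n; sessions++   # events delivered by finished sessions
        last_ok = NR
    }
    END {
        for (k in noroute)
            printf "NO_ROUTE exchange/key=%s count=%d\n", k, noroute[k]
        printf "sessions_completed=%d total_events=%d\n", sessions, events
        if (!last_fail && !last_ok) { print "status=NO_DATA"; exit 2 }
        # Failing when the newest relevant line is still a NO_ROUTE error
        if (last_fail > last_ok) { print "status=FAILING"; exit 1 }
        print "status=OK"
    }' "${1:--}"
}

# Constructed sample in the page's log format: errors, then a good session.
sample_log() {
    cat <<'EOF'
Nov 20 16:03:30 SALOGDECODER nw[23209]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange:checkpoint, routing key: checkpoint
Nov 20 16:03:35 SALOGDECODER nw[23209]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange:checkpoint, routing key: checkpoint
Nov 20 16:15:41 SALOGDECODER nw[23209]: [CheckpointCollection] [info] [checkpoint.Checkpoint1] [processing] [WorkUnit] [processing] checkpoint.domain.com:10.1.1.2:Session completed: Total Time(00:00:05.022204) Total Events(15000)
EOF
}

sample_log | collector_health
```

Against a live file, call collector_health /var/log/messages; an exit status of 1 means NO_ROUTE errors are still the most recent collector activity.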
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector, Security Analytics UI
RSA Version/Condition: 10.4.x
O/S Version: CentOS 6
Summary
The log decoder is unable to consume logs from the local log collector, and NO_ROUTE errors are observed.