RSA Security Analytics Legacy Windows Collector stopped collecting events after updating it to 10.6.

Issue

After successfully updating 10.5.x Windows Legacy Collector to 10.6, it stopped collecting events.
%systemDrive%\Program Files\NwLogCollector\installlog.txt shows the install was complete.

However, the following errors are seen in %systemDrive%\Netwitness\ng\logcollector\MessageBroker.log.

 C:\Program Files\erl5.10.4\erts-5.10.4\bin\erlsrv: The service RabbitMQ is not an erlsrv controlled service.
 
C:\Program Files\erl5.10.4\erts-5.10.4\bin\erlsrv: Unable to remove service (not enough privileges?)
 
Error: The specified service has been marked for deletion.
 
C:\Program Files\erl5.10.4\erts-5.10.4\bin\erlsrv: Unable to register service with service manager.
 
Error: The specified service has been marked for deletion.
 
C:\Program Files\erl5.10.4\erts-5.10.4\bin\erlsrv: No service with the name RabbitMQ exists.
 
C:\Program Files\erl5.10.4\erts-5.10.4\bin\erlsrv: The service RabbitMQ is not an erlsrv controlled service.

The RabbitMQ service is missing from Services (services.msc).

Cause

The issue can occur when the RabbitMQ service is removed from Services during the upgrade process.

Resolution

Please follow the steps below to resolve the issue.

1. Create the RabbitMQ service manually.

 sc create RabbitMQ binpath= "\"C:\Program Files\erl5.10.4\erts-5.10.4\bin\erlsrv.exe\""

2. Reinstall the legacy collector by running SALegacyWindowsCollector-10.6. .exe . Select the Repair option when prompted.

3. (optional) Reboot the Windows system as recommended although the collector may work without a reboot.

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Windows Legacy Collector
RSA Version/Condition: 10.6.0.0
Platform: Windows
O/S Version: Windows 2008 R2 SP1 64-Bit

Approval Reviewer Queue

ASOC Approval Group