
Unable to configure a Virtual Log Collector (VLC) to push logs to a Local Collector on NetWitness

Issue

When configuring a Virtual Log Collector to push logs to a Local Collector, the UI throws the error "Shovel Failed" and the added Local Collector shows a red status.

The /var/log/messages file on the Virtual Log Collector displays the following errors:
Jan 19 17:01:18 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-19T17.01.18Z closing AMQP connection <0.7502.0> (127.0.0.1:51240 -> 127.0.0.1:5671):{handshake_error,opening,0, {amqp_error,access_refused, "access to vhost 'logcollection' refused for user '669e89b0-64db-4b4f-93d3-da7b62f20fed'", 'connection.open'}}
Jan 19 17:01:18 vlc nw[8407]: [MessageBroker] [warning] warning 2015-01-19T17.01.18Z Shovel failed to connect to Host: "127.0.0.1" Port: 5671 VirtualHost: <<"logcollection">>: error:{badmatch, {error, access_refused}}

Jan 19 17:01:18 vlc nw[8407]: [MessageBroker] [warning] warning 2015-01-19T17.01.18Z Shovel failed to connect to Host: "127.0.0.1" Port: undefined VirtualHost: <<"logcollection">>: error:{badmatch, {error, {tls_alert, "unknown ca"}}}

Jan 20 10:03:28 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.28Z nw_shovel_worker:init failed: no_endpoints! Retrying in 30 seconds.
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8620.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8645.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8653.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8649.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8657.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8661.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8665.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8669.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8673.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}


Further investigation shows that this problem occurs if the Local Collector service has been configured to use the loopback interface address (127.0.0.1) instead of the local physical IP address (e.g. 192.168.1.100) in the SA UI appliance view.



Resolution

The workaround is to configure all the AIO services (including the Log Collector), except for the Reporting Engine, to use the physical IP address instead of the loopback IP.
(For more information, refer to the related page in the Change Host Network Configuration.)






Notes

A similar issue may occur on a Windows Legacy Collector.
For more information, refer to the knowledgebase article "Unable to receive logs when configuring a Windows Legacy Collector to push logs to a Local Collector on a All-In-One appliance".

Internal Comments

Marco Meli -- 1/20/2015
Should have probably created this as a "Break Fix" instead of "How To". I was not able to correct this. Is it possible to do it?
I was unable to link the KB to the article 000029448. The article cannot be found. 

Jeff Shurtliff -- 1/28/2015
Unfortunately once the article type is selected it cannot be changed. But I was able to link the article for you. It was probably not yet published when you tried to link it.

Product Details

RSA Product Set: NetWitness Platform
SA Product/Service Type: Log Collector, Virtual Log Collector (VLC) 
RSA Version/Condition: 10.x, 11.x, 12.x
Platform: CentOS, AlmaLinux
O/S Version: EL6

Approval Reviewer Queue

Technical approval queue