2017-09-22 04:12 AM
Hi Team,
There are a few Windows servers which have suddenly stopped reporting to the SIEM. However, I am able to see logs from these servers on PuTTY (tail -f /var/log/messages | grep hostname) and in the Historical tab (Administration/LogCollector/Logs/Historical).
I have restarted all hybrid services (collector, decoder, concentrator). Please assist us in resolving this issue.
2017-09-26 10:37 AM
Hi Atul,
Please check if there are any stale queues in the collector using the command below:
rabbitmqctl list_queues -p logcollection consumers name messages
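As an added example (not part of this reply or of RSA's own tooling), a small POSIX shell check that reads output in the format of the rabbitmqctl command above and reports every queue with zero consumers, i.e. the stale-queue condition the thread describes. The sample output and queue names are constructed for illustration; whitespace-separated columns are assumed.

```shell
#!/bin/sh
# Constructed sample in the shape printed by
#   rabbitmqctl list_queues -p logcollection consumers name messages
# Columns: consumers, queue name, messages. Names and counts are made up.
SAMPLE_QUEUES='Listing queues ...
1 logdecoder.srv01 0
0 logdecoder.srv02 48213
0 logdecoder.srv03 0
2 logdecoder.srv04 117
...done.'

# Print "<queue> <messages>" for every queue that has no consumer.
# A non-zero message count on such a queue is a backlog nobody will drain.
find_stale_queues() {
    # $1: text in rabbitmqctl list_queues format
    printf '%s\n' "$1" | awk '
        # skip the header and footer lines rabbitmqctl prints
        /^Listing queues/ || /^\.\.\.done/ { next }
        NF >= 3 && $1 == 0 { printf "%s %d\n", $2, $3 }
    '
}

# Number of stale queues, usable as an exit code or a monitoring metric.
count_stale_queues() {
    find_stale_queues "$1" | wc -l | tr -d ' '
}

# Live use: pass the real command output instead of the sample, e.g.
#   find_stale_queues "$(rabbitmqctl list_queues -p logcollection consumers name messages)"
find_stale_queues "$SAMPLE_QUEUES"
```

On the constructed sample this reports logdecoder.srv02 (with a 48213-message backlog) and logdecoder.srv03.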
2017-09-27 04:31 AM
Hi Sravan,
I have run this command on the collector. PFB the output.
/usr/lib/rabbitmq/bin/rabbitmqctl: line 29: exec: erl: not found
Moreover, we are running version 10.2.
Is there any other way to find stale queues?
Please suggest troubleshooting steps to resolve this issue.
2017-09-27 06:12 AM
Hi Vivek,
Thanks for the output. It looks like you are using a very old version of SA. Please check using the GUI with the steps below.
1. In Security Analytics UI, Navigate to Administration -> Devices, select the VLC/Collector device, and click on View -> Explore.
2. Expand event-broker -> Stats -> Queues.
3. Click on each of the queues listed in the error message (See the note below).
4. Check and ensure that "active consumer" is zero (0).
If active consumer = 0, that is a stale queue. Then you will have two options:
- Draining the backlog messages and re-injecting them (please contact support for detailed instructions; this process may not work as expected if your SA version is < 10.4).
- Deleting the stale queues: https://community.rsa.com/docs/DOC-47125 (this process deals with purging the backlog messages).