2016-10-12 09:25 AM
Hi All,
I'm getting the below errors in Log Decoders:
Oct 10 01:52:01 DL1 NwLogCollector[11155]: [MessageBroker] [failure] error 2016-10-10T01.52.01Z Error on AMQP connection <0.14619.255>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Oct 10 01:53:27 DL1 NwLogCollector[11155]: [MessageBroker] [failure] error 2016-10-10T01.53.27Z SSL: certify: ssl_handshake.erl:1341:Fatal error: unknown ca
Could anyone help me out with what this message broker error indicates?
Regards
Pranav
2016-10-12 01:59 PM
What version are you on? Do you see anything in the configuration of the log collector to its local collector? If you hover over the indicator does it show it's up and connected?
2016-10-13 03:52 AM
Brian,
Please find my comments:
1. What version are you on? - 10.5
2. Do you see anything in the configuration of the log collector to its local collector? - Yes
3. If you hover over the indicator does it show it's up and connected? - Yeah, I can see shovel is running
2016-10-13 04:23 AM
Hello
You can get these unknown ca messages if you have a Virtual Log Collector / Remote Log Collector that is managed by another Security Analytics Server but is sending messages to your VLC.
If you look in /var/log/rabbitmq/sa@localhost.log you should be able to determine which IP is sending these messages. Once you have the IP you can then identify the device that is sending the messages.
2016-10-13 09:24 AM
Thanks Dave,
I could see some errors in /var/log/rabbitmq/sa@localhost.log:
=ERROR REPORT==== 13-Oct-2016::13:05:30 ===
SSL: certify: ssl_handshake.erl:1341:Fatal error: unknown ca
=ERROR REPORT==== 13-Oct-2016::13:05:33 ===
closing AMQP connection <0.30461.22> (IP1:44478 -> IP2:5671):
{handshake_error,starting,0,
{amqp_error,access_refused,
"EXTERNAL login refused: user 'fe635347-3d5d-44fd-b9d4-b833d95e7caa' - invalid credentials",
'connection.start_ok'}}
=ERROR REPORT==== 13-Oct-2016::13:05:35 ===
Error on AMQP connection <0.30449.22>:
{ssl_upgrade_error,{tls_alert,"unknown ca"}}
2016-10-14 04:08 AM
Okay the next step is to identify what IP1 is in the above.
The fe635347-3d5d-44fd-b9d4-b833d95e7caa is also the UUID of a VLC that is trying to login. Looks like there may have been a provisioning problem potentially.
If this device should be sending logs to this log collector, then I would recommend opening a support ticket for further investigation and so we can provide more suitable remediation steps.
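The log check described in this thread (finding the source IP and the UUID behind each refused login in /var/log/rabbitmq/sa@localhost.log), as an added example that is not part of the original posts or RSA tooling. The function names, the sample addresses (documentation ranges) and the second UUID are constructed, and the report layout is assumed to match the excerpt quoted above.

```shell
# Added example (not RSA tooling): list peers whose AMQP logins were refused.
# sample_log is constructed in the report format quoted in the thread;
# addresses are documentation ranges and the second UUID is made up.
sample_log() {
cat <<'EOF'
=ERROR REPORT==== 13-Oct-2016::13:05:30 ===
SSL: certify: ssl_handshake.erl:1341:Fatal error: unknown ca
=ERROR REPORT==== 13-Oct-2016::13:05:33 ===
closing AMQP connection <0.30461.22> (192.0.2.10:44478 -> 198.51.100.5:5671):
{handshake_error,starting,0,
{amqp_error,access_refused,
"EXTERNAL login refused: user 'fe635347-3d5d-44fd-b9d4-b833d95e7caa' - invalid credentials",
'connection.start_ok'}}
=ERROR REPORT==== 13-Oct-2016::13:05:35 ===
Error on AMQP connection <0.30449.22>:
{ssl_upgrade_error,{tls_alert,"unknown ca"}}
=ERROR REPORT==== 13-Oct-2016::13:06:03 ===
closing AMQP connection <0.30470.22> (192.0.2.10:44502 -> 198.51.100.5:5671):
{handshake_error,starting,0,
{amqp_error,access_refused,
"EXTERNAL login refused: user 'fe635347-3d5d-44fd-b9d4-b833d95e7caa' - invalid credentials",
'connection.start_ok'}}
=ERROR REPORT==== 13-Oct-2016::13:06:10 ===
closing AMQP connection <0.30475.22> (192.0.2.77:51000 -> 198.51.100.5:5671):
{handshake_error,starting,0,
{amqp_error,access_refused,
"EXTERNAL login refused: user '00000000-0000-4000-8000-000000000001' - invalid credentials",
'connection.start_ok'}}
EOF
}

# Print "count source_ip user" for each refused EXTERNAL login, busiest first.
refused_peers() {
  awk '
    /^=[A-Z]+ REPORT====/ { src = "" }            # new report: forget last peer
    /^closing AMQP connection/ && match($0, /\([^ ]+ -> /) {
      src = substr($0, RSTART + 1, RLENGTH - 5)   # "ip:port" inside "(... -> "
      sub(/:[0-9]+$/, "", src)                    # drop the source port
    }
    /EXTERNAL login refused: user/ && src != "" {
      if (split($0, q, "\047") >= 3) seen[src " " q[2]]++   # \047 is a quote
    }
    END { for (k in seen) print seen[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# Count TLS "unknown ca" alerts; those reports carry no peer address.
unknown_ca_count() { grep -c 'tls_alert,"unknown ca"' "$@" || true; }

if [ "$#" -gt 0 ]; then refused_peers "$@"; else sample_log | refused_peers; fi
```

Run it with the log path as the argument on the Log Collector; with no argument it processes the embedded sample.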
2016-10-14 04:14 AM
I've already raised a support case and the RSA Team is investigating further.
Thanks Dave for your valuable reverts.
2019-08-06 08:05 PM
I’m having the exact same issue, was there a successful outcome to this?