NetWitness Community

Anonymous · ‎2014-09-08

Hi all,

Im facing with VLC issue which after added in SA, it continuesly showed error- /var/log/messages

Sep 8 10:25:20 vlc-remote nw[2414]: [AMQPClientBase] [failure] An error occurred creating an AMQP channel: Error in opening SSL/TLS connection for socket

Sep 8 10:25:20 vlc-remote nw[2414]: [MessageBrokerLogReceiver] [warning] Unable to start AMQP Log Receiver: Error in opening SSL/TLS connection for socket

Sep 8 10:25:20 vlc-remote nw[2414]: [EventBroker] [failure] failure in updating statistics for: No such node (stats)

Sep 8 10:25:21 vlc-remote nw[2414]: [MessageBrokerStats] [failure] Message-Broker Statistics: failed to get statistics /api/queues

Sep 8 10:25:21 vlc-remote nw[2414]: [MessageBrokerStats] [failure] Message-Broker Statistics: failed to get statistics /api/shovels

Sep 8 10:25:21 vlc-remote nw[2414]: [MessageBrokerStats] [failure] Message-Broker Statistics: failed to get statistics /api/nodes

Sep 8 10:25:21 vlc-remote nw[2414]: [MessageBrokerStats] [failure] Message-Broker Statistics: failed to get statistics /api/connections

Sep 8 10:25:21 vlc-remote nw[2414]: [EventBroker] [failure] failure in updating statistics for: No such node (stats)

Sep 8 10:25:22 vlc-remote nw[2414]: [EventBroker] [failure] failure in updating statistics for: No such node (stats)

Sep 8 10:25:23 vlc-remote nw[2414]: [EventBroker] [failure] failure in updating statistics for: No such node (stats)

and from logcollector\@localhost.log :

=ERROR REPORT==== 8-Sep-2014::07:43:21 ===

application: mochiweb

"Accept failed error"

"{error,ekeyfile}"

=ERROR REPORT==== 8-Sep-2014::07:43:21 ===

SSL: 1112: error:[] /etc/netwitness/ng/rabbitmq/ssl/keys/privkey.pem

[{ssl_connection,init_private_key,5},

{ssl_connection,ssl_init,2},

{ssl_connection,init,1},

{gen_fsm,init_it,6},

{proc_lib,init_p_do_apply,3}]

=ERROR REPORT==== 8-Sep-2014::07:43:21 ===

application: mochiweb

"Accept failed error"

"{error,ekeyfile}"

=ERROR REPORT==== 8-Sep-2014::07:43:21 ===

{mochiweb_socket_server,297,{acceptor_error,{error,accept_failed}}}

=ERROR REPORT==== 8-Sep-2014::07:43:21 ===

{mochiweb_socket_server,297,{acceptor_error,{error,accept_failed}}}

=ERROR REPORT==== 8-Sep-2014::07:43:21 ===

{mochiweb_socket_server,297,{acceptor_error,{error,accept_failed}}}

=ERROR REPORT==== 8-Sep-2014::07:43:21 ===

error on AMQP connection <0.5490.0>: {ssl_upgrade_error,ekeyfile}

(END)

My VLC is a for lab testing. I installed using sainstall-10.2.1.1893-44-usb.iso the rpm package provided, RSA_Security_Analytics_Log_Collector_10.0.5.2.zip and upgrade version 10.3.3 SA-LC.zip.

After installed, VLC can be added in SA perfectly but it showing the error above.

I can see log that certificate added to VLC

Sep 5 15:34:44 vlc-remote nw[5573]: [EventBroker] [info] The certificate 14c0407343b3a1f71a06e19dd9cd02ce was added.

Sep 5 15:34:49 vlc-remote nw[5573]: [MessageBroker] [info] info 2014-09-05T07.34.46Z Certificate at "/etc/netwitness/ng/rabbitmq/ssl/keys/cacert.pem" will expire on 2015:07:21T07:29:15 (in 318 days, 15 hours, 54 minutes, and 29 seconds)

I tried configure pull and push but still error log generated.

1-Is there an OVA version for latest VLC? so i no need to install 10.0xx version?

2-How to generate the cert without reinstalling the package?

3-Any idea how to solve my issue ?

thank you

LeeKirkpatrick · ‎2014-09-08

You can regenerate the certificate by performing the following:

Administration --> Devices --> Select Log Collector --> Explore --> event-broker --> ssl --> (Right-Click) Properties --> (from drop down) rekey

Anonymous · ‎2014-09-08

Hi Lee,

The key regenerated, unfortunately the error log still showing up. I also try reset eventbroker but still the same.

I doubt if this due to installation.

Sep 8 19:21:46 vlc-remote init: rabbitmq main process (1896) killed by TERM signal

Sep 8 19:21:46 vlc-remote nw[1102]: [Engine] [info] Child process 2824 sent signal code: exited, child exit code: 0

Sep 8 19:21:46 vlc-remote nw[1102]: [Engine] [info] Child process 2825 sent signal code: exited, child exit code: 0

Sep 8 19:21:46 vlc-remote nw[1102]: [EventBroker] [info] Regenerated the private key and certificate for the event broker.

Anonymous · ‎2014-09-10

This issue resolved. My colleague help me by installing the nw-erlang and stop / start the rabbitmq and nwlogcollector.

xavierferrier · ‎2014-10-14

We had the same issue. We solved it by removing and "re-adding" the VLC. This :

- flushed its AMQP channel / queue and allowed the collection to start

- initiates a handshake between the server and the VLC which exchanging credentials and SSL certificates

Anonymous · ‎2015-02-03

Hello Atreide

Hope you are doing well.

I am facing an challenge while adding the log collectors ip address in the VLC>Config>Log Collectors tab.

So for this reason I am unable to achieve the AIO for logs failover.

My motive is if my first Log decoder ( on AIO1) went down then automatically the VLC start pushing the logs to the second AIO ( which is on AIO 2). But I am not able to achieve the same. Kindly suggest if you have any idea about the same.

and as a part of troubleshooting the logs i find the below logs which menor has also shared.