Article Number
000035524
Applies To
RSA Product Set: NetWitness Platform, Security Analytics
RSA Product/Service Type: User Interface, Security Analytics Server, Log Collector
RSA Version/Condition: 10.6.x, 11.x
RSA Product/Service Type: User Interface, Security Analytics Server, Log Collector
RSA Version/Condition: 10.6.x, 11.x
Issue
In the NetWitness UI, Admin > Health & Wellness, Alarms tab
There is an alarm for LogCollector Event Processor Exchange Bindings Status with a Value of "Unbounded Exchanges: netflow, windowslegacy" which will not clear.
There is an alarm for LogCollector Event Processor Exchange Bindings Status with a Value of "Unbounded Exchanges: netflow, windowslegacy" which will not clear.
Task
This NetWitness UI, Health & Wellness alarm indicates that the VLC rabbitmq-server has exchanges netflow and windowslegacy created but no bindings were found to a matching queue.
Possible cause could be, but not limited to, the VLC being mistakenly tagged as a Local Collector (LC) instead of a Remote Collector (RC), or the rabbitmq queue was removed but the exchange didn't get removed.
To clear this alarm, you need to delete the netflow and windowslegacy exchanges from the VLC rabbitmq-server.
One method is to access VLC rabbitmq-server web interface to delete an existing exchange.
Please refer to the article entitled How to access the RabbitMQ Web UI on RSA Security Analytics appliances for how to access the rabbitmq-server web interface.
If you are unable to access the VLC rabbitmq-server web interface, this article provides a method to run the command directly on the VLC to delete the exchange without requiring access to the rabbitmq-server web interface.
Possible cause could be, but not limited to, the VLC being mistakenly tagged as a Local Collector (LC) instead of a Remote Collector (RC), or the rabbitmq queue was removed but the exchange didn't get removed.
To clear this alarm, you need to delete the netflow and windowslegacy exchanges from the VLC rabbitmq-server.
One method is to access VLC rabbitmq-server web interface to delete an existing exchange.
Please refer to the article entitled How to access the RabbitMQ Web UI on RSA Security Analytics appliances for how to access the rabbitmq-server web interface.
If you are unable to access the VLC rabbitmq-server web interface, this article provides a method to run the command directly on the VLC to delete the exchange without requiring access to the rabbitmq-server web interface.
Resolution
Perform below steps to delete the netflow and windowslegacy exchanges from the VLC using the rabbitmqadmin.py script.
- Connect to the VLC via SSH and navigate to the directory, /opt/netwitness/bin
[root@VLC ~]# cd /opt/netwitness/bin - Verify that the netflow and windowslegacy exchanges exist on the VLC using the rabbitmqadmin.py script.
Sample output: [root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` list exchanges +---------------+--------------------+---------+-------------+---------+----------+ | vhost | name | type | auto_delete | durable | internal | +---------------+--------------------+---------+-------------+---------+----------+ | logcollection | | direct | False | True | False | | logcollection | amq.direct | direct | False | True | False | | logcollection | amq.fanout | fanout | False | True | False | | logcollection | amq.headers | headers | False | True | False | | logcollection | amq.match | headers | False | True | False | | logcollection | amq.rabbitmq.trace | topic | False | True | True | | logcollection | amq.topic | topic | False | True | False | | logcollection | checkpoint | direct | False | True | False | | logcollection | cmdscript | direct | False | True | False | | logcollection | file | direct | False | True | False | | logcollection | netflow | direct | False | True | False | | logcollection | odbc | direct | False | True | False | | logcollection | rabbitmq.log | direct | False | True | False | | logcollection | sdee | direct | False | True | False | | logcollection | snmptrap | direct | False | True | False | | logcollection | syslog | direct | False | True | False | | logcollection | vmware | direct | False | True | False | | logcollection | windows | direct | False | True | False | | logcollection | windowslegacy | direct | False | True | False | +---------------+--------------------+---------+-------------+---------+----------+ - Remove the netflow and windowslegacy exchanges.
[root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=netflow ERROR:root:code for hash md5 was not found. Traceback (most recent call last): File "/usr/lib64/python2.7/hashlib.py", line 129, in <module> globals()[__func_name] = __get_hash(__func_name) File "/usr/lib64/python2.7/hashlib.py", line 98, in __get_openssl_constructor f(usedforsecurity=False) ValueError: error:3207A06D:lib(50):B_HASH_init:cr new exchange deleted [root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=windowslegacy ERROR:root:code for hash md5 was not found. Traceback (most recent call last): File "/usr/lib64/python2.7/hashlib.py", line 129, in <module> globals()[__func_name] = __get_hash(__func_name) File "/usr/lib64/python2.7/hashlib.py", line 98, in __get_openssl_constructor f(usedforsecurity=False) ValueError: error:3207A06D:lib(50):B_HASH_init:cr new exchange deleted - Run the list exchanges command again to verify that no additional netflow and windowslegacy exchange entries are found.
[root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` list exchanges +---------------+--------------------+---------+-------------+---------+----------+ | vhost | name | type | auto_delete | durable | internal | +---------------+--------------------+---------+-------------+---------+----------+ | logcollection | | direct | False | True | False | | logcollection | amq.direct | direct | False | True | False | | logcollection | amq.fanout | fanout | False | True | False | | logcollection | amq.headers | headers | False | True | False | | logcollection | amq.match | headers | False | True | False | | logcollection | amq.rabbitmq.trace | topic | False | True | True | | logcollection | amq.topic | topic | False | True | False | | logcollection | checkpoint | direct | False | True | False | | logcollection | cmdscript | direct | False | True | False | | logcollection | file | direct | False | True | False | | logcollection | odbc | direct | False | True | False | | logcollection | rabbitmq.log | direct | False | True | False | | logcollection | sdee | direct | False | True | False | | logcollection | snmptrap | direct | False | True | False | | logcollection | syslog | direct | False | True | False | | logcollection | vmware | direct | False | True | False | | logcollection | windows | direct | False | True | False | +---------------+--------------------+---------+-------------+---------+----------+ - Confirm after 15 minutes that the NetWitness UI, Admin > Health & Wellness alarm for LogCollector Event Processor Exchange Bindings Status has "CLEARED".
Image description
Notes
- Make sure this Health & Wellness alarm is from a VLC.
- This method can also apply to other collection exchanges that do not have any bindings. Simply change the exchange name in the delete command.
For example, to delete the syslog exchange you would issue the command below../rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=syslog
In this article
