Article Number
000035524
Applies To
RSA Product Set: NetWitness Platform, Security Analytics
RSA Product/Service Type: User Interface, Security Analytics Server, Log Collector
RSA Version/Condition: 10.6.x, 11.x
Issue
In the NetWitness UI, under Admin > Health & Wellness, on the Alarms tab, there is an alarm for LogCollector Event Processor Exchange Bindings Status with a Value of "Unbounded Exchanges: netflow, windowslegacy" which will not clear.
Task
This NetWitness UI Health & Wellness alarm indicates that the VLC rabbitmq-server has the exchanges netflow and windowslegacy created, but no bindings to a matching queue were found.
Possible causes include, but are not limited to, the VLC being mistakenly tagged as a Local Collector (LC) instead of a Remote Collector (RC), or the rabbitmq queue having been removed without the exchange being removed.
To clear this alarm, you need to delete the netflow and windowslegacy exchanges from the VLC rabbitmq-server.
One method is to access the VLC rabbitmq-server web interface and delete the existing exchange there.
Please refer to the article entitled How to access the RabbitMQ Web UI on RSA Security Analytics appliances for how to access the rabbitmq-server web interface.
If you are unable to access the VLC rabbitmq-server web interface, this article provides a method to run the command directly on the VLC to delete the exchange without requiring access to the rabbitmq-server web interface.
Resolution
Perform the steps below to delete the netflow and windowslegacy exchanges from the VLC using the rabbitmqadmin.py script.
- Connect to the VLC via SSH and navigate to the directory /opt/netwitness/bin.
[root@VLC ~]# cd /opt/netwitness/bin
- Verify that the netflow and windowslegacy exchanges exist on the VLC using the rabbitmqadmin.py script.
Sample output:
[root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` list exchanges
+---------------+--------------------+---------+-------------+---------+----------+
| vhost         | name               | type    | auto_delete | durable | internal |
+---------------+--------------------+---------+-------------+---------+----------+
| logcollection |                    | direct  | False       | True    | False    |
| logcollection | amq.direct         | direct  | False       | True    | False    |
| logcollection | amq.fanout         | fanout  | False       | True    | False    |
| logcollection | amq.headers        | headers | False       | True    | False    |
| logcollection | amq.match          | headers | False       | True    | False    |
| logcollection | amq.rabbitmq.trace | topic   | False       | True    | True     |
| logcollection | amq.topic          | topic   | False       | True    | False    |
| logcollection | checkpoint         | direct  | False       | True    | False    |
| logcollection | cmdscript          | direct  | False       | True    | False    |
| logcollection | file               | direct  | False       | True    | False    |
| logcollection | netflow            | direct  | False       | True    | False    |
| logcollection | odbc               | direct  | False       | True    | False    |
| logcollection | rabbitmq.log       | direct  | False       | True    | False    |
| logcollection | sdee               | direct  | False       | True    | False    |
| logcollection | snmptrap           | direct  | False       | True    | False    |
| logcollection | syslog             | direct  | False       | True    | False    |
| logcollection | vmware             | direct  | False       | True    | False    |
| logcollection | windows            | direct  | False       | True    | False    |
| logcollection | windowslegacy      | direct  | False       | True    | False    |
+---------------+--------------------+---------+-------------+---------+----------+
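- Remove the netflow and windowslegacy exchanges. In the sample output below, the hashlib md5 traceback is printed before the result; the final line, exchange deleted, confirms that the deletion succeeded.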
[root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=netflow
ERROR:root:code for hash md5 was not found.
Traceback (most recent call last):
File "/usr/lib64/python2.7/hashlib.py", line 129, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/usr/lib64/python2.7/hashlib.py", line 98, in __get_openssl_constructor
f(usedforsecurity=False)
ValueError: error:3207A06D:lib(50):B_HASH_init:cr new
exchange deleted
[root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=windowslegacy
ERROR:root:code for hash md5 was not found.
Traceback (most recent call last):
File "/usr/lib64/python2.7/hashlib.py", line 129, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/usr/lib64/python2.7/hashlib.py", line 98, in __get_openssl_constructor
f(usedforsecurity=False)
ValueError: error:3207A06D:lib(50):B_HASH_init:cr new
exchange deleted
- Run the list exchanges command again to verify that the netflow and windowslegacy exchanges are no longer listed.
[root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` list exchanges
+---------------+--------------------+---------+-------------+---------+----------+
| vhost         | name               | type    | auto_delete | durable | internal |
+---------------+--------------------+---------+-------------+---------+----------+
| logcollection |                    | direct  | False       | True    | False    |
| logcollection | amq.direct         | direct  | False       | True    | False    |
| logcollection | amq.fanout         | fanout  | False       | True    | False    |
| logcollection | amq.headers        | headers | False       | True    | False    |
| logcollection | amq.match          | headers | False       | True    | False    |
| logcollection | amq.rabbitmq.trace | topic   | False       | True    | True     |
| logcollection | amq.topic          | topic   | False       | True    | False    |
| logcollection | checkpoint         | direct  | False       | True    | False    |
| logcollection | cmdscript          | direct  | False       | True    | False    |
| logcollection | file               | direct  | False       | True    | False    |
| logcollection | odbc               | direct  | False       | True    | False    |
| logcollection | rabbitmq.log       | direct  | False       | True    | False    |
| logcollection | sdee               | direct  | False       | True    | False    |
| logcollection | snmptrap           | direct  | False       | True    | False    |
| logcollection | syslog             | direct  | False       | True    | False    |
| logcollection | vmware             | direct  | False       | True    | False    |
| logcollection | windows            | direct  | False       | True    | False    |
+---------------+--------------------+---------+-------------+---------+----------+
- Confirm after 15 minutes that the NetWitness UI, Admin > Health & Wellness alarm for LogCollector Event Processor Exchange Bindings Status has "CLEARED".
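A pre-deletion check for the procedure above, as an added example that is not part of the original article or RSA's tooling: it confirms that each exchange named in the alarm exists and is not the source of any binding before you run delete exchange. The helper name safe_to_delete is hypothetical, the sample listings are constructed, and the TSV layout (a header row, then one row per object, as requested with rabbitmqadmin's -f tsv option and a column list) is an assumption to verify on your VLC.

```shell
#!/usr/bin/env bash
# Added example (not RSA code): pre-deletion check for exchanges named in the alarm.
# Assumption: both inputs are rabbitmqadmin TSV listings (header row first), e.g.
#   ex=$(./rabbitmqadmin.py <connection options from the article> -f tsv list exchanges name)
#   bi=$(./rabbitmqadmin.py <connection options from the article> -f tsv list bindings source destination)
#   safe_to_delete "$ex" "$bi" netflow windowslegacy

# safe_to_delete EXCHANGES_TSV BINDINGS_TSV NAME...   (hypothetical helper)
# Prints each NAME that exists as an exchange and is the source of no binding.
# Returns 1 if any NAME is missing or still bound, so a caller can stop early.
safe_to_delete() {
    local exchanges="$1" bindings="$2" name rc=0
    shift 2
    for name in "$@"; do
        # tail -n +2 drops the header row; grep -Fx matches the whole name literally,
        # so "windows" never matches "windowslegacy".
        if ! printf '%s\n' "$exchanges" | tail -n +2 | grep -Fxq -- "$name"; then
            echo "SKIP $name: exchange not found" >&2
            rc=1
        elif printf '%s\n' "$bindings" | tail -n +2 | cut -f1 | grep -Fxq -- "$name"; then
            echo "SKIP $name: still bound to a queue" >&2
            rc=1
        else
            echo "$name"
        fi
    done
    return "$rc"
}

# Constructed sample listings (not captured from a real VLC).
SAMPLE_EXCHANGES=$(printf 'name\n\namq.direct\nnetflow\nsyslog\nwindows\nwindowslegacy')
SAMPLE_BINDINGS=$(printf 'source\tdestination\n\tsyslog\nsyslog\tsyslog\nwindows\twindows')

# netflow and windowslegacy have no bindings; syslog is bound and is refused.
safe_to_delete "$SAMPLE_EXCHANGES" "$SAMPLE_BINDINGS" netflow windowslegacy syslog || true
```

Only names printed on standard output should be passed to delete exchange; a non-zero return means at least one requested exchange was missing or still carries bindings and needs a closer look first.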
Notes