RSA NetWitness Health & Wellness status alarm "LogCollector Event Processor Exchange Bindings Status" will not clear

Article Number

000035524

Applies To

RSA Product Set: NetWitness Platform, Security Analytics
RSA Product/Service Type: User Interface, Security Analytics Server, Log Collector
RSA Version/Condition: 10.6.x, 11.x
 

Issue

In the NetWitness UI, under Admin > Health & Wellness on the Alarms tab, there is an alarm for LogCollector Event Processor Exchange Bindings Status with a Value of "Unbounded Exchanges: netflow, windowslegacy" that will not clear.

Task

This Health & Wellness alarm in the NetWitness UI indicates that the VLC rabbitmq-server has the exchanges netflow and windowslegacy created, but no bindings to a matching queue were found for them.

Possible causes include, but are not limited to, the VLC being mistakenly tagged as a Local Collector (LC) instead of a Remote Collector (RC), or the rabbitmq queue having been removed while the exchange was not.

To clear this alarm, you need to delete the netflow and windowslegacy exchanges from the VLC rabbitmq-server.

One method is to delete the existing exchange through the VLC rabbitmq-server web interface.

Please refer to the article entitled How to access the RabbitMQ Web UI on RSA Security Analytics appliances for how to access the rabbitmq-server web interface.

If you are unable to access the VLC rabbitmq-server web interface, this article provides a method to run the command directly on the VLC to delete the exchange without requiring access to the rabbitmq-server web interface.

Resolution

Perform the steps below to delete the netflow and windowslegacy exchanges from the VLC using the rabbitmqadmin.py script.
  1. Connect to the VLC via SSH and navigate to the directory /opt/netwitness/bin.
    
    [root@VLC ~]# cd /opt/netwitness/bin
  2. Verify that the netflow and windowslegacy exchanges exist on the VLC using the rabbitmqadmin.py script.
    
    Sample output:
    [root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` list exchanges
    +---------------+--------------------+---------+-------------+---------+----------+
    |     vhost     |        name        |  type   | auto_delete | durable | internal |
    +---------------+--------------------+---------+-------------+---------+----------+
    | logcollection |                    | direct  | False       | True    | False    |
    | logcollection | amq.direct         | direct  | False       | True    | False    |
    | logcollection | amq.fanout         | fanout  | False       | True    | False    |
    | logcollection | amq.headers        | headers | False       | True    | False    |
    | logcollection | amq.match          | headers | False       | True    | False    |
    | logcollection | amq.rabbitmq.trace | topic   | False       | True    | True     |
    | logcollection | amq.topic          | topic   | False       | True    | False    |
    | logcollection | checkpoint         | direct  | False       | True    | False    |
    | logcollection | cmdscript          | direct  | False       | True    | False    |
    | logcollection | file               | direct  | False       | True    | False    |
    | logcollection | netflow            | direct  | False       | True    | False    |
    | logcollection | odbc               | direct  | False       | True    | False    |
    | logcollection | rabbitmq.log       | direct  | False       | True    | False    |
    | logcollection | sdee               | direct  | False       | True    | False    |
    | logcollection | snmptrap           | direct  | False       | True    | False    |
    | logcollection | syslog             | direct  | False       | True    | False    |
    | logcollection | vmware             | direct  | False       | True    | False    |
    | logcollection | windows            | direct  | False       | True    | False    |
    | logcollection | windowslegacy      | direct  | False       | True    | False    |
    +---------------+--------------------+---------+-------------+---------+----------+
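  3. Remove the netflow and windowslegacy exchanges. In the sample output below, each delete command prints a Python hashlib traceback and then "exchange deleted", the line that reports the deletion.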
    
    [root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=netflow
    ERROR:root:code for hash md5 was not found.
    Traceback (most recent call last):
      File "/usr/lib64/python2.7/hashlib.py", line 129, in <module>
        globals()[__func_name] = __get_hash(__func_name)
      File "/usr/lib64/python2.7/hashlib.py", line 98, in __get_openssl_constructor
        f(usedforsecurity=False)
    ValueError: error:3207A06D:lib(50):B_HASH_init:cr new
    exchange deleted
    [root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=windowslegacy
    ERROR:root:code for hash md5 was not found.
    Traceback (most recent call last):
      File "/usr/lib64/python2.7/hashlib.py", line 129, in <module>
        globals()[__func_name] = __get_hash(__func_name)
      File "/usr/lib64/python2.7/hashlib.py", line 98, in __get_openssl_constructor
        f(usedforsecurity=False)
    ValueError: error:3207A06D:lib(50):B_HASH_init:cr new
    exchange deleted
    
  4. Run the list exchanges command again to verify that the netflow and windowslegacy exchanges are no longer listed.
    
    [root@VLC ~]# ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` list exchanges
    +---------------+--------------------+---------+-------------+---------+----------+
    |     vhost     |        name        |  type   | auto_delete | durable | internal |
    +---------------+--------------------+---------+-------------+---------+----------+
    | logcollection |                    | direct  | False       | True    | False    |
    | logcollection | amq.direct         | direct  | False       | True    | False    |
    | logcollection | amq.fanout         | fanout  | False       | True    | False    |
    | logcollection | amq.headers        | headers | False       | True    | False    |
    | logcollection | amq.match          | headers | False       | True    | False    |
    | logcollection | amq.rabbitmq.trace | topic   | False       | True    | True     |
    | logcollection | amq.topic          | topic   | False       | True    | False    |
    | logcollection | checkpoint         | direct  | False       | True    | False    |
    | logcollection | cmdscript          | direct  | False       | True    | False    |
    | logcollection | file               | direct  | False       | True    | False    |
    | logcollection | odbc               | direct  | False       | True    | False    |
    | logcollection | rabbitmq.log       | direct  | False       | True    | False    |
    | logcollection | sdee               | direct  | False       | True    | False    |
    | logcollection | snmptrap           | direct  | False       | True    | False    |
    | logcollection | syslog             | direct  | False       | True    | False    |
    | logcollection | vmware             | direct  | False       | True    | False    |
    | logcollection | windows            | direct  | False       | True    | False    |
    +---------------+--------------------+---------+-------------+---------+----------+
    
  5. Confirm after 15 minutes that the alarm for LogCollector Event Processor Exchange Bindings Status under Admin > Health & Wellness in the NetWitness UI shows "CLEARED".

Notes

  • Make sure this Health & Wellness alarm is from a VLC.
  • This method can also apply to other collection exchanges that do not have any bindings. Simply change the exchange name in the delete command.
     
    For example, to delete the syslog exchange you would issue the command below.
    
    ./rabbitmqadmin.py -s -P 15671 -V logcollection -H `grep id /etc/salt/minion |awk '{print $2}'` delete exchange name=syslog
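
The precondition in the Notes, that the exchange has no bindings, can be checked before any delete command is run. The following is an added example, not part of the original article: it assumes the output of list exchanges and of list bindings (the same rabbitmqadmin.py options, with list bindings as the subcommand) has been saved to two files; the function names and the sample tables are constructed for illustration.

```bash
# Print the values of column "$1" from a rabbitmqadmin ASCII table on stdin.
# Non-table lines (such as the Python traceback seen in step 3) are ignored.
table_column() {
  awk -F'|' -v col="$1" '
    /^ *\|/ {
      if (!seen++) {                    # first "|" row is the header
        for (i = 2; i < NF; i++) { h = $i; gsub(/^ +| +$/, "", h); if (h == col) idx = i }
        if (!idx) exit 2                # requested column is not in the table
        next
      }
      v = $idx; gsub(/^ +| +$/, "", v); print v
    }'
}

# $1 = saved "list exchanges" output, $2 = saved "list bindings" output.
# Prints exchanges that are never a binding source, skipping the built-in
# unnamed default exchange and the amq.* exchanges.
unbound_exchanges() {
  { table_column source < "$2" | sed 's/^/B /'
    table_column name   < "$1" | sed 's/^/E /'; } |
  awk '{ k = substr($0, 3) }
       /^B / { bound[k] = 1; next }
       k != "" && k !~ /^amq\./ && !(k in bound) { print k }' | sort -u
}

# Constructed sample input (shortened tables, not captured from a real VLC).
sample_exchanges() { cat <<'EOF'
ERROR:root:code for hash md5 was not found.
+---------------+---------------+--------+-------------+---------+----------+
|     vhost     |     name      |  type  | auto_delete | durable | internal |
+---------------+---------------+--------+-------------+---------+----------+
| logcollection |               | direct | False       | True    | False    |
| logcollection | amq.direct    | direct | False       | True    | False    |
| logcollection | netflow       | direct | False       | True    | False    |
| logcollection | syslog        | direct | False       | True    | False    |
| logcollection | windowslegacy | direct | False       | True    | False    |
+---------------+---------------+--------+-------------+---------+----------+
EOF
}
sample_bindings() { cat <<'EOF'
+---------------+--------+-------------+------------------+-------------+
|     vhost     | source | destination | destination_type | routing_key |
+---------------+--------+-------------+------------------+-------------+
| logcollection |        | syslog      | queue            | syslog      |
| logcollection | syslog | syslog      | queue            | syslog      |
+---------------+--------+-------------+------------------+-------------+
EOF
}
```

With the constructed tables, unbound_exchanges reports netflow and windowslegacy and leaves out syslog, which still has a queue bound to it and should not be deleted.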
Version history
Last update: 2021-08-20 10:10 AM
Updated by: Administrator RSA-KB-Sync Administrator
