000037758 - Rabbitmq Shovel Error Status Code 401 not_authorized Login Failed in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Sep 12, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037758
Applies ToRSA Product Set: RSA Netwitness Log & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 11.x
Platform: CentOS 7 
Platform (Other): RabbitMQ
IssueWhen trying to add a Local Collector under the VLC config view, sometimes you might face this error : 
failed to add destination for "LC": "HttpOps: Response returned with status code: 401 Response: {"error":"not_authorised","reason":"Login failed"}"

Another error can be observed under /var/log/messages : 
Jul 24 08:37:43 VLC NwLogCollector[706]: [MessageBrokerLogReceiver] [warning] Unable to start AMQP Log Receiver, Error in constructing AMQPReceiver: connection error: 403: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.

This issue could happen due to having a missing/misconfigured user in the rabbitmq service.

By default, when you list the rabbitmq users on a VLC you should find the below users:

User-added image
Some of the causes of this error might be due to having the "logcollector" user missing or misconfigured with the wrong tags or permissions.


    To fix it, try the below steps:

    1. First, create the user named "logcollector" with the default password "netwitness" using this command : rabbitmqctl add_user logcollector netwitness.
    2. Afterwards, if you tail /var/log/messages, you might be faced with this error : User-added image
    3. We need to set the correct permissions for the "logcollector" user on the "logcollection" vhost to fix this. 
    4. Set the appropriate tag on the user "logcollector" (administrator) using : rabbitmqctl set_user_tags logcollector administrator
    5. Then to set the permissions use : rabbitmqctl set_permissions -p logcollection logcollector ".*" ".*" ".*"   this sets the permissions for the user "logcollector" on the vhost "logcollection" to config, read and write.
    6. Sometimes you may be faced with another error that might appear as the following after performing all the steps aboveUser-added image
    7. To fix this, take a backup of the shovel_config file : cp /etc/rabbitmq/shovel_config /etc/rabbitmq/shovel_config_old and then remove it  rm -rf /etc/rabbitmq/shovel_config. 
    8. Restart the rabbitmq service : systemctl restart rabbitmq-server
    NotesThe default password for the "logcollector" user should be "netwitness". Otherwise, you may be faced with the same error.