000029444 - Unable to configure a Virtual Log Collector (VLC) to push logs to a Local Collector on an RSA Security Analytics All-In-One appliance

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4

Article Content

Article Number: 000029444
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector, Virtual Log Collector (VLC)
RSA Version/Condition: 10.4.x

Issue

When configuring a Virtual Log Collector to push logs to a Local Collector, the error "Shovel Failed" is thrown in the UI and the added Local Collector is shown in a red status.

The /var/log/messages file on the Virtual Log Collector displays the following errors:
Jan 19 17:01:18 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-19T17.01.18Z closing AMQP connection <0.7502.0> (127.0.0.1:51240 -> 127.0.0.1:5671):{handshake_error,opening,0,                 {amqp_error,access_refused,                             "access to vhost 'logcollection' refused for user '669e89b0-64db-4b4f-93d3-da7b62f20fed'",                             'connection.open'}}
Jan 19 17:01:18 vlc nw[8407]: [MessageBroker] [warning] warning 2015-01-19T17.01.18Z Shovel failed to connect to Host: "127.0.0.1" Port: 5671 VirtualHost: <<"logcollection">>: error:{badmatch,                                                                                                  {error,                                                                                                   access_refused}}
Jan 19 17:01:18 vlc nw[8407]: [MessageBroker] [warning] warning 2015-01-19T17.01.18Z Shovel failed to connect to Host: "127.0.0.1" Port: undefined VirtualHost: <<"logcollection">>: error:{badmatch,                                                                                                       {error,                                                                                                        {tls_alert,                                                                                                         "unknown ca"}}}
Jan 20 10:03:28 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.28Z nw_shovel_worker:init failed: no_endpoints! Retrying in 30 seconds.
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8620.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8645.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8653.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8649.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8657.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8661.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8665.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8669.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8673.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}


Further investigation shows that this problem occurs if the Local Collector service has been configured to use the loopback interface address (127.0.0.1) instead of the local physical IP address (e.g. 192.168.1.100) in the SA UI appliance view.
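
The following triage script is an added example, not part of the RSA article or any RSA tooling. It scans a copy of the VLC's /var/log/messages for the MessageBroker errors quoted above and reports whether shovel failures target a loopback address. The function name `triage`, the result keys and the "matches" heuristic are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: condensed from the /var/log/messages excerpts in this
# article, plus one non-loopback failure and one unrelated line for contrast.
SAMPLE_LOG = """\
Jan 19 17:01:18 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-19T17.01.18Z closing AMQP connection <0.7502.0> (127.0.0.1:51240 -> 127.0.0.1:5671):{handshake_error,opening,0, {amqp_error,access_refused, "access to vhost 'logcollection' refused for user '669e89b0-64db-4b4f-93d3-da7b62f20fed'", 'connection.open'}}
Jan 19 17:01:18 vlc nw[8407]: [MessageBroker] [warning] warning 2015-01-19T17.01.18Z Shovel failed to connect to Host: "127.0.0.1" Port: 5671 VirtualHost: <<"logcollection">>: error:{badmatch, {error, access_refused}}
Jan 19 17:01:18 vlc nw[8407]: [MessageBroker] [warning] warning 2015-01-19T17.01.18Z Shovel failed to connect to Host: "127.0.0.1" Port: undefined VirtualHost: <<"logcollection">>: error:{badmatch, {error, {tls_alert, "unknown ca"}}}
Jan 20 10:03:28 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.28Z nw_shovel_worker:init failed: no_endpoints! Retrying in 30 seconds.
Jan 20 10:03:33 vlc nw[8407]: [MessageBroker] [failure] error 2015-01-20T10.03.33Z error on AMQP connection <0.8620.26>:{ssl_upgrade_error,{tls_alert,"unknown ca"}}
Jan 20 10:05:00 vlc nw[8407]: [MessageBroker] [warning] warning 2015-01-20T10.05.00Z Shovel failed to connect to Host: "192.168.1.100" Port: 5671 VirtualHost: <<"logcollection">>: error:{badmatch, {error, econnrefused}}
Jan 20 10:06:00 vlc crond[912]: (root) CMD (run-parts /etc/cron.hourly)
"""

SHOVEL = re.compile(r'Shovel failed to connect to Host: "([^"]+)"')
VHOST = re.compile(r"access to vhost '([^']+)' refused for user '([^']+)'")
UNKNOWN_CA = re.compile(r'tls_alert,\s*"unknown ca"')

def triage(log_text):
    """Summarise MessageBroker shovel errors (hypothetical helper)."""
    counts, loopback, refused = Counter(), set(), set()
    for line in log_text.splitlines():
        if "[MessageBroker]" not in line:
            continue
        m = SHOVEL.search(line)
        if m:
            counts["shovel_failed"] += 1
            try:
                if ipaddress.ip_address(m.group(1)).is_loopback:
                    loopback.add(m.group(1))
            except ValueError:
                pass  # target given as a hostname, not an IP literal
        m = VHOST.search(line)
        if m:
            refused.add(m.groups())  # (vhost, user)
        counts["unknown_ca"] += bool(UNKNOWN_CA.search(line))
        counts["no_endpoints"] += "no_endpoints" in line
    # Assumption of this example: a loopback shovel target together with
    # access_refused or "unknown ca" is the pattern this article describes.
    suspect = bool(loopback) and bool(refused or counts["unknown_ca"])
    return {"counts": dict(counts), "loopback_targets": sorted(loopback),
            "refused": sorted(refused), "matches_article": suspect}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A result with `matches_article` set to true is a prompt to check the address configured for the Local Collector service in the SA UI appliance view, not proof of the cause.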


 
Resolution

The workaround is to configure all the AIO services (including the Log Collector), except for the Reporting Engine, to use the physical IP address instead of the loopback IP.
(For more information, refer to the related page in the RSA Security Analytics 10.4 User Guide.)


 
Notes

A similar issue may occur on a Windows Legacy Collector.
For more information, refer to the knowledgebase article "Security Analytics 10.4: unable to receive logs when configuring a Windows Legacy Collector to push logs to a Local Collector on a All-In-One appliance".
