Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000017544 - At least one VLC queue exists that does not have any consumers in RSA Security Analytics

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000017544
Applies To	RSA Security Analytics RSA Security Analytics 10.3 RSA Security Analytics Virtual Log Collector RabbitMQ Message Broker
Issue	At least one VLC queue exists that does not have any consumers in RSA Security Analytics. In /var/log/messages on the VLC, an error similar to the following is displayed: Aug 4 22:20:51 NWAPPLIANCE32722 nw[1434]: [MessageBroker] [warning] warning 2014-08-04T15.20.51Z At least one queue exists that does not have any consumers. This condition may arise because the Log Collector is not currently running or parts of the system have been shut down. In some cases this condition may arise becau The message is truncated in /var/log/message. To obtain the full message, perform the following steps: In the Security Analytics UI, navigate to Administration -> Devices, select the VLC device, and click on View -> Logs. On the Historical tab, enter keywords "at least" and click Search. The full message will be displayed, as shown below. Warning 2014-08-05T09.00.51Z At least one queue exists that does not have any consumers. This condition may arise because the Log Collector is not currently running or parts of the system have been shut down. In some cases this condition may arise because a queue consumer (such as an event processor or VLC connection) was removed outside of the normal course of operation. The queue names that have no consumers are are: "shovel.sdee.Untitled", "shovel.file.Untitled", "shovel.syslog.Untitled", "shovel.checkpoint.Untitled", "shovel.windows.Untitled", "shovel.vmware.Untitled", "shovel.windowslegacy.Untitled", "shovel.snmptrap.Untitled", "shovel.odbc.Untitled". Make sure that the Log Collector process is running and that all event processors are in the running state. If this warning message persists and you are certain there are no legitimate consumers of these queues, you may delete them via the 'delete' property on the '/event-broker' node. Supply the queue name to delete...."
Cause	This issue occurs because when deleting a destination group in VLC -> Local Collector, it doesn't delete the queues. It may also occur because the Log Collector is not currently running or parts of the system have been shut down.
Resolution	To delete the 'orphaned' queues listed in the error message: 1. In Security Analytics UI, Navigate to Administration -> Devices, select the VLC device, and click on View -> Explore. 2. Expand event-broker -> Stats -> Queues. 3. Click on each of the queues listed in the error message (See the note below). 4. Check and ensure that "active consumer" is zero (0). 5. Right-click on Event-Broker and select Properties. 6. From the drop down box on properties window, select Delete. 7. In Parameters, enter: queue="shovel.collection type.name" (seen in error message) and click Send. 8. ResponseOutput will show "Success".
Notes	When viewing the queues in event-broker -> Stats -> Queues, the queue naming convention is: shovel_collection type_name. But when deleting, the naming convention must be (shovel.collection type.name), which is the same as seen on the error message.
Legacy Article ID	a67209

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

Re: Not Reporting Windows Devices
000031697 - Failed to update remote destination error after modifying IP failover order on RSA Security Analytics virtual log collector (VLC)