000017544 - At least one VLC queue exists that does not have any consumers in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017544
Applies To: RSA Security Analytics
RSA Security Analytics 10.3
RSA Security Analytics Virtual Log Collector
RabbitMQ Message Broker
Issue: At least one VLC queue exists that does not have any consumers in RSA Security Analytics.

In /var/log/messages on the VLC, an error similar to the following is displayed:



Aug  4 22:20:51 NWAPPLIANCE32722 nw[1434]: [MessageBroker] [warning] warning 2014-08-04T15.20.51Z At least one queue exists that does not have any consumers.  This condition may arise because the Log Collector is not currently running or parts of the system have been shut down.  In some cases this condition may arise becau



The message is truncated in /var/log/messages. To obtain the full message, perform the following steps:


  1. In the Security Analytics UI, navigate to Administration -> Devices, select the VLC device, and click on View -> Logs.
  2. On the Historical tab, enter keywords "at least" and click Search.

The full message will be displayed, as shown below.



Warning 2014-08-05T09.00.51Z At least one queue exists that does not have any consumers. This condition may arise because the Log Collector is not currently running or parts of the system have been shut down. In some cases this condition may arise because a queue consumer (such as an event processor or VLC connection) was removed outside of the normal course of operation. The queue names that have no consumers are are: "shovel.sdee.Untitled", "shovel.file.Untitled", "shovel.syslog.Untitled", "shovel.checkpoint.Untitled", "shovel.windows.Untitled", "shovel.vmware.Untitled", "shovel.windowslegacy.Untitled", "shovel.snmptrap.Untitled", "shovel.odbc.Untitled". Make sure that the Log Collector process is running and that all event processors are in the running state. If this warning message persists and you are certain there are no legitimate consumers of these queues, you may delete them via the 'delete' property on the '/event-broker' node. Supply the queue name to delete...."


Cause: This issue occurs because deleting a destination group in VLC -> Local Collector does not delete the associated queues. It may also occur because the Log Collector is not currently running or parts of the system have been shut down.
Resolution

To delete the 'orphaned' queues listed in the error message:



  1. In the Security Analytics UI, navigate to Administration -> Devices, select the VLC device, and click on View -> Explore.
  2. Expand event-broker -> Stats -> Queues.
  3. Click on each of the queues listed in the error message (see the note below).
  4. Check and ensure that "active consumer" is zero (0).
  5. Right-click on Event-Broker and select Properties.
  6. From the drop-down box in the Properties window, select Delete.
  7. In Parameters, enter: queue="shovel.collection type.name" (as seen in the error message) and click Send.
  8. ResponseOutput will show "Success".


Notes: When viewing the queues in event-broker -> Stats -> Queues, the queue naming convention is shovel_collection type_name. When deleting, however, the name must be given as shovel.collection type.name, which is the same form seen in the error message.
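
As an added example (not RSA's code), the Python sketch below parses the warning text, detects the truncated /var/log/messages form, and pairs each queue's underscore name from Stats -> Queues with the dotted Delete parameter. The sample messages are constructed from the excerpts above, and treating only the first two dots as separators is an assumption.

```python
import re

# Constructed samples modelled on the two messages quoted in this article.
TRUNCATED = ('Aug  4 22:20:51 NWAPPLIANCE32722 nw[1434]: [MessageBroker] [warning] '
             'warning 2014-08-04T15.20.51Z At least one queue exists that does not '
             'have any consumers.  In some cases this condition may arise becau')
FULL = ('Warning 2014-08-05T09.00.51Z At least one queue exists that does not have '
        'any consumers. The queue names that have no consumers are are: '
        '"shovel.sdee.Untitled", "shovel.file.Untitled", "shovel.syslog.Untitled". '
        'Make sure that the Log Collector process is running.')

MARKER = "At least one queue exists that does not have any consumers"
LIST_INTRO = "queue names that have no consumers"
QUEUE_RE = re.compile(r'"(shovel\.[^".]+\.[^"]+)"')


def orphaned_queues(message):
    """Return the dotted queue names, or None when the text was cut off before
    the list ended (the /var/log/messages case)."""
    if MARKER not in message:
        raise ValueError("not the 'no consumers' warning")
    _, found, tail = message.partition(LIST_INTRO)
    if not found or "Make sure" not in tail:
        return None  # truncated: read the full text via View -> Logs
    return QUEUE_RE.findall(tail.split("Make sure", 1)[0])


def stats_name(dotted):
    """Name as listed under event-broker -> Stats -> Queues.
    Assumption: only the first two dots are separators."""
    return "_".join(dotted.split(".", 2))


def deletion_plan(message):
    """Pair each Stats name (to check for zero consumers) with the Delete
    parameter string; None means the message was truncated."""
    names = orphaned_queues(message)
    if names is None:
        return None
    return [(stats_name(n), f'queue="{n}"') for n in names]


if __name__ == "__main__":
    for source in (TRUNCATED, FULL):
        plan = deletion_plan(source)
        if plan is None:
            print("Message truncated; search the Historical tab for the full text.")
            continue
        for stat, param in plan:
            print(f"check {stat} has 0 consumers, then Delete with {param}")
```

The script only prepares the names; the zero-consumer check in step 4 still has to be confirmed in Explore before each deletion.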
Legacy Article ID: a67209
