000017679 - Error message 'NWLogdecoder AMQP channel: Connection refused' is displayed in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017679
Applies To: RSA Security Analytics, RSA Security Analytics Log Decoder, RabbitMQ Message Broker
Issue: Error message "NWLogdecoder AMQP channel: Connection refused" is displayed in RSA Security Analytics.

If the log collector is unable to reach the message broker, errors similar to the following will be reported:



Mar  2 05:13:03 NWLOGDECODER nw[2482]: [MessageBrokerStats] [failure] Message-Broker Statistics: failed to get statistics /api/nodes
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [AMQPClientBase] [failure] An error occurred creating an AMQP channel: Connection refused
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [LogdecoderProcessor] [failure] [queue.checkpoint] [idle] Failed during getWork: Connection refused
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [MessageBrokerStats] [failure] Message-Broker Statistics: failed to get statistics /api/shovels
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [AMQPClientBase] [failure] An error occurred creating an AMQP channel: Connection refused
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [LogdecoderProcessor] [failure] [queue.file] [idle] Failed during getWork: Connection refused
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [AMQPClientBase] [failure] An error occurred creating an AMQP channel: Connection refused
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [LogdecoderProcessor] [failure] [queue.odbc] [idle] Failed during getWork: Connection refused
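
To see which queues and statistics endpoints are affected and since when, the failure lines above can be grouped by signature. This is an added example, not RSA tooling; the function names `sample_log` and `summarize_broker_failures` are hypothetical, and the sample input is constructed from the log excerpt above.

```shell
#!/bin/sh
# Added example: group Message Broker connection failures by signature.

# Constructed sample input, taken from the log excerpt in this article.
sample_log() {
cat <<'EOF'
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [MessageBrokerStats] [failure] Message-Broker Statistics: failed to get statistics /api/nodes
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [AMQPClientBase] [failure] An error occurred creating an AMQP channel: Connection refused
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [LogdecoderProcessor] [failure] [queue.checkpoint] [idle] Failed during getWork: Connection refused
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [MessageBrokerStats] [failure] Message-Broker Statistics: failed to get statistics /api/shovels
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [AMQPClientBase] [failure] An error occurred creating an AMQP channel: Connection refused
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [LogdecoderProcessor] [failure] [queue.file] [idle] Failed during getWork: Connection refused
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [AMQPClientBase] [failure] An error occurred creating an AMQP channel: Connection refused
Mar  2 05:13:03 NWLOGDECODER nw[2482]: [LogdecoderProcessor] [failure] [queue.odbc] [idle] Failed during getWork: Connection refused
EOF
}

# Reads syslog lines on stdin and prints one line per distinct failure:
#   <count> <kind> <target> first="<timestamp>" last="<timestamp>"
# kind is amqp-channel, getWork (per queue) or stats-api (per endpoint).
summarize_broker_failures() {
  awk '
    # Record one occurrence of a signature and track first/last timestamps.
    function hit(key,   ts) {
      ts = $1 " " $2 " " $3
      if (!(key in n)) first[key] = ts
      last[key] = ts
      n[key]++
    }
    !/\[failure\]/ { next }
    /\[LogdecoderProcessor\]/ && /Connection refused/ {
      # The queue name is the bracketed field that starts with "queue."
      for (i = 1; i <= NF; i++)
        if ($i ~ /^\[queue\./) hit("getWork " substr($i, 2, length($i) - 2))
      next
    }
    /\[AMQPClientBase\]/ && /Connection refused/ { hit("amqp-channel -"); next }
    /\[MessageBrokerStats\]/ && /failed to get statistics/ { hit("stats-api " $NF) }
    END {
      for (k in n)
        printf "%d %s first=\"%s\" last=\"%s\"\n", n[k], k, first[k], last[k]
    }
  ' | LC_ALL=C sort -k2,3
}

# Stand-alone run against the constructed sample.
sample_log | summarize_broker_failures
```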


Cause: This issue occurs when the Message Broker is not running, or when the Message Broker connection settings are incorrect.
Resolution

In order to resolve the issue, reset the Message Broker configuration manually by following the steps below.


  1. Connect to the log decoder appliance via SSH as the root user.
  2. Stop the log collector service with the following command:  stop nwlogcollector
  3. Stop the event-broker service by issuing the following command:  stop rabbitmq
  4. Reset the RabbitMQ configuration file with the following command:  cp /opt/netwitness/etc/rabbitmq-base-config /etc/netwitness/ng/rabbitmq/config/rabbitmq.config
  5. Restart the event-broker service with the following command:  start rabbitmq
  6. Restart the log collector service with the following command:  start nwlogcollector

NOTE: The Message Broker reset procedure can also be performed from the Security Analytics UI, through the Explore interface on the Log Collector device.


 


If the problem persists, delete the queues and restart RabbitMQ by issuing the commands below.


  1. rm /var/netwitness/logcollector/rabbitmq/mnesia/logcollector@localhost/queues/.
  2. start rabbitmq

 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Notes

File Locations:


  1. Log: /var/netwitness/logcollector/rabbitmq/log/logcollector@localhost.log
  2. Database: /var/netwitness/logcollector/rabbitmq/mnesia/logcollector@localhost
  3. RabbitMQ Config file: /etc/netwitness/ng/rabbitmq/config/rabbitmq.config

 


Users can manually test the connection to the event broker using OpenSSL by issuing the following commands:


  1. cd /etc/netwitness/ng/rabbitmq/
  2. openssl s_client -connect 127.0.0.1:5671 -key /etc/netwitness/ng/rabbitmq/ssl/keys/privkey.pem -cert /etc/netwitness/ng/rabbitmq/ssl/keys/cert.pem -CAfile ssl/cacert.pem -tls1
Legacy Article ID: a64663
