Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000029814 - Security Analytics Log collection fails with the error message "An error occurred publishing to an AMQP channel: NO_ROUTE" in RSA Security Analytics

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000029814
Applies To	SA Product Set: Security Analytics RSA Product/Service Type: Virtual Log Collector, Windows Legacy Collector RSA Version/Condition: 10.x O/S Version: CentOS 6
Issue	The Security Analytics Virtual Log Collector is failing to send events to the Local Log Collector. /var/log/messages in the Virtual Log Collector shows an error similar to the following: Feb 26 17:48:38 vlc nw[3957]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange: sdee, routing key: sdee The error above means that the Virtual Log Collector is receiving sdee events but is unable to send these events to the Local Log Collector.
Cause	This issue is caused if: there is no destination set for the Virtual Log Collector or a specific collection is missing from the destination. there is no source set for the Local Log Collector or a specific collection is missing from the source The error above mentioned shows the sdee collection is missing from the Local Collector destination as shown below: In fact only File and Windows collections are configured in this case. The same issue may occur if the Local Log Collector is configured to pull logs from the Virtual Log collector as shown below:
Resolution	If the Virtual Log Collector is pushing logs to the Local Log Collector: In the Security Analytics UI, navigate to Administration -> Services. Select the Virtual Log Collector service and click on the View -> Config button. Select the Local Collectors tab make sure a destination collector is present, if not add it and also add the collections that you would like (sdee in this specific example): If the Local Log Collector is pulling logs from the Virtual Log Collector: In the Security Analytics UI, navigate to Administration -> Services. Select the Local Log Collector service and click on the View -> Config button. Select the Remote Collectors tab make sure a source collector is present, if not add it and also add the collections that you would like (sdee in this specific example):
Notes	The same error may be caused by another issue described in the following KB article: Security Analytics Log collection fails with the error message "An error occurred publishing to an AMQP channel: NO_ROUTE" in RSA Security Analytics 10.4

Attachments

Outcomes

0 Comments

Recommended Content