Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000029814 - Log collection fails in the RSA NetWitness Platform with the error message "An error occurred publishing to an AMQP channel: NO_ROUTE"

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support on Aug 30, 2019

Version 4Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000029814
Applies To	RSA Product Set: NetWitness Logs & Network RSA Product/Service Type: Virtual Log Collector (VLC), Windows Legacy Collector (WLC) RSA Version/Condition: 10.6.x, 11.x O/S Version: CentOS
Issue	The Virtual Log Collector or Window Legacy Collector is failing to send events to the Local Log Collector. The /var/log/messages file in the Virtual Log Collector shows an error similar to the following: Feb 26 17:48:38 vlc nw[3957]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange: sdee, routing key: sdee The error above indicates that the Virtual Log Collector is receiving SDEE events but is unable to send these events to the Local Log Collector.
Cause	This issue is caused if: There is no destination set for the Virtual Log Collector or a specific collection is missing from the destination. There is no source set for the Local Log Collector or a specific collection is missing from the source The error above mentioned shows the sdee collection is missing from the Local Collector destination as shown below: In this example only File and Windows collections are configured. The same issue may occur if the Local Log Collector is configured to pull logs from the Virtual Log collector as shown below:
Resolution	If the Virtual Log Collector is pushing logs to the Local Log Collector: In the RSA NetWitness Platform UI, navigate to Administration > Services Select the Virtual Log Collector service and click on the View > Config button Select the Local Collectors tab Make sure a destination collector is present, if not add it and also add the collections that you would like (sdee in this specific example): If the Local Log Collector is pulling logs from the Virtual Log Collector: In the RSA NetWitness Platform UI, navigate to Administration > Services. Select the Local Log Collector service and click on the View > Config button. Select the Remote Collectors tab Make sure a source collector is present, if not add it and also add the collections that you would like (sdee in this specific example):
Notes	The same error may be caused by another issue described in the following article: Security Analytics Log collection fails with the error message "An error occurred publishing to an AMQP channel: NO_ROUTE" in RSA Security Analytics

Attachments

Outcomes

0 Comments

Recommended Content