000029814 - Security Analytics Log collection fails with the error message "An error occurred publishing to an AMQP channel: NO_ROUTE" in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000029814

Applies To
SA Product Set: Security Analytics

RSA Product/Service Type: Virtual Log Collector, Windows Legacy Collector

RSA Version/Condition: 10.x

O/S Version: CentOS 6
Issue
The Security Analytics Virtual Log Collector is failing to send events to the Local Log Collector.
/var/log/messages on the Virtual Log Collector shows an error similar to the following:

Feb 26 17:48:38 vlc nw[3957]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange: sdee, routing key: sdee
The error above means that the Virtual Log Collector is receiving sdee events but is unable to send these events to the Local Log Collector.
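To see which collections are affected and since when, the NO_ROUTE lines can be grouped by host, exchange and routing key. The following is an added example, not part of the original article or of RSA's tooling; it assumes a copy of /var/log/messages in the format quoted above, and the function names, the second host `vlc2` and the `file` exchange name are constructed for illustration.

```python
import re
from collections import OrderedDict

# Matches the syslog line format quoted in this article.
NO_ROUTE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) nw\[\d+\]: "
    r"\[BufferedChannel\] \[failure\] An error occurred publishing to an AMQP "
    r"channel: NO_ROUTE, exchange: (?P<exchange>[^,\s]+), "
    r"routing key: (?P<key>\S+)"
)

def summarize_no_route(lines):
    """Group NO_ROUTE failures by (host, exchange, routing key)."""
    summary = OrderedDict()
    for line in lines:
        m = NO_ROUTE_RE.match(line.strip())
        if not m:
            continue  # unrelated messages and other error types are skipped
        k = (m.group("host"), m.group("exchange"), m.group("key"))
        entry = summary.setdefault(k, {"count": 0, "first": m.group("ts"), "last": None})
        entry["count"] += 1
        entry["last"] = m.group("ts")
    return summary

def report(lines):
    """One line per collection to check in the destination/source configuration."""
    return ["%s: collection '%s' (routing key '%s') unroutable x%d, %s .. %s"
            % (h, ex, key, e["count"], e["first"], e["last"])
            for (h, ex, key), e in summarize_no_route(lines).items()]

# Constructed sample: the first line is the one quoted in the article; the
# others, including host "vlc2" and the "file" exchange name, are made up.
SAMPLE = """\
Feb 26 17:48:38 vlc nw[3957]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange: sdee, routing key: sdee
Feb 26 17:48:39 vlc nw[3957]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange: sdee, routing key: sdee
Feb 26 17:49:02 vlc sshd[4120]: Accepted publickey for root from 192.0.2.10 port 50522 ssh2
Feb 26 17:49:30 vlc2 nw[2210]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange: file, routing key: file
Feb 26 17:50:11 vlc nw[3957]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange: sdee, routing key: sdee
""".splitlines()

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Each reported exchange is a collection to look for in the collector configuration described under Resolution.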
 
Cause
This issue occurs if:
  • there is no destination set for the Virtual Log Collector, or a specific collection is missing from the destination.
  • there is no source set for the Local Log Collector, or a specific collection is missing from the source.
The error mentioned above indicates that the sdee collection is missing from the Local Collector destination. In this case, only the File and Windows collections are configured.
The same issue may occur if the Local Log Collector is configured to pull logs from the Virtual Log Collector.
Resolution
If the Virtual Log Collector is pushing logs to the Local Log Collector:
  1. In the Security Analytics UI, navigate to Administration -> Services.
  2. Select the Virtual Log Collector service and click on the View -> Config button.
  3. Select the Local Collectors tab.
  4. Make sure a destination collector is present. If not, add it, and also add the collections that you would like (sdee in this specific example).
If the Local Log Collector is pulling logs from the Virtual Log Collector:
  1. In the Security Analytics UI, navigate to Administration -> Services.
  2. Select the Local Log Collector service and click on the View -> Config button.
  3. Select the Remote Collectors tab.
  4. Make sure a source collector is present. If not, add it, and also add the collections that you would like (sdee in this specific example).
Notes
The same error may be caused by another issue described in the following KB article:
Security Analytics Log collection fails with the error message "An error occurred publishing to an AMQP channel: NO_ROUTE" in RSA Security Analytics 10.4