000029096 - RSA Security Analytics 10.4 log collection fails with the error message "An error occurred publishing to an AMQP channel: NO_ROUTE"

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support on Feb 1, 2018
Version 5

Article Content

Article Number: 000029096

Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector, Security Analytics UI
RSA Version/Condition: 10.4.x
O/S Version: CentOS 6

Issue: The Security Analytics log decoder is failing to consume logs from the local log collector, even though the Event Source is configured correctly.

The /var/log/messages file reports an error similar to the following:

Nov 20 16:03:30 SALOGDECODER nw[23209]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange:checkpoint, routing key: checkpoint

Cause: This error indicates a disconnect between the log collector and the log decoder service. If both services reside on the same appliance, it is likely that the log collector was inadvertently configured as a remote collector instead of a local collector.

Resolution: In order to resolve the issue, perform the following steps:
  1. In the Security Analytics UI, navigate to Administration > Services.
  2. Select the Log Collector service and click on the Edit button.
  3. In the Options section, confirm that the Remote box is unchecked.
  4. Click on the Test Connection button to ensure that the connection is successful.
  5. Click on the Save button.

The Add Service window for the Log Collector.


If the issue persists after making the change above, contact RSA Support and quote this article number for further assistance.

Notes: In order to verify that the events are being collected properly after the change above, follow the steps below.
  1. In the Security Analytics UI, navigate to Administration > Services.
  2. Select the Log Collector service, click the Action button on the far right side, and select View > Config.
  3. Click on the Event Sources tab.
  4. In the Event Categories section, select the appropriate event source.
  5. In the Sources section that populates, select the appropriate source and click the Edit button.
  6. In the Edit Source box, expand the Advanced section and set Debug to on.
  7. Click OK.
  8. In the black menu bar at the top of the screen, click Config and select Logs to change to the log viewer for the Log Collector.

Enabling debug mode on an event source.



If the events are being collected properly, logs similar to the following will be displayed:

Nov 20 16:15:41 SALOGDECODER nw[23209]: [CheckpointCollection] [info] [checkpoint.Checkpoint1] [processing] [WorkUnit] [processing] checkpoint.domain.com:10.1.1.2:Session End:Event count reached(15000)
Nov 20 16:15:41 SALOGDECODER nw[23209]: [CheckpointCollection] [info] [checkpoint.Checkpoint1] [processing] [WorkUnit] [processing] checkpoint.domain.com:10.1.1.2:Session exit reason: The session was ended by the application
Nov 20 16:15:41 SALOGDECODER nw[23209]: [CheckpointCollection] [info] [checkpoint.Checkpoint1] [processing] [WorkUnit] [processing] checkpoint.domain.com:10.1.1.2:Session completed: Total Time(00:00:05.022204) Total Events(15000)
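
The same verification can be run against a saved copy of the log. The script below is an added example, not RSA code: it tallies NO_ROUTE failures per exchange and lists the exchanges that have had no completed collection session since their last failure. The sample lines are constructed from the excerpts in this article, "exampletype" is a placeholder exchange name, and matching a source name to an exchange by its prefix is an assumption.

```python
import re

# Constructed sample: lines 1 and 3 copy the excerpts in this article; line 2
# uses a placeholder exchange name ("exampletype") to show an unresolved case.
SAMPLE = """\
Nov 20 16:03:30 SALOGDECODER nw[23209]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange:checkpoint, routing key: checkpoint
Nov 20 16:04:02 SALOGDECODER nw[23209]: [BufferedChannel] [failure] An error occurred publishing to an AMQP channel: NO_ROUTE, exchange:exampletype, routing key: exampletype
Nov 20 16:15:41 SALOGDECODER nw[23209]: [CheckpointCollection] [info] [checkpoint.Checkpoint1] [processing] [WorkUnit] [processing] checkpoint.domain.com:10.1.1.2:Session completed: Total Time(00:00:05.022204) Total Events(15000)
"""

STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ nw\[\d+\]: "
NO_ROUTE = re.compile(
    STAMP + r"\[BufferedChannel\] \[failure\] .*NO_ROUTE, "
    r"exchange:\s*(?P<exchange>[^,]+), routing key:\s*(?P<key>\S+)")
COMPLETED = re.compile(
    STAMP + r"\[\w+\] \[info\] \[(?P<source>[^\]]+)\] .*"
    r"Session completed: .*Total Events\((?P<events>\d+)\)")


def collection_status(text):
    """Per exchange: NO_ROUTE count, last failure time, events collected since."""
    status = {}

    def entry(name):
        return status.setdefault(
            name, {"failures": 0, "last_failure": None, "events_since": 0})

    for line in text.splitlines():  # lines are assumed to be in time order
        failed = NO_ROUTE.search(line)
        done = COMPLETED.search(line)
        if failed:
            e = entry(failed["exchange"].strip())
            e["failures"] += 1
            e["last_failure"] = failed["ts"]
            e["events_since"] = 0  # only sessions after the latest failure count
        elif done:
            # Assumption: the part of the source name before the dot
            # ("checkpoint" in "checkpoint.Checkpoint1") is the exchange name.
            entry(done["source"].split(".")[0])["events_since"] += int(done["events"])
    return status


def still_failing(status):
    """Exchanges with a NO_ROUTE failure and no completed session after it."""
    return sorted(n for n, e in status.items()
                  if e["failures"] and not e["events_since"])


if __name__ == "__main__":
    print(collection_status(SAMPLE), still_failing(collection_status(SAMPLE)))
```

To check a real appliance, pass the contents of /var/log/messages to collection_status() in place of SAMPLE.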
