000033313 - One or more Custom log decoder event processors exist while opening the config tab of Remote Collector in RSA Security Analytics

Document created by RSA Customer Support Employee on May 9, 2017
Version 1

Article Content

Article Number: 000033313
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Remote log collector, Log Decoder, Local Collector
RSA Version/Condition: 10.6.x
Platform: CentOS
Issue: The error message below occurs when going to the Config tab of a Remote Collector.
One or more custom log decoder event processors exist. You may delete them by going to the explore view menu. Note that any of the event data stored in a queue will be lost as the result of a delete operation.


The error below is logged when deleting the queues using the following knowledge article: At least one VLC queue exists that does not have any consumers in RSA Security Analytics

[LogdecoderProcessor] [failure] [queue.checkpoint] [processing] [Receiver WorkUnit] [processing] LogDecoder processor error from queue LogDecoder.SG_HK.checkpoint at location Reason: Consumer was cancelled: amq.ctag-dTKvrwnUsqdo0ipZS2imCw
Jun 3 05:49:25 srahkgsav99 NwLogCollector[11070]: [LogdecoderProcessor] [failure] [queue.checkpoint] [processing] [Receiver WorkUnit] [processing failure] srxhkrsalh01-LogDecoder:WrkUnit[11] Processing failed

In addition, you can see two queues for each collection with active consumers, which can be verified by issuing the command below on the VLC.
rabbitmqctl list_queues -p logcollection consumers name messages

The error can also occur when a VLC is switched from type "LC" to "RC" and some Local Collector configuration remains.
For more information refer to the following knowledge article: RSA Security Analytics syslog option is missing on a virtual log collector (VLC) in version 10.6
Cause: A possible cause is the manual addition of a secondary event processor to forward logs out to a non-SA system.
This can be confirmed in the RSA Security Analytics UI by navigating to Services > VLC > Explore view > Event Processor.

How to delete the customized event-processor from explore view of remote collector

  1. In the RSA Security Analytics UI, navigate to Administration -> Devices, select the VLC device, and click on View > Explore.
  2. Right-click on Event-Processor and select Properties.
  3. From the drop-down box in the Properties window, select Remove.
  4. In Parameters, enter: name="{somename}" and click Send.  (Where {somename} is the rabbitmq queue name to be deleted.)
  5. See the output from the "rabbitmqctl list_queues -p logcollection consumers name messages" command.
  6. ResponseOutput will show "Success".
  7. Restart rabbitmq service on Remote collector using the command below.
    service rabbitmq-server restart

This will automatically delete the unwanted queues and will start processing the messages to the local collector.
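
Because a Remove discards any event data still held in the queue, the backlog can be checked first. The script below is an added example, not RSA code: it reads the output of the list_queues command shown above and totals the messages in queues whose name contains a given string. It assumes the processor name appears literally in its queue names; the function names and all sample rows except LogDecoder.SG_HK.checkpoint are constructed.

```sh
#!/bin/sh
# Added example (not RSA code). Summarises the queues that removing an event
# processor would delete, so the queued-event loss is known beforehand.
# Expected input: rows of consumers<TAB>name<TAB>messages, the column order of
#   rabbitmqctl list_queues -p logcollection consumers name messages
# Banner lines ("Listing queues ...", "...done.") are ignored.

# queue_summary NAME: read list_queues output on stdin and print
# "queues=N consumers=C messages=M" for queues whose name contains NAME.
# Assumption: the processor name appears literally in its queue names.
queue_summary() {
    if [ -z "$1" ]; then
        echo "usage: queue_summary NAME" >&2
        return 2
    fi
    # NAME is passed through the environment so awk treats it as a literal.
    PAT=$1 awk -F '\t' '
        # Keep only well-formed data rows; skip banners and blank lines.
        NF == 3 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && index($2, ENVIRON["PAT"]) {
            queues++; consumers += $1; messages += $3
        }
        END { printf "queues=%d consumers=%d messages=%d\n", queues, consumers, messages }'
}

# Constructed sample output; only LogDecoder.SG_HK.checkpoint appears on the page.
sample_output() {
    printf 'Listing queues ...\n'
    printf '%s\t%s\t%s\n' 1 LogDecoder.checkpoint 0
    printf '%s\t%s\t%s\n' 1 LogDecoder.SG_HK.checkpoint 1200
    printf '%s\t%s\t%s\n' 0 LogDecoder.SG_HK.syslog 35
    printf '%s\t%s\t%s\n' 1 LogDecoder.syslog 7
    printf '...done.\n'
}

# Demo on the constructed sample. On a VLC, pipe the real command instead:
#   rabbitmqctl list_queues -p logcollection consumers name messages | queue_summary NAME
sample_output | queue_summary SG_HK
```

A non-zero messages value is the number of queued events that the Remove in step 4 would discard.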