Prerequisites
- RabbitMQ 3.12+ (3.13 recommended)
- The
rabbitmq_managementplugin must be enabled on the broker: - Network access from the OpenSRE environment to the Management API port (default 15672)
- A user with at least the
monitoringtag (read-only access to all management endpoints)
Setup
Option 1: Interactive CLI
Option 2: Environment variables
Add to your.env:
Option 3: Persistent store
Credentials are automatically persisted to~/.opensre/integrations.json with 0o600 permissions:
Recommended user setup
Create a dedicated monitoring user so OpenSRE has read-only access:monitoring tag grants read access to all management endpoints without the ability to publish, consume, create, or delete any resources. The permissions line grants no configure or write access (^$ matches nothing), and read access to all resources (.*).
TLS configuration
SSL is disabled by default because most RabbitMQ Management API deployments use HTTP internally. For production environments exposed over the network, enable HTTPS:RABBITMQ_VERIFY_SSL=false only when connecting to brokers with self-signed certificates in trusted networks.
Investigation tools
When OpenSRE investigates a RabbitMQ-related alert, five diagnostic tools are available:Queue backlog
Lists queues ranked by pending message count (ready + unacknowledged). Returns queue name, vhost, state, message counts, consumer count, consumer utilisation, memory usage, and publish/deliver/ack rates. Results are scoped to the configured vhost.Consumer health
Lists active consumers with per-queue diagnostics: consumer tag, ack mode, prefetch count, active state, and the channel/connection each consumer is bound to. Helps identify stalled or missing consumers behind a growing backlog.Broker overview
Returns a cluster-wide summary: RabbitMQ version, cluster name, total message counts, publish/deliver rates, queue/consumer/connection/channel totals, plus alarm health-check status (memory, disk, and file-descriptor alarms).Node health
Returns per-node resource utilisation: memory used vs. limit (with alarm flag), disk free vs. limit (with alarm flag), file descriptors, sockets, Erlang process usage, and cluster partition state. Essential for diagnosing backpressure, partitions, or node-level resource exhaustion.Connection stats
Lists active connections sorted by receive byte rate. Reports user, vhost, protocol, channel count, peer host/port, TLS status, and recv/send byte rates. Helps spot connection exhaustion, slow consumers, or noisy publishers. Results are filtered to the configured vhost.Verify
Troubleshooting
Security best practices
- Use a dedicated
monitoringuser — never the defaultguestaccount or anadministrator-tagged user. - Always enable TLS when the Management API is exposed over the network.
- Keep passwords out of source control — use
.envor the persistent store. - Rotate credentials periodically.
- The Management API is read-only from OpenSRE’s perspective — no messages are published, consumed, or deleted.