IBM Support

MustGather: Collecting logs for IBM Resilient Circuits

Troubleshooting


Problem

Use this document to collect logs for IBM Resilient Circuits.

Resolving The Problem

The main log file for IBM Resilient Circuits is app.log. The file name can differ depending on the value set in app.config.
Where is the app.log?
The location of app.log depends on the configuration in app.config. The following configuration shows that app.log is located in the /home/integration/.resilient/ directory.
logdir=/home/integration/.resilient/
logfile=app.log
loglevel=INFO
Where is the app.config?
If IBM Resilient Circuits is set up to restart by configuring systemd, then the location of the app.config can be found in /etc/systemd/system/resilient_circuits.service.
[Service]
Type=simple
User=integration
WorkingDirectory=/home/integration
ExecStart=/usr/local/bin/resilient-circuits run
Restart=always
TimeoutSec=10
Environment=APP_CONFIG_FILE=/home/integration/.resilient/app.config
Environment=APP_LOCK_FILE=/home/integration/.resilient/resilient_circuits.lock
If IBM Resilient Circuits is not controlled by systemd, then "APP_CONFIG_FILE" can be set by using the export command or added to bash profiles for the user that IBM Resilient Circuits runs as.
Enabling DEBUG
IBM Support requires debug to be enabled so that verbose output is written to the app.log. Debug provides more insight into the error and what IBM Resilient Circuits is doing at the time.
logdir=/home/integration/.resilient/
logfile=app.log
loglevel=DEBUG
To enable debug, set loglevel=DEBUG in app.config and then restart IBM Resilient Circuits. If systemd is used, run sudo systemctl restart resilient_circuits.
Gathering logs
After debug is enabled and IBM Resilient Circuits is restarted, reproduce the problem and gather the app.log.
See Collecting logs for IBM Security SOAR to gather IBM Security SOAR logs.
Systemd
If the problem relates to systemd, or the service is repeatedly starting and stopping, get information from journalctl:
sudo journalctl -xe >/tmp/journalctl.txt
Information to send to IBM Support:
  • App.log
  • IBM Security SOAR logs
  • Screen capture of error messages (if applicable)
  • Screen captures of Action Status and Workflow Status of an incident (if applicable)
  • App.config might be requested by IBM Support
  • Output of pip freeze (use sudo if installed with sudo)
  • Output of resilient-circuits list
  • Output of python -v
  • The log file /var/log/messages
  • Contextual information that might assist such as the last change made.
  • Journalctl.txt if applicable.
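The lookup described above (APP_CONFIG_FILE, then logdir and logfile, then loglevel) can be scripted as a pre-collection check. This is an added example, not IBM-supplied code; the function names and the --check argument are hypothetical, and it assumes plain key=value lines in app.config and no spaces in the config path.

```shell
#!/bin/sh
# Added example (not IBM code): resolve app.config and app.log as the page
# describes, and confirm DEBUG is on before reproducing the problem.

# Print the app.config path. An exported APP_CONFIG_FILE wins; otherwise read
# the Environment= line of the systemd unit ($1, default is the page's path).
config_path() {
    unit=${1:-/etc/systemd/system/resilient_circuits.service}
    if [ -n "${APP_CONFIG_FILE:-}" ]; then
        printf '%s\n' "$APP_CONFIG_FILE"
        return 0
    fi
    [ -r "$unit" ] || return 1
    sed -n 's/^[[:space:]]*Environment="\{0,1\}APP_CONFIG_FILE=\([^"[:space:]]*\).*/\1/p' "$unit" |
        head -n 1 | grep .
}

# Print the value of key $2 from app.config $1: first uncommented key=value
# line, spaces around '=' tolerated, trailing whitespace stripped.
config_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Print the full log path built from logdir and logfile.
# Returns 1 if either key is missing, 2 if loglevel is not DEBUG.
debug_log_path() {
    cfg=$1
    dir=$(config_value "$cfg" logdir)
    file=$(config_value "$cfg" logfile)
    level=$(config_value "$cfg" loglevel)
    [ -n "$dir" ] && [ -n "$file" ] || return 1
    printf '%s/%s\n' "${dir%/}" "$file"
    [ "$level" = "DEBUG" ] || return 2
}

# Hypothetical entry point: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    cfg=$(config_path) || { echo "APP_CONFIG_FILE not found" >&2; exit 1; }
    debug_log_path "$cfg" ||
        echo "warning: loglevel is not DEBUG, or logdir/logfile is missing" >&2
fi
```

Run it as the user that IBM Resilient Circuits runs as, so that an exported APP_CONFIG_FILE in that user's profile is visible.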

Document Location

Worldwide


Document Information

Modified date:
10 June 2022

UID

ibm11846611