Troubleshooting
Problem
Collect troubleshooting data for problems with IBM Security QRadar SOAR playbooks. Gathering this information before contacting IBM support will help familiarize you with the troubleshooting process and save you time.
Resolving The Problem
Playbook problems
For problems with playbooks, gather the following information:
- Describe the problem providing screen shots and other contextual information so the problem can be accurately relayed to IBM Support
- Enable functional logging by going to System Settings -> System Diagnostics -> Functional logging
  - Enable and choose Playbooks from the list of functional areas
- Does the workflow invoke an application or function?
  - Enable debug logging for the application
    - If you use an App Host go to App -> Details -> Configuration -> app.config
      - Edit the app.config adding loglevel = DEBUG under the [resilient] heading
      - Click on Save and Push Changes
      - Allow the app to restart
    - If you use an integration server locate the app.config
      - If you are having difficulty finding the app.config see MustGather: Collecting logs for IBM Resilient Circuits for hints
      - Edit the app.config adding loglevel = DEBUG under the [resilient] heading
      - Restart Resilient Circuits
[resilient]
loglevel = DEBUG
- Reproduce the problem
  - What date and time did the problem occur or did you reproduce the problem?
  - What time zone is the reported time?
- Provide the incident or case ID
- What is the name of the playbook?
- Take a screen shot of the Playbook Progress screen
  - In the affected incident click on Playbook Progress
  - Expand the section by clicking on the twistie and take a screen grab
  - Click on "View full playbook activities" and get screen grabs of all pages, scrolling from the top to the bottom of the page
- Export the playbook
- Run sudo resPackageLogs -l 3 (on-premises only)
- Does the workflow invoke an application or function?
  - If so IBM Support needs the application logs
    - See MustGather: Information to Collect when Troubleshooting Issues with IBM Security SOAR AppHost which includes instructions that will collect application logs and App Host logs
    - See MustGather: Collecting logs for IBM Resilient Circuits which includes instructions as to how to collect logs if an integration server is used
- Run sudo -u postgres -i psql co3 -c "select container, count(*), sum(length(msg)) as bytes, max(length(msg)) as bytes from monapp.activemq_msgs group by container order by container" on the SOAR server CLI (on-premises only)
sudo -u postgres -i psql co3 -c "select container, count(*), sum(length(msg)) as bytes, max(length(msg)) as bytes from monapp.activemq_msgs group by container order by container"
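For the integration server case, where app.config is a local file, the loglevel edit described above can be scripted and checked. This is an added example, not IBM's tooling: the function names, the sample file contents and the [fn_example] section are assumptions. It returns the previous level so the original setting is known once the logs have been collected.

```python
import configparser
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*loglevel\s*[=:]\s*(\S*)", re.IGNORECASE)

# Constructed sample app.config; values and the [fn_example] section are made up.
SAMPLE = """\
[resilient]
# connection settings
host = soar.example.com
org = Example Org
loglevel = INFO

[fn_example]
loglevel = WARN
"""


def set_resilient_loglevel(config_text, level="DEBUG"):
    """Return (new_text, previous_level); only the [resilient] key changes."""
    lines = config_text.splitlines()
    header = key_line = previous = None
    in_resilient = False
    for i, line in enumerate(lines):
        section = SECTION_RE.match(line)
        if section:
            in_resilient = section.group(1).strip() == "resilient"
            if in_resilient and header is None:
                header = i
        elif in_resilient and key_line is None:
            key = KEY_RE.match(line)
            if key:  # commented-out lines start with # or ; and never match
                key_line, previous = i, key.group(1)
    if header is None:
        raise ValueError("no [resilient] section in app.config text")
    if key_line is None:
        lines.insert(header + 1, f"loglevel = {level}")  # key was absent
    else:
        lines[key_line] = f"loglevel = {level}"
    return "\n".join(lines) + "\n", previous


def effective_loglevel(config_text):
    """Read the text back with an INI parser to confirm the effective level."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return parser.get("resilient", "loglevel", fallback=None)
```

Write the returned text back to app.config only after keeping a copy of the original, then restart Resilient Circuits as the step above describes.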
Document Location
Worldwide
Document Information
Modified date: 28 June 2024
UID: ibm17145826