Troubleshooting
Problem
Collect troubleshooting data for problems with IBM Security QRadar SOAR workflows. Gathering this information before contacting IBM support will help familiarize you with the troubleshooting process and save you time.
Resolving The Problem
Workflow problems
For problems with workflows, gather the following information:
- Describe the problem providing screen shots and other contextual information so the problem can be accurately relayed to IBM Support
- Enable functional logging by going to System Settings -> System Diagnostics -> Functional logging
- Enable and choose Workflow from the list of functional areas
- Does the workflow invoke an application or function?
- Enable debug logging for the application
- If you use an App Host go to App -> Details -> Configuration -> app.config
- Edit the app.config adding loglevel = DEBUG under the [resilient] heading
- Click on Save and Push Changes
- Allow the app to restart
- If you use an integration server locate the app.config
- If you are having difficulty finding the app.config see MustGather: Collecting logs for IBM Resilient Circuits for hints
- Edit the app.config adding loglevel = DEBUG under the [resilient] heading
- Restart Resilient Circuits
- If you use an App Host go to App -> Details -> Configuration -> app.config
- Enable debug logging for the application
[resilient]
loglevel = DEBUG
- Reproduce the problem
- What date and time did the problem occur or did you reproduce the problem?
- What time zone is the reported time?
- Provide the incident or case ID
- What is the name and API name of the workflow?
- Take a screen shot of the Workflow Status screen
- Take a screen shot of the actions status ensuring all options are checked
- Export the configuration
- Administrator Settings -> Organization -> Migrate Settings -> Export -> check all values -> Export
- Upload the .resz file to the case
- Run sudo resPackageLogs -l 3 (on-premises only)
- Does the workflow invoke an application or function?
- If so IBM Support needs the application logs
- See MustGather: Information to Collect when Troubleshooting Issues with IBM Security SOAR AppHost which includes instructions that will collect application logs and App Host logs
- See MustGather: Collecting logs for IBM Resilient Circuits which includes instructions as to how to collect logs if an integration server is used
- Run sudo -u postgres -i psql co3 -c "select container, count(*), sum(length(msg)) as bytes, max(length(msg)) as bytes from monapp.activemq_msgs group by container order by container" on the SOAR server CLI (on-premises only)
- If so IBM Support needs the application logs
sudo -u postgres -i psql co3 -c "select container, count(*), sum(length(msg)) as bytes, max(length(msg)) as bytes from monapp.activemq_msgs group by container order by container" on the SOAR server CLI
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSA230","label":"IBM Security QRadar SOAR"},"ARM Category":[{"code":"a8m0z000000cw4bAAA","label":"Resilient Core"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
28 June 2024
UID
ibm17149845