Hi Pablo,
First identify the container running the Resilient plugin and monitor the logs:
docker ps
docker exec -it <container-id> bash
tail -f /store/log/circuits.log
In a separate terminal, navigate to the persistent storage directory and set the loglevel parameter to DEBUG:
cd /store/docker/volumes/qapp-<app-id>/
vi app.config
The plugin should automatically restart when it detects a configuration change, giving the extra detail required. If circuits.log is continually being overwritten, you can go back to your docker terminal and take the following additional steps:
- Confirm you are in the right application by running
ls /store
and confirming that one of incident.json, resilient.db or app.config is present.
- Run
ps -ef
and record the PIDs of python run_circuits.py and /bin/bash /src_deps/init/circuits.sh.
- Kill those processes with
kill -9 <PID of circuits.sh> <PID of run_circuits.py>
The order is important: first use kill with the PID of /bin/bash /src_deps/init/circuits.sh.
- Make sure that
loglevel=DEBUG
is set in /store/app.config.
- Run
env APP_CONFIG_FILE=/store/app.config python2.7 run_circuits.py > /store/log/circuits.log
- Wait for it to fail and exit.
- Back up circuits.log by running
mv /store/log/circuits.log /store/log/circuits.log.bac
This backup file should have the latest error.
You can restart the plugin using the Interactive REST API, setting STATUS to RUNNING at
POST - /gui_app_framework/applications/{application_id}
If the level of detail is still not enough or the error persists, it may be necessary to troubleshoot the QRadar instance to ensure it is in a fully functional state. The issue above seems related to backend certificate issues with the instance, rather than the plugin. Troubleshooting QRadar may require other support, which can be found at:
https://w3.ibm.com/w3publisher/ctp-resources-qradar/customer-engagement
Thanks for reaching out, I hope this can be of assistance.
Kind regards,
------------------------------
Sean OGorman
------------------------------
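The procedure above edits app.config by hand, moves the failing log aside, and points at a server certificate that does not verify. The shell helpers below are an added example for this thread, not code from Sean's reply or from the QRadar/Resilient app: they make the loglevel edit idempotent (change an existing key or append it), preserve the failing run's log under the .bac name used above, and reproduce the TLS handshake against a chosen CA bundle so a "certificate verify failed" result can be confirmed from the shell. The assumptions are that app.config is plain key=value text with a loglevel key (the section layout is not taken from the page) and that openssl is on the PATH; host, port and CA-file arguments are the operator's own.

```shell
#!/bin/sh
# Helpers for the debug-logging steps discussed in the thread.
# Constructed example; assumes an INI-style app.config with a "loglevel" key.

# set_loglevel FILE [LEVEL]
# Rewrite any "loglevel = X" line in FILE to LEVEL (default DEBUG); append the
# key when it is absent. Returns 0 only if FILE ends up holding that level.
set_loglevel() {
    file="$1"
    level="${2:-DEBUG}"
    [ -f "$file" ] || return 1
    tmp="$file.tmp.$$"
    if grep -Eq '^[[:space:]]*loglevel[[:space:]]*=' "$file"; then
        # Replace only the value; every other line is kept byte for byte.
        sed -E "s/^([[:space:]]*loglevel[[:space:]]*=).*/\1${level}/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'loglevel=%s\n' "$level" >> "$tmp"
    fi
    mv "$tmp" "$file"
    grep -Eq "^[[:space:]]*loglevel[[:space:]]*=[[:space:]]*${level}[[:space:]]*\$" "$file"
}

# get_loglevel FILE
# Print the configured level (last occurrence wins; commented lines ignored).
get_loglevel() {
    sed -nE 's/^[[:space:]]*loglevel[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p' "$1" | tail -n 1
}

# backup_log LOGFILE
# Move LOGFILE to LOGFILE.bac so the next run starts a fresh log while the
# failing run's output is preserved. Prints the backup path.
backup_log() {
    log="$1"
    [ -f "$log" ] || return 1
    mv "$log" "$log.bac" && printf '%s\n' "$log.bac"
}

# check_server_cert HOST [PORT] CAFILE
# Perform the same TLS handshake the plugin does and report OpenSSL's verify
# result against CAFILE. A non-zero "Verify return code" is the shell-level
# counterpart of the "certificate verify failed" error in the original post.
check_server_cert() {
    host="$1"
    port="${2:-443}"
    cafile="$3"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" </dev/null 2>/dev/null | grep -E 'Verify return code'
}
```

Typical use inside the container is set_loglevel /store/app.config DEBUG before the manual run_circuits.py run, backup_log /store/log/circuits.log once it has exited, and check_server_cert <resilient-host> 443 /path/to/ca-bundle.pem to see whether the chain the server presents is trusted by the bundle the plugin is using.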
Original Message:
Sent: Mon June 08, 2020 01:16 PM
From: PABLO ROBERTO GARCIA
Subject: Qradar + Resilient integration
Hello,
I need to know if there is a troubleshooting guide to review the issues between Qradar and Resilient integration.
I have just downloaded the latest version of Qradar App for resilient, the App is already installed on Qradar version (7.3.2) and I received the following error message. Is there any troubleshooting guide to put the logs in debug to review further issues?
("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
Regards,
------------------------------
PABLO ROBERTO GARCIA
------------------------------