IBM Security QRadar SOAR

 View Only
  • 1.  Query for Number of Active Scripts on IBM SOAR Server

    IBM Champion
    Posted Thu January 26, 2023 11:01 AM
    Hello,

    Since upgrading to 47.1.36 we're experiencing lots of script timeout errors. These are happening on scripts that used to complete just fine. Previously we didn't get too many of these errors, certainly not at the rate we're currently getting them.

    I came across this community post https://community.ibm.com/community/user/security/discussion/comresilientscriptingexceptiontimeoutscriptingexception-script-timeout-error that mentions changing the value for `resPython3MaxProcesses` in file `/usr/share/co3/conf/scripting-server.properties`. I'm wondering if there is a way to query for the current active number of scripts running on the system? I'd like to validate that this seems to be the issue before changing this property value.

    Also I have some confusion after reading that post. It says that if 20 scripts are running any additional scripts get queued up. Does the 5 second timeout counter start counting while the script is queued up? Or only once the script starts execution? I'm not sure why these scripts would start taking longer than 5 seconds after the upgrade.

    Thanks!


    ------------------------------
    Liam Mahoney
    ------------------------------


  • 2.  RE: Query for Number of Active Scripts on IBM SOAR Server

    IBM Champion
    Posted Fri January 27, 2023 05:48 PM

    Still getting script timeouts pretty frequently. Happening in workflows and playbooks. Seems to commonly be in script condition points.

    For example the error:


    Where the two script conditions on the condition point are

    'User Search Error'

    result = False
    if (playbook.functions.results.user_search.get("success") == False):
      result = True


    'Unexpected # Expel Users Found'

    result = False
    if (len(playbook.functions.results.user_search.get("content").get("data")) != 1):
      result = True
    

    The same playbook works some of the time and doesn't experience any script timeouts.

    Anything jumping out to anyone? This is getting pretty bad, incidents are becoming unworkable for our incident response team and they're starting to get pretty frustrated by it.

    We ended up updating resPython3MaxProcesses to 200 in /usr/share/co3/conf/scripting-server.properties and thought it had helped but started getting script timeouts again this afternoon.

    ------------------------------
    Liam Mahoney
    ------------------------------



  • 3.  RE: Query for Number of Active Scripts on IBM SOAR Server

    Posted Mon January 30, 2023 03:52 PM
    Hi Liam,
    You should open a support ticket for this problem. There are several causes. We need to take a look at the logs to determine the cause so please run "resPackageLogs -l 3" and attach it to the ticket. Thank you.

    ------------------------------
    Eric Yee
    IBM QRadar SOAR
    Software Development Manager (Level 3 Support, Performance)
    ------------------------------