IBM Security QRadar SOAR

  • 1.  Resilient API log ?

    Posted Tue July 05, 2022 12:07 PM
    Where do I find the API call log on Resilient (Version: 42.2.41)? I don't see it in client.log or circuits logs.

    ------------------------------
    Irek Romaniuk
    ------------------------------


  • 2.  RE: Resilient API log ?

    Posted Tue July 05, 2022 05:37 PM
    Are you looking for Resilient/SOAR REST API calls from a particular integration?
    If you are running an integration server they should show up in the circuits log.
    If you are running App Host: go to the Apps tab in Administrator Settings, go to the App and hit Download Logs button.

    In the [resilient] section of the app.config, set debug mode to get more info:
    loglevel = DEBUG

    Hope that helps!

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 3.  RE: Resilient API log ?

    Posted Wed July 06, 2022 02:31 AM
    Hi Irek,

    See https://www.ibm.com/support/pages/node/1846545 which provides the paths to a great many log files that the various applications write to. In your case you want /usr/share/co3/logs/client_access_log<YYYY-MM-DD>.log which is the webserver log. It contains all the API calls to SOAR and for each it writes using a pattern.

    The pattern we use is:

    pattern="%h %l %u %t &quot;%r&quot; %s %b %D %{count_db_queries}r %{query_execution_time}r [%{res_user_email}s] %I"

    Translates to:

    "remote host name" %l "Requested URL path" "Date & TIME" "GET /rest/orgs/201 HTTP/1.1" "HTTP status code" "Bytes sent" "Time taken to process the request, in millis" {count_db_queries} {query_execution_time} [email address] "current Request thread name"

    {count_db_queries} = number of database queries
    {query_execution_time} = value in total time executing the database queries

    The pattern may change in future versions.

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 4.  RE: Resilient API log ?

    IBM Champion
    Posted Fri February 17, 2023 10:44 AM

    I'm getting the following response from the Resilient API in one of my integrations running in app host. I grabbed this from the app's logs:

    2023-02-17 04:17:00,679 CRITICAL [funct_gen_close_incident_tasks] 1092746:
    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/resilient/co3.py", line 730, in get_put
    res = super(SimpleClient, self).get_put(uri, apply_func, co3_context_token, timeout)
    File "/opt/app-root/lib64/python3.9/site-packages/resilient/co3base.py", line 684, in get_put
    obj = self._get_put(uri, apply_func, co3_context_token=co3_context_token, timeout=timeout)
    File "/opt/app-root/lib64/python3.9/site-packages/resilient/co3base.py", line 664, in _get_put
    BasicHTTPException.raise_if_error(response)
    File "/opt/app-root/lib64/python3.9/site-packages/resilient/co3base.py", line 84, in raise_if_error
    raise BasicHTTPException(response)
    resilient.co3base.BasicHTTPException: 'resilient' API Request FAILED:
    Response Code: 500
    Reason: Unknown Reason. 
    
    <!DOCTYPE html>
    <html lang="en"><head>
    <meta charset="utf-8">
    <title>IBM Security QRadar SOAR</title>
    <meta name="description" content="">
    <meta name="author" content="">
    <link rel="stylesheet" href="/css/external.css">
    </head>
    
    <body>
    <div class="container ct">
    <h1 class="ct logo-text">IBM <strong>Security</strong> QRadar SOAR</h1>
    <div class="hero-unit ct">
    
    <p>An error occurred.</p>
    
    <p>
    For additional support, please contact your system administrator.
    </p>
    </div>
    </div>
    <footer>
    <p class="ct">&#169; Copyright IBM Corporation 2023</p>
    </footer>
    </body></html>

    I'm hoping to find a log file on the resilient side that will give me more details about the error that happened, but I have yet to find it. I have tried a majority of the logs mentioned in https://www.ibm.com/support/pages/node/1846545. I've skipped some of them that I don't think would be related - perhaps I'm skipping the one I need.

    I was able to find the request in the `/usr/share/co3/logs/client_access_log<YYYY-MM-DD>.log` file, but it doesn't tell me anything other than the path of the request and that the response was a 500:

    <IP_ADDR>- - [16/Feb/2023:22:17:00 -0600] "PUT /rest/orgs/201/incidents/53344 HTTP/1.1" 500 680 4957 - - [e9faad2b-5983-494a-84a3-05add1378d20] https-jsse-nio2-443-exec-24

    I'm hoping there's a log somewhere that would contain a stack trace or details of what error actually happened. If anyone knows of a log file that would contain that please let me know!

    Thanks.



    ------------------------------
    Liam Mahoney
    ------------------------------
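Added example (editor's code, not from any of the posters or from IBM): a small parser for the client_access_log pattern Ben posted in reply 3, run over lines shaped like the one Liam posted in reply 4. The regex and the field names (`duration_ms`, `db_queries`, `principal`, `thread`, and so on) are my own mapping of the Tomcat pattern `%h %l %u %t "%r" %s %b %D %{count_db_queries}r %{query_execution_time}r [%{res_user_email}s] %I`; the sample lines are constructed, with a placeholder address in place of the redacted one and one stray circuits-log line mixed in to show what happens to input that does not match. The helpers pull out the server errors and slow requests and print the fields you would search for (thread name, timestamp, path) when chasing a 500 through the other log files.

```python
"""Parse IBM SOAR client_access_log lines and pick out the requests worth chasing.

Pattern being parsed (from the thread, may change between versions):
  %h %l %u %t "%r" %s %b %D %{count_db_queries}r %{query_execution_time}r [%{res_user_email}s] %I
Tomcat writes "-" for any value that is absent.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# One named group per pattern field, in order. Group names are this example's own.
_LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<duration_ms>\d+) '
    r'(?P<db_queries>\S+) (?P<db_time>\S+) \[(?P<principal>[^\]]*)\] (?P<thread>\S+)\s*$'
)


@dataclass
class AccessRecord:
    host: str
    time: datetime
    method: str
    path: str
    status: int
    bytes_sent: int            # %b, 0 when logged as "-"
    duration_ms: int           # %D, request processing time in milliseconds
    db_queries: Optional[int]  # %{count_db_queries}r, None when "-"
    db_time: Optional[int]     # %{query_execution_time}r, None when "-"
    principal: str             # %{res_user_email}s: e-mail or other identifier, "" when absent
    thread: str                # %I, the request thread name


def _opt_int(text: str) -> Optional[int]:
    return None if text == "-" else int(text)


def parse_access_line(line: str) -> Optional[AccessRecord]:
    """Return an AccessRecord, or None when the line does not follow the pattern."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return AccessRecord(
        host=m["host"],
        time=datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        method=m["method"],
        path=m["path"],
        status=int(m["status"]),
        bytes_sent=_opt_int(m["bytes"]) or 0,
        duration_ms=int(m["duration_ms"]),
        db_queries=_opt_int(m["db_queries"]),
        db_time=_opt_int(m["db_time"]),
        principal="" if m["principal"] == "-" else m["principal"],
        thread=m["thread"],
    )


def parse_log(lines: Iterable[str]) -> Tuple[List[AccessRecord], List[str]]:
    """Split input into parsed records and the raw lines that did not match (kept for review)."""
    records: List[AccessRecord] = []
    unparsed: List[str] = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_access_line(raw)
        if rec is None:
            unparsed.append(raw)
        else:
            records.append(rec)
    return records, unparsed


def server_errors(records: List[AccessRecord]) -> List[AccessRecord]:
    """Requests the server answered with a 5xx status."""
    return [r for r in records if 500 <= r.status <= 599]


def slow_requests(records: List[AccessRecord], threshold_ms: int = 1000) -> List[AccessRecord]:
    """Requests that took at least threshold_ms to process."""
    return [r for r in records if r.duration_ms >= threshold_ms]


def correlation_keys(rec: AccessRecord) -> dict:
    """Values to search for in the other SOAR logs when tracing one request."""
    return {"thread": rec.thread, "time": rec.time.strftime("%Y-%m-%d %H:%M:%S %z"), "path": rec.path}


# Constructed sample input: placeholder addresses, and the last line is a circuits-log
# line that has no business in this file and must be reported rather than silently dropped.
SAMPLE_LINES = """\
10.0.0.5 - - [16/Feb/2023:22:16:58 -0600] "GET /rest/orgs/201 HTTP/1.1" 200 1532 87 3 12 [analyst@example.com] https-jsse-nio2-443-exec-7
10.0.0.5 - - [16/Feb/2023:22:17:00 -0600] "PUT /rest/orgs/201/incidents/53344 HTTP/1.1" 500 680 4957 - - [e9faad2b-5983-494a-84a3-05add1378d20] https-jsse-nio2-443-exec-24
10.0.0.9 - - [16/Feb/2023:22:17:03 -0600] "POST /rest/session HTTP/1.1" 401 212 15 1 2 [-] https-jsse-nio2-443-exec-3
2023-02-17 04:17:00,679 CRITICAL [funct_gen_close_incident_tasks] 1092746:
"""

if __name__ == "__main__":
    records, unparsed = parse_log(SAMPLE_LINES.splitlines())
    for rec in server_errors(records):
        print("5xx:", rec.status, rec.method, rec.path, "->", correlation_keys(rec))
    for rec in slow_requests(records):
        print("slow:", rec.duration_ms, "ms", rec.method, rec.path, "db_queries=", rec.db_queries)
    for line in unparsed:
        print("unparsed:", line)
```

The thread name and the timestamp are the join keys: the access log only tells you that thread `https-jsse-nio2-443-exec-24` returned a 500 at 22:17:00, so those two values are what to grep for in the application logs listed on the support page to find the matching stack trace. Note that the bracketed field is a user identifier of some kind rather than an e-mail in Liam's line, so the parser keeps it as an opaque string instead of validating it as an address.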