Troubleshoot Engine Installation

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.6
Creation date
2022-09-29
Last date published
2024-07-30
End_of_Life
EoL
Category
Administrator Guide
Abstract

Troubleshoot failed engine installation.

After installing the engine, check that the XSOAR engine is connected to the main server and that it is running.

  1. Go to Settings > Integrations > Engines and verify that the engine is connected.

  2. If the engine is not connected, run the following command on the engine server to check if the engine service is running.

    sudo systemctl status d1

  3. Access the d1 log on the engine server.

    sudo tail -f /var/log/demisto/d1.log

    • If the engine service wasn’t running, and there’s nothing relevant in the log, run journalctl on the engine server to understand why the installation failed.

    • If the engine service is running, review the errors to see whether the engine is failing to connect or whether there are other issues. (Ignore all errors related to d2ws, since this is not the same as d1ws.) Most often, the server address is incorrect and you will see an error like this:

      error Cannot connect to [wss://<mainServerIP/HostName>/d1ws]: wss://<mainServerIP/HostName>/d1ws: dial tcp: lookup localhost: no such host. . Waiting 3 seconds. Will try until…

      In this case, open /usr/local/demisto/d1.conf and change the EngineURLs parameter to an address the engine can reach (such as the server's external address).

    Note

    You can ignore the following error: Cannot create folder ‘/var/lib/demisto’.

  4. To check the connectivity from the engine to the main server, see Troubleshoot Engine Connectivity.

  5. If the installation issue remains, open a support case with logs from the main server and engine.

    1. On the engine server, in /usr/local/demisto/d1.conf, set "LogLevel": "debug".

    2. On the main server, navigate to Settings > About > Troubleshooting and verify that the Log Level is set to Debug.

    3. Restart the d1 service and let it run for a few minutes.

      sudo systemctl restart d1

    4. On the main server, go to Settings > About > Troubleshooting > Download logs to download a log bundle.

    5. Capture the journalctl output:

      journalctl --since "1 day ago" > engineTroubleshootingJournalctl.log

    6. On the engine server, create a tar archive of the logs, configuration file, journalctl output, and install log.

      tar -cvzf engineLogs.tar.gz /var/log/demisto /usr/local/demisto/d1.conf /tmp/demisto_install.log engineTroubleshootingJournalctl.log
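
The log review in step 3, as an added example that is not part of the Cortex XSOAR documentation: a shell function that summarizes d1ws connection failures from d1 log text on stdin, skipping the d2ws and "Cannot create folder" errors the guide says to ignore. The function names, sample log lines, timestamps and hostname are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Reads d1 log text on stdin.

# Print "<count>\t<url>\t<reason>" for each distinct d1ws connection failure.
# Per the guide, d2ws errors and "Cannot create folder" are ignored.
d1_connect_failures() {
  awk '
    /d2ws/ || /Cannot create folder/ { next }
    {
      i = index($0, "Cannot connect to ["); if (!i) next
      tail = substr($0, i + 19)            # text after the "["
      j = index(tail, "]"); if (!j) next
      url  = substr(tail, 1, j - 1)
      rest = substr(tail, j + 1)
      # The message repeats the URL before the reason; drop that prefix.
      prefix = ": " url ": "
      if (index(rest, prefix) == 1) rest = substr(rest, length(prefix) + 1)
      # Drop the trailing retry notice (". . Waiting 3 seconds. ...").
      sub(/[. ]*Waiting .*/, "", rest)
      seen[url "\t" rest]++
    }
    END { for (k in seen) print seen[k] "\t" k }
  ' | sort -rn
}

# Exit 0 when any failure is the name-resolution error shown in the guide,
# which points at the EngineURLs value in /usr/local/demisto/d1.conf.
d1_address_problem() {
  d1_connect_failures | grep -q 'no such host'
}

# Constructed sample lines (timestamps and hostname are made up).
sample_d1_log() {
  cat <<'EOF'
2024-01-01 10:00:00 info Engine starting
2024-01-01 10:00:01 error Cannot create folder '/var/lib/demisto'
2024-01-01 10:00:02 error Cannot connect to [wss://xsoar.example.internal/d1ws]: wss://xsoar.example.internal/d1ws: dial tcp: lookup xsoar.example.internal: no such host. . Waiting 3 seconds.
2024-01-01 10:00:03 error Cannot connect to [wss://xsoar.example.internal/d2ws]: constructed d2ws error text
2024-01-01 10:00:05 error Cannot connect to [wss://xsoar.example.internal/d1ws]: wss://xsoar.example.internal/d1ws: dial tcp: lookup xsoar.example.internal: no such host. . Waiting 3 seconds.
EOF
}

sample_d1_log | d1_connect_failures
if sample_d1_log | d1_address_problem; then
  echo "Check EngineURLs in /usr/local/demisto/d1.conf"
fi
```

On an engine server, feed it the real log with `sudo cat /var/log/demisto/d1.log | d1_connect_failures`.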