Troubleshoot Engine Installation - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-24
Category: Administrator Guide
Solution: Cloud
Abstract

Troubleshoot a failed engine installation.

Note

If the installer fails to start due to a permissions issue, even if running as root, add one of the following two arguments when running the installer:

  • --target <path> - Extracts the installer files into the specified custom path.

  • --keep - Extracts the installer files into the current working directory (without cleaning at the end).

If using installer options such as -- -tools=false, the option should come after the --target or --keep arguments. For example:

sudo ./d1-installer.sh --target /some/temp/dir -- -tools=false

After installing the engine, check that the engine is connected to the Cortex XSOAR tenant and that it is running.

  1. Go to Settings & Info → Settings → Integrations → Engines and verify that the engine is connected.

  2. If the engine is not connected, run the following command on the engine server to check if the engine service is running.

    sudo systemctl status d1

  3. Access the d1 log on the engine server.

    sudo tail -f /var/log/demisto/d1.log

    • If the engine service wasn’t running, and there’s nothing relevant in the log, run journalctl on the engine server to understand why the installation failed.

    • If the engine service is running, review the errors to see if the engine is failing to connect or if there are other issues. (Ignore all errors related to d2ws, since this is not the same as d1ws.) Most often, the server address is incorrect and you will see an error like this:

      error Cannot connect to [wss://<mainServerIP/HostName>/d1ws]: wss://<mainServerIP/HostName>/d1ws: dial tcp: lookup localhost: no such host. . Waiting 3 seconds. Will try until…

      In this case, navigate to /usr/local/demisto/d1.conf and change the EngineURLs parameter to an address the engine can reach. Check the addresses at the beginning of the upgrade_engine.sh file and update them to be the same as in the conf file. The addresses should be a comma-separated list.

      Note

      You can ignore the following error: Cannot create folder '/var/lib/demisto'

      The configurations that might affect the upgrade_engine.sh script are the following variables located at the beginning of the script:

      • SERVER_URLS

      • TRUST_ANY_CERT

      If you make a change to the baseURLs configuration, you must apply the change both in /usr/local/demisto/d1.conf and in /usr/local/demisto/upgrade_engine.sh, under the SERVER_URLS variable.

      If you make a change in the engine.connection.trust_any_certificate configuration, you must apply the change in /usr/local/demisto/upgrade_engine.sh as follows:

      • If the engine.connection.trust_any_certificate configuration was set to true (trust any certificate), set the TRUST_ANY_CERT variable to -k.

      • If the engine.connection.trust_any_certificate configuration was set to false, the TRUST_ANY_CERT variable should be blank ("").

  4. To check the connectivity from the engine to the Cortex XSOAR tenant, see Troubleshoot Engine Connectivity.

  5. If the installation issue remains, open a support case with logs from the engine.

    1. On the engine server, in /usr/local/demisto/d1.conf, set "LogLevel": "debug".

    2. Restart the d1 service and let it run for a few minutes.

      sudo systemctl restart d1

    3. Capture the journalctl output:

      journalctl --since "1 day ago" > engineTroubleshootingJournalctl.log

    4. On the engine server, archive the log directory, the conf file, the journalctl output, and the install log.

      tar -cvzf engineLogs.tar.gz /var/log/demisto /usr/local/demisto/d1.conf /tmp/demisto_install.log engineTroubleshootingJournalctl.log
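The log-review rules from step 3 can be applied mechanically before opening a case. The following is an added example, not part of the original guide or the product: it drops the d2ws and /var/lib/demisto errors the guide says to ignore, then counts d1ws connection failures per URL. The function names, the output format, and the sample log lines (including the host xsoar.example.invalid and the timestamp layout) are constructed assumptions.

```shell
#!/bin/sh
# Added example: triage d1.log lines using the rules from this guide.
# Real d1.log line layout may differ; the sample lines below are constructed.

triage_d1_log() {
  # Reads log lines on stdin. Prints:
  #   CONNECT_FAIL <url> <count>   for each d1ws URL the engine could not reach
  #   OTHER_ERRORS <count>         for remaining error lines worth reading
  awk '
    /d2ws/ { next }                                     # guide: ignore d2ws errors
    /Cannot create folder .\/var\/lib\/demisto./ { next }  # guide: safe to ignore
    /Cannot connect to \[wss?:\/\/[^ ]*\/d1ws\]/ {
      match($0, /\[wss?:\/\/[^ ]*\]/)                   # bracketed URL in the message
      url = substr($0, RSTART + 1, RLENGTH - 2)         # strip the [ and ]
      conn[url]++
      next
    }
    tolower($0) ~ /error/ { other++ }
    END {
      for (u in conn) printf "CONNECT_FAIL %s %d\n", u, conn[u]
      if (other) printf "OTHER_ERRORS %d\n", other
    }
  '
}

sample_d1_log() {
  # Constructed sample input; not captured from a real engine.
  cat <<'EOF'
2024-04-24 10:00:01 info Starting engine
2024-04-24 10:00:02 error Cannot connect to [wss://xsoar.example.invalid/d1ws]: wss://xsoar.example.invalid/d1ws: dial tcp: lookup localhost: no such host. . Waiting 3 seconds.
2024-04-24 10:00:05 error Cannot connect to [wss://xsoar.example.invalid/d1ws]: wss://xsoar.example.invalid/d1ws: dial tcp: lookup localhost: no such host. . Waiting 3 seconds.
2024-04-24 10:00:06 error Cannot connect to [wss://xsoar.example.invalid/d2ws]: dial tcp: no such host
2024-04-24 10:00:07 error Cannot create folder '/var/lib/demisto'
2024-04-24 10:00:08 error Constructed unrelated failure
EOF
}

# Demo on the constructed sample; on an engine server, run instead:
#   sudo cat /var/log/demisto/d1.log | triage_d1_log
sample_d1_log | triage_d1_log
```

A CONNECT_FAIL line names the address to compare against the EngineURLs parameter in d1.conf and SERVER_URLS in upgrade_engine.sh.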