How to fetch logs for Cortex XSOAR
Cortex XSOAR keeps a detailed list of logs that are automatically generated when activities take place in the environment, such as when issues arise or for verifying system information.
Alexander Nachaj
Cortex XSOAR keeps a detailed list of logs that are automatically generated when activities take place in the environment, such as when issues arise or for verifying system information. These logs can be used to help your organisation troubleshoot any issues or oddities that might occur within your Cortex XSOAR application.
By default, logs are stored in the following location:
/var/log/demisto/
There are four kinds of logs that are generated here automatically:
| Log | Description |
|---|---|
| d1 | These logs are generated when the Cortex XSOAR Engine is running and contain information to debug engine related issues. In case the Engine isn't running properly, these logs will issue an alert. |
| d2 | These logs are generated when the Cortex XSOAR Agent is running and contain information to debug Agent related issues. In case the agent isn't installed properly, these logs will issue an alert. |
| elastic | These logs display all activities associated with the Elasticsearch and contain information to troubleshoot this feature. |
| server | These logs are generated by the server and detail activities performed by it. Issues with the server can be located here and sometimes in the UI as well. |
Note: To locate issues efficiently, you can filter with the “error” field.
Log Bundles
Logs can also be batched into bundles.
To retrieve logs, multiple files can be bundled together into a single zip file which can then be forwarded to the right support personnel to debug and troubleshoot. Any time you create a bundle, these will also appear in the same location where your logs are stored (/var/log/demisto/).
To go about creating your log bundle, follow these steps:
First, head to Settings > About > Troubleshooting.
There, click on Download logs.
When you do so, your bundle will contain the follow types of logs:
| Log | Description |
|---|---|
| bolt_stats | These logs contain information about the Bolt disk and index usage. |
| conf | These logs display the generic server configurations. |
| confdb | These logs display the current configuration of the database. |
| confserver | These logs display the configuration for the server. |
| content | These logs display all activities for the integrations, automations, and incidents. These will also be displayed in the server log. |
| env | These logs display the build number and version for the Cortex XSOAR app, along with the server and web-client version. |
| filesystem | These logs display how much free disk space remains on the system, along with the folders that Cortex XSOAR uses. If there is insufficient disk space, this can also be displayed. |
| go_stats | These logs display information that has been retrieved from the server environment, such as how many goroutines are used along with their location. |
| installedpack | These logs display the packs installed from the Marketplace. |
| license_data | These logs list all licensing information, including validation date, number of permitted users in the system, number of users currently in the system, etc. |
| ml | These logs list the programs used in the network along with their record of users, their access attempts, and other activities. |
| os | These logs display the usage of general system resources at the time of the log creation, such as kernel usage, memory usage, etc. |
| packsubscriptiosinfo | These logs display the marketplace subscription metadata, such as the status of each paid pad. |
| telemetry | These logs list the telemetry that Cortex XSOAR employs to collect usage data is enabled or disabled. |
| version_control | These logs display information about the version of Git, its location, commands supported by the installation, and more. |
| web-app | These logs display the currently active integrations and the data types in the system. |
| workers | These logs list the number of configured workers, the number that are busy, and those available. |
And there you have it. By following the steps listed above, you should have no issues accessing your XSOAR logs.
Palo Alto Networks maintains rich and updated documentation on their TechDocs repository. If you are looking more information on XSOAR Logs, please review Logs Overview and Create a Bundle Log.
Metron Labs is a Palo Alto Networks XSOAR Development partner. Metron builds certified XSOAR application/integration, publishes it in Cortex Marketplace, and maintains the integration for upgrades as well. In addition, Metron designs custom XSOAR playbooks.
If you are considering a XSOAR Development Partner that focuses on building a certified XSOAR application and maintaining your XSOAR playbooks, please send a note to connect@metronlabs.com
