After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Configure the logging levels for the action daemon
You can adjust the logging level for the action daemon running in Splunk SOAR (Cloud) to help debug or troubleshoot issues.
Splunk SOAR (Cloud) daemons
The following daemons in Splunk SOAR (Cloud) run in the background, independently of the web interface, to control collection and scheduling tasks:
Daemon | Description |
---|---|
Action daemon | Responsible for launching actions by putting into effect the appropriate app on the specified asset. Also responsible for the debug log that says what version of Python is being used. The debug log for Python 3 shows Running executable: spawn3. The following key actions are logged by this daemon: |
Decide daemon | Responsible for operating on incoming data. The following key actions are logged by this daemon: |
Ingest daemon | Responsible for ingesting data into the product. The following key actions are logged by this daemon: |
Proxy daemon | Responsible for communicating with Splunk mobile apps to register devices and send notifications to mobile users. This daemon is available only when the mobile app feature is enabled. |
Watchdog daemon | Responsible for tracking the status of other daemons and adding or removing them in the system startup list. The following key actions are logged by the watchdog daemon: |
Workflow daemon | Responsible for managing approval requests to action reviewers and asset owners. The following key actions are logged by the workflow daemon: |
Configure the logging level for the action daemon
Adjust the logging levels as needed to assist Support with troubleshooting any issues you might experience.
- From the main menu, select Administration.
- Select System Health > Debugging.
- Select a logging level for the action daemon. The log levels determine the message types that are written to each daemon's corresponding log file. The Debug level is the most verbose level of logging and is useful for troubleshooting. Only set the Action Daemon Log Level to Debug if you are actively troubleshooting an issue.
- Click Save Changes.
Example log structure
See the following sample of a common log format:
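Oct 5 22:55:18 localhost DECIDED[7177]: TID:7422 : WARNING: DECIDED : rules_engine.cpp : 1503 : DECIDED_CMD_PROCESS_CONTAINERS : All rules FAILED to process the container: 2964. Error: Playbook 'local/test11 (version: 1, id: 711)' cannot be executed since it is: NOT ACTIVE, ENABLED and VALID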
This table summarizes the structure of the example log message.
Log message content | Description |
---|---|
Oct 5 22:55:18 | Timestamp of when the log message was generated. |
localhost | Name of the host where the log message was generated. |
DECIDED[7177]: | Name of the component and process ID (PID) generating the message. |
TID:7422: | Thread ID (TID) of the message. |
WARNING: | Log level or class of the message. |
DECIDED: | Functional component that generated the log message. |
rules_engine.cpp: | Source file applicable to the log message. |
1503: | Line number in the source file that caused this log message to be generated. |
DECIDED_CMD_PROCESS_CONTAINERS: All rules FAILED to process the container: 2964. Error: Playbook 'local/test11 (version: 1, id: 711)' cannot be executed since it is: NOT ACTIVE, ENABLED and VALID | The log message. |
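
The field layout in the table above can be split mechanically, which helps when you review daemon logs outside the web interface. The following parser is an added example, not Splunk code: the regular expression is inferred from the one sample line on this page, and the second and third sample lines are constructed.

```python
import re

# Layout inferred from the single sample line on this page (an assumption).
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<process>[\w.-]+)\[(?P<pid>\d+)\]:\s+"
    r"TID:(?P<tid>\d+)\s*:\s*"
    r"(?P<level>[A-Z]+)\s*:\s*"
    r"(?P<component>\w+)\s*:\s*"
    r"(?P<source_file>[^\s:]+)\s*:\s*"
    r"(?P<source_line>\d+)\s*:\s*"
    r"(?P<message>.*)$"  # free text; may itself contain colons
)
INT_FIELDS = ("pid", "tid", "source_line")

def parse_line(line):
    """Return one log line's fields as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {k: int(v) if k in INT_FIELDS else v for k, v in m.groupdict().items()}

def select(lines, levels=("WARNING",)):
    """Split lines into parsed records at the wanted levels and unparsed lines."""
    hits, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # keep for review instead of dropping silently
        elif rec["level"] in levels:
            hits.append(rec)
    return hits, unparsed

SAMPLE = [
    # Sample line from this page.
    "Oct 5 22:55:18 localhost DECIDED[7177]: TID:7422 : WARNING: DECIDED : "
    "rules_engine.cpp : 1503 : DECIDED_CMD_PROCESS_CONTAINERS : All rules FAILED "
    "to process the container: 2964. Error: Playbook 'local/test11 (version: 1, "
    "id: 711)' cannot be executed since it is: NOT ACTIVE, ENABLED and VALID",
    # Constructed lines: a DEBUG record and a line in a different format.
    "Oct 5 22:55:19 localhost DECIDED[7177]: TID:7423 : DEBUG: DECIDED : "
    "example.cpp : 42 : constructed debug message",
    "Oct 5 22:55:20 localhost other[1]: constructed line in a different format",
]

if __name__ == "__main__":
    hits, unparsed = select(SAMPLE)
    print([(r["process"], r["level"], r["source_line"]) for r in hits], len(unparsed))
```

The timestamp in this layout carries no year or time zone, so add both from the collection context before correlating these records with other sources.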
This documentation applies to the following versions of Splunk® SOAR (Cloud): current