Monitoring and Maintenance
Chronicle SOAR Services To Monitor
Siemplify.Connectors.service – runs connectors inside Siemplify.
Siemplify.Server.ETL.DataProcessingEngine.service – responsible for the ingestion of the JSON cases that contain the raw alert event data.
Siemplify.Server.Indexer.service – indexes the data in the Siemplify platform.
Siemplify.Server.PlaybookActions.service – responsible for running playbooks (automation).
Siemplify.Server.PythonExecution.service – responsible for executing Python code; in other words, for all actions, jobs and connectors written in Python, this service makes sure the Python code runs correctly.
Siemplify.Server.service – responsible for the platform's server components, for example login, settings, etc.
Additional Services to Monitor
PostgreSQL – the database service, typically named ‘postgresql-10.service’.
Nginx – responsible for the web application interface.
Postfix – responsible for sending email.
Check status of each service
systemctl status <service_name>
For example: systemctl status Siemplify.Connectors.service
Obtain additional system logs
journalctl -u <service_name> -r
For example: journalctl -u Siemplify.Connectors.service -r
The following options are available:
‘-r’ to view the logs in reverse chronological order, newest at the top.
‘-u’ to show only the entries from a specific service.
‘-n 50’ to view only the last 50 entries.
‘-f’ to continue streaming the logs in real time.
‘--utc’ to view timestamps in UTC.
‘q’ to exit the pager.
To write the log output to a file, use the following command: journalctl -u Siemplify.Server.service -r > /tmp/service.txt
Note that BEFORE running these log commands, you need to set the host server timezone to UTC. The logs will then also appear with UTC timestamps (which may differ from the timezone of the local security analyst).
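A health-check script built from the commands above, added here as an example and not part of the Chronicle SOAR documentation. It assumes a systemd host and uses postgresql-10.service as the PostgreSQL unit name, which the page gives only as the typical name.

```shell
#!/bin/sh
# Added example, not from the Chronicle SOAR documentation: checks the units listed
# above with systemctl and captures journal entries for any that is not active.
# Assumes a systemd host; postgresql-10.service is the typical unit name given on
# the page and may differ on a given host.

SOAR_SERVICES="Siemplify.Connectors.service
Siemplify.Server.ETL.DataProcessingEngine.service
Siemplify.Server.Indexer.service
Siemplify.Server.PlaybookActions.service
Siemplify.Server.PythonExecution.service
Siemplify.Server.service
postgresql-10.service
nginx.service
postfix.service"

# journalctl invocation for one unit: newest first, last N entries, UTC timestamps.
journal_cmd() {
    printf 'journalctl -u %s -r -n %s --utc' "$1" "$2"
}

# Capture file for one unit, under /tmp as in the page's example.
log_path() {
    printf '/tmp/%s.txt' "$1"
}

# Returns 0 when every unit is active, 1 when at least one is not (its recent
# journal entries are written to the capture file), 2 when systemctl is missing.
check_soar_services() {
    entries="${1:-50}"
    failed=0
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl not found" >&2; return 2; }
    for svc in $SOAR_SERVICES; do
        state=$(systemctl is-active "$svc" 2>/dev/null || true)
        if [ "$state" = "active" ]; then
            echo "OK   $svc"
        else
            failed=1
            out=$(log_path "$svc")
            echo "FAIL $svc (${state:-unknown}) - saving last $entries entries to $out"
            $(journal_cmd "$svc" "$entries") > "$out" 2>&1 || true
        fi
    done
    return "$failed"
}

# Run the check when executed directly; the OK/FAIL lines are the report.
if check_soar_services "${1:-50}"; then
    echo "all monitored services are active"
fi
```

Run it from cron or by hand on the SOAR host; a FAIL line leaves the unit's recent journal in /tmp/<unit>.txt for the analyst to review.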
Logs
Webserver logs can be found in /var/log/nginx/, specifically the ‘access’ and ‘error’ logs.
DB logs are in /var/lib/pgsql/10/data/log/
Databases are at /var/lib/pgsql/10/data
More log paths:
Connector logs can be found at: /opt/siemplify/siemplify_server/Scripting/SiemplifyConnectorExecution/
Job logs can be found at: /opt/siemplify/siemplify_server/Scripting/SiemplifyJob/
Structure of Siemplify Logs is as follows
Postgres log configuration can be found at: /var/lib/pgsql/10/data/log
Databases
Tips:
- Chronicle SOAR uses Postgres, which listens on port 5432
- pgAdmin4 can be downloaded as a client to connect to the DB
- If you modify a table in the pgAdmin UI, press F6 to save the change
- From a terminal, ‘psql’ can also be used to connect to the DB
Siemplify_agents_db – Contains information about configured Publishers and Remote Agents.
Siemplify_command_center_db – Contains information for Command Center incidents.
Siemplify_configuration_db – Contains platform configuration parameters.
Siemplify_dashboards_db – Contains Dashboard data model and widget definitions.
Siemplify_entityexplorer_db – Contains custom entity properties?
Siemplify_homepage_db – Contains Analyst Homepage entries (contacts, notes, links, etc.).
Siemplify_integrations_db – Contains action, connector, and integration configurations.
Siemplify_jobs_db – Contains configured Job definitions, Job parameters, Job history, etc.
Siemplify_layout_view_db – Contains layout view element definitions.
Siemplify_metadata_db – Contains many of the configuration parameters available under Settings.
Siemplify_monitoring_db – Contains audit data, task history, playbook execution summary, and timing statistics.
Siemplify_notifications_db – Contains homepage announcements, User & System notifications.
Siemplify_ontology_db – Contains visual family definitions, field mappings, and Ontology data models.
Siemplify_orchestration_db – Contains playbook definitions and parameters.
Siemplify_queues_db – Contains the case ingestion queue, Indexer queue, and Workflow queue.
Siemplify_report_system_db – Contains report templates, report schedules, and report logs.
Siemplify_search_everything_db – Contains tables for searching and Tableau.
Siemplify_simulation_db – Contains simulated alert templates and test alerts created in the platform.
Siemplify_system_db – Contains alerts and cases ingested into the platform.
Siemplify_usecases_db – Includes use cases installed from the marketplace.
Jobs
Chronicle SOAR uses Jobs internally to execute monitoring tasks at defined intervals (essentially cron jobs). These can be accessed from the main screen by selecting the cog in the top right and selecting Jobs. Additional jobs can be written and will be scheduled for execution by Chronicle SOAR at any desired interval.
Path Exclusions
The following paths need to be excluded during scanning:
/opt/siemplify/
/var/lib/pgsql/10/data/