Technical Tip: Troubleshooting of Playbooks
Description
This article describes how to troubleshoot the playbooks in FortiAnalyzer.
Scope
FortiAnalyzer v7.2+.
Solution
To create a playbook, follow this KB article: Technical Tip: How to create a custom playbook using an event handler and creating an incident under FortiAnalyzer.
The following commands will provide the path for troubleshooting the playbook issues.
To run any enabled playbook under the CLI:
diagnose test application fazwatchd 10 trigger-playbook <ADOM_NAME> id=<playbook_uuid>
To review the running task report:
diagnose test application fazwatchd 5 <ADOM_NAME> <playbook_uuid>
For additional debugging:
diagnose debug application fazwatchd 255
diagnose debug enable
After the tests:
diagnose debug disable
diagnose debug reset
To restart the service:
diagnose test application fazwatchd 99 <----- Restart service.
If the trigger is supposed to happen from an event handler, use the following command:
diagnose test application fazalertd 200 notify
For additional debugging on the event handlers, review the following article:
Troubleshooting Tip: How to troubleshoot for event handler related issues.
Example:
FAZ8HG-1 # diagnose test application fazwatchd 5 please provide adom name FAZ8HG-1 # diagnose test application fazwatchd 5 root please provide playbook uuid from below: 09f72aeb-5175-4c1b-8505-2d3d39bccd03 (Bandwidth Exceeded Run Report) 8556e9b5-c067-404c-8b6b-1f5c8bba0656 (Indicator Enrichment) 1126c09a-9398-49e8-a843-644c8637f168 (creating_report) FAZ8HG-1 # diagnose test application fazwatchd 5 root 1126c09a-9398-49e8-a843-644c8637f168 please provide job id from below: runid_trig__2025-05-29T16:19:35.605382+02 runid_trig__2025-05-29T16:13:42.481672+02 runid_trig__2025-05-29T16:23:28.0+02:00 FAZ8HG-1 # diagnose test application fazwatchd 5 root 1126c09a-9398-49e8-a843-644c8637f168 <Integer> Var3. FAZ8HG-1 # diagnose test application fazwatchd 5 root 1126c09a-9398-49e8-a843-644c8637f168 runid_trig__2025-05-29T16:19:35.605382+02 please provide task id from below: task_soar_license generate_incident_report FAZ8HG-1 # diagnose test application fazwatchd 5 root 1126c09a-9398-49e8-a843-644c8637f168 runid_trig__2025-05-29T16:19:35.605382+02 task_soar_license [2025-05-29T16:19:39.479+0200] {task_command.py:426} INFO - Running <TaskInstance: 3_1126c09a-9398-49e8-a843-644c8637f168.task_soar_license runid_trig__2025-05-29T16:19:35.605382+02 [running]> on host FAZ8HG-1 FAZ8HG-1 # diagnose test application fazwatchd 5 root 1126c09a-9398-49e8-a843-644c8637f168 runid_trig__2025-05-29T16:19:35.605382+02 generate_incident_report [2025-05-29T16:19:44.527+0200] {task_command.py:426} INFO - Running <TaskInstance: 3_1126c09a-9398-49e8-a843-644c8637f168.generate_incident_report runid_trig__2025-05-29T16:19:35.605382+02 [running]> on host FAZ8HG-1 [2025-05-29T16:19:44.634+0200] {taskinstance.py:2905} ERROR - Task failed with exception soar_exception.SoarException: Invalid params: Error in parsing schedule params: parse object 'time-period' error [2025-05-29T16:19:44.668+0200] {standard_task_runner.py:110} ERROR - Failed to execute job 8033 for task generate_incident_report (Invalid params: Error in parsing schedule params: parse object 'time-period' error; 21460)
From the GUI side:
Notice:
If the 'airflow schedule+' process is utilizing a significant amount of CPU, it could indicate:
- Active Playbooks: There are currently active playbooks running that require substantial processing power.
- Complex Workflows: The playbooks being executed may involve complex workflows or large datasets.
- Potential Issues: There might be an issue with the playbook configuration or an excessive number of tasks being scheduled simultaneously.
Some points to consider:
- Review Playbooks: Check the playbooks that are currently running to see if they are expected to consume high CPU resources.
- Optimize Playbooks: Consider optimizing the playbooks to reduce their complexity or the amount of data they process.
- Disable Unnecessary Playbooks: If certain playbooks are not needed, consider disabling them to free up resources.
Related article: