FortiAnalyzer
vraev (Staff)
Article Id 395041
Description

This article describes how to troubleshoot playbooks in FortiAnalyzer.

Scope

FortiAnalyzer v7.2+.

Solution

To create a playbook, follow this KB article: Technical Tip : How to create a custom playbook using an event handler and creating an incident unde....

The following CLI commands provide a path for troubleshooting playbook issues. A playbook is addressed by the ADOM it belongs to and its UUID, and each execution of it by a run ID, so the commands below take <ADOM_NAME> and <playbook_uuid> as parameters.

 

To trigger any enabled playbook from the CLI:

diagnose test application fazwatchd 10 trigger-playbook <ADOM_NAME> id=<playbook_uuid>

To review the report of a playbook run, task by task. The command prompts for each missing argument and lists the valid values: first the playbook UUIDs in the ADOM, then the run IDs of that playbook, then the task IDs of that run, so it can be narrowed down step by step:

diagnose test application fazwatchd 5 <ADOM_NAME> <playbook_uuid> [<run_id>] [<task_id>]

 

For additional debugging, enable fazwatchd debug output at its highest verbosity (255) while reproducing the issue, for example by triggering the playbook again with the command above:

diagnose debug application fazwatchd 255

diagnose debug enable

After the tests, disable debugging and reset the debug levels so the daemon is not left logging at full verbosity:

diagnose debug disable

diagnose debug reset

 

To restart the fazwatchd service (the daemon that executes playbooks; use this as a last step, after the debug output has been collected):

diagnose test application fazwatchd 99

 

If the playbook is supposed to be triggered by an event handler, use the following command:

 

diagnose test application fazalertd 200 notify

 

For additional debugging on the event handlers, review the following article:

Troubleshooting Tip: How to troubleshoot for event handler related issues

 

Example:

 

FAZ8HG-1 # diagnose test application fazwatchd 5
please provide adom name

 

FAZ8HG-1 # diagnose test application fazwatchd 5 root
please provide playbook uuid from below:
09f72aeb-5175-4c1b-8505-2d3d39bccd03 (Bandwidth Exceeded Run Report)
8556e9b5-c067-404c-8b6b-1f5c8bba0656 (Indicator Enrichment)
1126c09a-9398-49e8-a843-644c8637f168 (creating_report)

 

FAZ8HG-1 # diagnose test application fazwatchd 5 root 1126c09a-9398-49e8-a843-644c8637f168
please provide job id from below:
 runid_trig__2025-05-29T16:19:35.605382+02
 runid_trig__2025-05-29T16:13:42.481672+02
 runid_trig__2025-05-29T16:23:28.0+02:00

 

FAZ8HG-1 # diagnose test application fazwatchd 5 root 1126c09a-9398-49e8-a843-644c8637f168
<Integer> Var3.

 

FAZ8HG-1 # diagnose test application fazwatchd 5 root 1126c09a-9398-49e8-a843-644c8637f168 runid_trig__2025-05-29T16:19:35.605382+02
please provide task id from below:
task_soar_license
generate_incident_report

 

FAZ8HG-1 # diagnose test application fazwatchd 5 root 1126c09a-9398-49e8-a843-644c8637f168 runid_trig__2025-05-29T16:19:35.605382+02 task_soar_license
[2025-05-29T16:19:39.479+0200] {task_command.py:426} INFO - Running <TaskInstance: 3_1126c09a-9398-49e8-a843-644c8637f168.task_soar_license runid_trig__2025-05-29T16:19:35.605382+02 [running]> on host FAZ8HG-1

 

FAZ8HG-1 # diagnose test application fazwatchd 5 root 1126c09a-9398-49e8-a843-644c8637f168 runid_trig__2025-05-29T16:19:35.605382+02 generate_incident_report
[2025-05-29T16:19:44.527+0200] {task_command.py:426} INFO - Running <TaskInstance: 3_1126c09a-9398-49e8-a843-644c8637f168.generate_incident_report runid_trig__2025-05-29T16:19:35.605382+02 [running]> on host FAZ8HG-1
 [2025-05-29T16:19:44.634+0200] {taskinstance.py:2905} ERROR - Task failed with exception
 soar_exception.SoarException: Invalid params: Error in parsing schedule params: parse object 'time-period' error
 [2025-05-29T16:19:44.668+0200] {standard_task_runner.py:110} ERROR - Failed to execute job 8033 for task generate_incident_report (Invalid params: Error in parsing schedule params: parse object 'time-period' error; 21460)

In this run the task_soar_license task started normally, but generate_incident_report failed: the SoarException shows that the report task's 'time-period' schedule parameter could not be parsed. The fix is to correct that parameter in the playbook task's configuration and trigger the playbook again.

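The session above reads the fazwatchd 5 output one task at a time. As an added example (not from this article and not Fortinet code), the following Python parses saved copies of that output offline: the "please provide playbook uuid from below" list, to map a playbook name to its UUID, and a per-task log, to tell a task that is still running from one that failed and to pull out the SoarException message. The sample strings are constructed from the session above, and the regular expressions and function names are this example's own assumptions about the output format, not a documented interface.

```python
"""Offline parser for 'diagnose test application fazwatchd 5' output.

Added example, not Fortinet code: the line formats below are inferred from
the CLI session in this article; the regexes and function names are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input, modelled on the session in the article (not captured live).
PLAYBOOK_LIST = """please provide playbook uuid from below:
09f72aeb-5175-4c1b-8505-2d3d39bccd03 (Bandwidth Exceeded Run Report)
8556e9b5-c067-404c-8b6b-1f5c8bba0656 (Indicator Enrichment)
1126c09a-9398-49e8-a843-644c8637f168 (creating_report)
"""

LICENSE_LOG = """[2025-05-29T16:19:39.479+0200] {task_command.py:426} INFO - Running <TaskInstance: 3_1126c09a-9398-49e8-a843-644c8637f168.task_soar_license runid_trig__2025-05-29T16:19:35.605382+02 [running]> on host FAZ8HG-1
"""

REPORT_LOG = """[2025-05-29T16:19:44.527+0200] {task_command.py:426} INFO - Running <TaskInstance: 3_1126c09a-9398-49e8-a843-644c8637f168.generate_incident_report runid_trig__2025-05-29T16:19:35.605382+02 [running]> on host FAZ8HG-1
 [2025-05-29T16:19:44.634+0200] {taskinstance.py:2905} ERROR - Task failed with exception
 soar_exception.SoarException: Invalid params: Error in parsing schedule params: parse object 'time-period' error
 [2025-05-29T16:19:44.668+0200] {standard_task_runner.py:110} ERROR - Failed to execute job 8033 for task generate_incident_report (Invalid params: Error in parsing schedule params: parse object 'time-period' error; 21460)
"""

# "[timestamp] {source.py:line} LEVEL - message" (assumed format, taken from the session).
LOG_LINE = re.compile(r"^\s*\[(?P<ts>[^\]]+)\]\s+\{(?P<src>[^}]+)\}\s+(?P<level>[A-Z]+)\s+-\s+(?P<msg>.*)$")
RUNNING = re.compile(r"Running <TaskInstance: (?P<dag>[^.\s]+)\.(?P<task>\S+) (?P<run>\S+) \[(?P<state>\w+)\]> on host (?P<host>\S+)")
JOB_FAILED = re.compile(r"Failed to execute job (?P<job>\d+) for task (?P<task>\S+)")
# Exception lines carry no timestamp prefix, e.g. " soar_exception.SoarException: ...".
EXCEPTION = re.compile(r"^\s*(?P<exc>[\w.]*(?:Exception|Error))\s*:\s*(?P<detail>.*)$")
CHOICE = re.compile(r"^\s*(?P<uuid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s+\((?P<name>.*)\)\s*$")


def parse_choices(text: str) -> dict:
    """Map playbook UUID -> playbook name from a 'please provide playbook uuid' listing."""
    out = {}
    for line in text.splitlines():
        m = CHOICE.match(line)
        if m:
            out[m["uuid"]] = m["name"]
    return out


def uuid_for(text: str, name: str) -> Optional[str]:
    """Return the UUID of the playbook called `name`, or None if it is not listed."""
    for uuid, n in parse_choices(text).items():
        if n == name:
            return uuid
    return None


@dataclass
class TaskResult:
    task: Optional[str] = None
    run_id: Optional[str] = None
    host: Optional[str] = None
    state: Optional[str] = None      # state shown in the TaskInstance line, e.g. "running"
    job_id: Optional[str] = None     # job number from "Failed to execute job N"
    errors: list = field(default_factory=list)
    exception: Optional[str] = None  # "<type>: <detail>" of the raised exception

    @property
    def status(self) -> str:
        # Any ERROR line or exception marks the task failed; otherwise report its last state.
        return "failed" if self.errors or self.exception else (self.state or "unknown")


def parse_task_log(text: str) -> TaskResult:
    """Summarise one task's log as returned by 'fazwatchd 5 <adom> <uuid> <run_id> <task_id>'."""
    r = TaskResult()
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            msg = m["msg"]
            if m["level"] == "ERROR":
                r.errors.append(msg)
            run = RUNNING.search(msg)
            if run:
                r.task, r.run_id, r.state, r.host = run["task"], run["run"], run["state"], run["host"]
            job = JOB_FAILED.search(msg)
            if job:
                r.job_id = job["job"]
            continue
        e = EXCEPTION.match(line)
        if e:
            r.exception = f"{e['exc']}: {e['detail']}"
    return r


def failed_tasks(logs: dict) -> list:
    """Given {task_id: log_text} for the tasks of one run, return the task ids that failed."""
    return [tid for tid, text in logs.items() if parse_task_log(text).status == "failed"]


if __name__ == "__main__":
    print("playbook uuid:", uuid_for(PLAYBOOK_LIST, "creating_report"))
    for tid, text in {"task_soar_license": LICENSE_LOG, "generate_incident_report": REPORT_LOG}.items():
        res = parse_task_log(text)
        print(f"{tid}: {res.status}" + (f" ({res.exception})" if res.exception else ""))
```

The parser treats any ERROR-level line or bare exception line as a failure, which is the same signal the session above gives: a healthy task shows only the INFO "Running <TaskInstance ...>" line, while the failing one adds the ERROR lines and the SoarException with the parameter that could not be parsed.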
From the GUI side, the same run and its task results can be seen in the playbook views:

[Image: FMG_playbook_run.png (playbook run)]

[Image: FMG_playbook_monitor.png (playbook monitor)]