Introduction
This article provides information on the steps to follow in case of integration issues in the response panel.
Response Debug
In Logsign's event management panel or alarm action rules, you can configure an action model with many security products. However, integration problems sometimes occur, for example because of authorization or network issues.
Let's explain this situation with some example scenarios:
- Your alarm is triggered, but IP blocking is not performed.
- Your alarm is triggered, but your user is not disabled.
- Your alarm is triggered, but you cannot use reputation platforms.
In such cases, first check the Logsign-integration-engine traffic logs and confirm from the traffic that Logsign is sending the request packet to these products. If something is blocking the request, configure the necessary permissions.
If you cannot view the traffic log, you can proceed as follows:
Many of Logsign's response products communicate over an API. The Logsign-integration-engine service handles this API communication.
You should check the Logsign-integration-engine service:
journalctl -u logsign-integration-engine -f
If it returns a result like the one shown in the image above, there is a network problem. In this case, you should check your integration settings.
You can check user authorization or network issues from the logsign-integration-engine service's output.
Let's explain the mail integration issues with an example:
If the mail notification is not sent even though the alarm was triggered, check the mail integration:
journalctl -u 'logsign-action-rule-worker*' -f
You should check the logsign-action-rule-worker service with the command above.
You can check for mail address errors or SMTP server access problems in these service logs.
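The following added example (not Logsign's own tooling) groups journal lines from the two services above into network, authorization and mail problems, so the cause is visible without reading the whole stream. The match phrases are generic error strings chosen as an assumption, not Logsign's documented log format, and the sample lines are constructed.

```shell
# Added example: classify journal lines by likely failure cause.
# Patterns are generic error phrases (assumption), not a documented Logsign format.
triage_line() {
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$line" in
        *"connection refused"*|*"timed out"*|*timeout*|*"no route to host"*|\
        *"name or service not known"*|*"network is unreachable"*)
            echo network ;;
        *unauthorized*|*forbidden*|*"authentication failed"*|\
        *"permission denied"*|*"invalid credentials"*|*" 401"*|*" 403"*)
            echo authorization ;;
        *smtp*|*"recipient address rejected"*|*"relay access denied"*)
            echo mail ;;
        *)
            echo other ;;
    esac
}

# Read log lines on stdin, print the tagged problem lines, then a summary.
triage_stream() {
    net=0; auth=0; mail=0; other=0
    while IFS= read -r l; do
        c=$(triage_line "$l")
        case "$c" in
            network)       net=$((net + 1)) ;;
            authorization) auth=$((auth + 1)) ;;
            mail)          mail=$((mail + 1)) ;;
            *)             other=$((other + 1)) ;;
        esac
        [ "$c" = other ] || printf '[%s] %s\n' "$c" "$l"
    done
    printf 'network=%d authorization=%d mail=%d other=%d\n' \
        "$net" "$auth" "$mail" "$other"
}

# Constructed sample lines, for illustration only.
sample_lines() {
    cat <<'EOF'
Jan 01 10:00:01 host logsign-integration-engine[101]: request to firewall API failed: Connection refused
Jan 01 10:00:02 host logsign-integration-engine[101]: HTTP 401 Unauthorized from directory API
Jan 01 10:00:03 host logsign-action-rule-worker[202]: SMTP error: Recipient address rejected
Jan 01 10:00:04 host logsign-action-rule-worker[202]: connect to mail server timed out
Jan 01 10:00:05 host logsign-integration-engine[101]: action completed
EOF
}

sample_lines | triage_stream
# Live use: journalctl -u logsign-integration-engine --since "1 hour ago" --no-pager | triage_stream
```

A mail line that fails with a connection error is counted as network, which matches the SMTP server access case described above.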