Knowledge Doc: [ESM] How to move locally archived data files to the remote NFS drive


Summary
When an NFS issue occurred, Logger archive data files were created in a local directory. This procedure describes how to move those archive data files from the local directories to the remote NFS directories.

Products
ArcSight Enterprise Security Manager (ESM)

Environment
ArcSight Logger - All versions

Situation
When an NFS issue occurred, Logger archive data files were created in the local /archive directory.
After the NFS issue was resolved, /archive was mapped to the remote NFS server again.

Configuration
- Software Logger on RHEL 7.9 with /archive mapped to a remote NFS server
- Logger daily archive settings and archive storage settings configured to use /archive

The archive data files that were written locally have to be moved to the remote NFS drive to free up local space, without disturbing the entries in Event Archives.

Resolution
If the NFS server issue occurred on Jul 18, the previous day's (Jul 17) archive data files were archived under the local /archive directory.

Check that a /20220717/ directory was created under the 648518346341351424 and 648518346341351425 directories in the local /archive directory. These files are the archived event data for Jul 17.
Also check that the /20220717/ directories were not created under the NFS-mounted /archive directory.

If so, follow the procedure below to resolve the issue.

1) Run a configuration backup, just in case.
For more detail, refer to the "Configuration Backup and Restore" section of the Administrator's Guide.
2) Stop the Logger services.
3) Unmount the /archive directory, if it is mounted.
4) Back up the files under the 648518346341351424 and 648518346341351425 directories, just in case.
5) Move the 648518346341351424 and 648518346341351425 directories, including their subdirectories and files, to a temporary directory.
6) Mount the NFS share on /archive.
7) Move the /20220717/ directories, including their files, from the temporary directory (step 5) to the 648518346341351424 and 648518346341351425 directories under the NFS-mounted /archive, respectively.
8) Start the Logger services.
9) Sanitize the Jul 17 Event Archive, just in case.
For more detail, refer to the "To sanitize an Event Archive:" section of the Administrator's Guide.
10) If the procedure above was successful, you may delete the backup files (step 4) and the temporary directory.
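
Step 7 can be scripted as a copy-verify-delete move so that a staged day directory is only removed once its copy on the NFS share matches. The script below is an added example, not part of the original article and not ArcSight tooling; the function names are hypothetical, and it assumes the temporary directory from step 5 holds the storage group directories directly.

```sh
#!/bin/sh
# Added example: step 7 as a copy-verify-delete move. Function names are
# hypothetical; this is not ArcSight tooling.

# True when $1 is on an NFS filesystem, so a failed mount in step 6 cannot
# send the files back into the bare local mount point.
on_nfs() {
    case "$(findmnt -n -o FSTYPE -T "$1" 2>/dev/null)" in
        nfs|nfs4) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<group>/<day>" for day directories staged but absent on the target.
stranded_days() {  # $1=staging root  $2=target root  $3=day (YYYYMMDD)
    for g in "$1"/*/; do
        g=$(basename "$g")
        [ -d "$1/$g/$3" ] && [ ! -e "$2/$g/$3" ] && echo "$g/$3"
    done
    return 0
}

# Copy one day directory, compare SHA-256 manifests, then drop the staged copy.
move_day() {  # $1=staging root  $2=target root  $3=group/day
    src="$1/$3"; dst="$2/$3"
    [ -d "$src" ] || { echo "missing source $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    mkdir -p "$(dirname "$dst")" && cp -a "$src" "$dst" || return 1
    a=$(cd "$src" && find . -type f -exec sha256sum {} + | sort -k2)
    b=$(cd "$dst" && find . -type f -exec sha256sum {} + | sort -k2)
    [ "$a" = "$b" ] || { echo "checksum mismatch for $3; staged copy kept" >&2; return 1; }
    rm -rf "$src"
}

# Step 7 for every storage group: relocate <staging> <nfs root> <day>
relocate() {
    on_nfs "$2" || { echo "$2 is not an NFS mount; aborting" >&2; return 1; }
    for d in $(stranded_days "$1" "$2" "$3"); do
        move_day "$1" "$2" "$d" || return 1
    done
}
```

After sourcing the file, a call such as relocate /tmp/archive_stage /archive 20220717 (the staging path is a constructed placeholder) covers every storage group in one pass and stops at the first directory that fails verification.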

Additional Information
If there are additional storage groups, Logger has each storage groups directory for archive da


URL Name
KM000009652
