Summary
When an NFS issue occurred, Logger archive data files were created in a local directory. This procedure describes how to move the archive data files from the local directories to the remote NFS directories.
Products
ArcSight Enterprise Security Manager (ESM)
Environment
ArcSight Logger - All versions
Situation
When an NFS issue occurred, Logger archive data files were created in the local /archive directory.
After resolving the NFS issue, /archive is mapped to the remote NFS server again.
Configuration
- Software Logger on RHEL 7.9 with /archive mapped to a remote NFS server
- Logger daily archive settings and archive storage settings configured to use /archive
The archive data files that were written locally have to be moved to the remote NFS drive to free up local space without disrupting the entries in Event Archives.
Resolution
If the NFS server issue occurred on Jul 18, the previous day's (Jul 17) archive data files were archived under the local /archive directory.
Check that a /20220717/ directory was created under each of the 648518346341351424 and 648518346341351425 directories in the local /archive directory. These files are the archived event data for Jul 17.
Also check that no /20220717/ directories were created under the NFS-mounted /archive directory.
If so, follow the procedure below to resolve the issue.
1) Run a configuration backup, just in case.
For more detail, refer to the "Configuration Backup and Restore" section of the Administrator's Guide.
2) Stop the Logger services
3) Unmount the /archive directory, if mounted
4) Back up the files under the 648518346341351424 and 648518346341351425 directories, just in case
5) Move the 648518346341351424 and 648518346341351425 directories, including their subdirectories and files, to a temporary directory.
6) Mount the NFS mount on /archive
7) Move the /20220717/ directories, including the files under them, from the temporary directory (step 5) to the 648518346341351424 and 648518346341351425 directories under the NFS-mounted /archive, respectively
8) Start the Logger services
9) Sanitize the Jul 17 Event Archive, just in case.
Please refer to the "To sanitize an Event Archive:" section of the Administrator's Guide for more detail.
10) You may delete the backup files (step 4) and the temporary directory if the above procedure was successful
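Step 7 for one storage-group directory, as an added example that is not part of the original article or any vendor tooling: it copies one day's directory from the temporary directory to the NFS side, compares SHA-256 manifests, and removes the source only after they match. The function names, return codes, the .partial suffix and the REQUIRE_MOUNT switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code). Assumptions: STAGING is the temporary
# directory from step 5, NFS_ROOT is the re-mounted /archive from step 6.
# Usage: move_archive_day STAGING NFS_ROOT GROUP_ID YYYYMMDD
# REQUIRE_MOUNT=0 skips the mount check (only for dry runs on scratch dirs).

manifest() {
  # SHA-256 of every file under $1, keyed by relative path, in stable order
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

move_archive_day() {
  staging=$1; nfs=$2; group=$3; day=$4
  src="$staging/$group/$day"; dst="$nfs/$group/$day"

  case "$day" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "invalid day: $day" >&2; return 2 ;;
  esac
  if [ ! -d "$src" ]; then echo "missing source: $src" >&2; return 3; fi
  # Never merge into an archive day that already exists on the NFS side
  if [ -e "$dst" ] || [ -e "$dst.partial" ]; then
    echo "exists, not overwriting: $dst" >&2; return 4
  fi
  # Guard against writing to the bare local directory if the mount failed
  if [ "${REQUIRE_MOUNT:-1}" = 1 ] && ! mountpoint -q "$nfs"; then
    echo "not a mount point: $nfs" >&2; return 5
  fi

  mkdir -p "$nfs/$group" || return 6
  before=$(manifest "$src") || return 6
  # -a keeps mode, timestamps and (when run as root) the original owner
  cp -a "$src" "$dst.partial" || { rm -rf "$dst.partial"; return 6; }
  after=$(manifest "$dst.partial")
  if [ "$before" != "$after" ]; then
    echo "checksum mismatch, source left in place: $src" >&2
    rm -rf "$dst.partial"; return 7
  fi
  # Publish under the final name only after verification, then free local space
  mv "$dst.partial" "$dst" && rm -rf "$src"
}
```

Call it once per storage-group directory, for example with group 648518346341351424 and day 20220717, while the Logger services are still stopped.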
Additional Information
If there are additional storage groups, Logger has each storage groups directory for archive da
URL Name
KM000009652