ESM archive?

Hello,

I keep enduring the same issue every 6 months. My ESM archive fills up and I receive email alerts that my /opt/arcsight/logger/data/archives directory has filled up. However, when viewing the Storage tab in ESM Command Center, my default storage group current size is 355 and maximum size is 900. I put a ticket in and all they say is to move files in that directory to another location. Well, I am unable to search on events if I do that. I need to report on events in the past 30 days. Each folder in that directory is about 25 GB. Archives are currently failing and I do not have my 30 days of events.

I do not understand why my directory is full when the current size is not equal to or close to my maximum size displayed in Command Center.

What is the point in archiving? Benefits? 

Thanks ArcSight members!


Re: ESM archive?

Hi 

Are you leaving the folder structure after archiving or do you delete the folder completely?

As far as I know, if ArcSight can see the folder name it thinks that all files are in there. Only if you delete the folder completely will it "release" the space.

It has something to do with ArcSight keeping an internal list of how much space every folder occupies, and if the folder is present then ArcSight thinks the space is taken.

/Per 


Re: ESM archive?

I move the folders to another location on the opt directory.  I only have 13 folders in the /opt/arcsight/logger/data/archives directory taking 314GB of space.  But I can't archive....?


Re: ESM archive?

Check the logger.archive.space.allocated-in-gb parameter in opt/arcsight/logger/current/arcsight/logger/user/logger/logger.properties. It should be 200 by default and you can increase it. A service restart is required after changing the parameter.


Re: ESM archive?

Hi John,

The only solution for you at this moment, since you really need those archives, is to have a dedicated partition or network storage mounted to the same point, /opt/arcsight/logger/data/archives.

Keep the same structure of the folder and ownership and you will be able to search the data.

Doing this, the ESM will not take into consideration the space utilised by the archive directory since they are not physically part of the /opt/arcsight location, and for that set logger.archive.space.allocated-in-gb to 0 in /opt/arcsight/logger/current/arcsight/logger/user/logger/logger.properties.

Regarding your current process, “move files in that directory to another location”, make sure that you are moving only the offline archives, not the online ones.

All the best,

Daniel
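
The checks suggested in the replies above can be run in one pass. This is an added example, not part of the thread and not vendor code: it reads logger.archive.space.allocated-in-gb from logger.properties, measures the archives directory, and checks whether that directory sits on its own mount. The function names and status labels are invented here, and flagging a value of 0 on a shared filesystem follows the last reply, not product documentation.

```shell
#!/bin/sh
# Added example (not vendor code). Paths and the property name are the ones quoted
# in the thread; the status labels and function names are made up for this sketch.
PROPS=${PROPS:-/opt/arcsight/logger/current/arcsight/logger/user/logger/logger.properties}
ARCHIVES=${ARCHIVES:-/opt/arcsight/logger/data/archives}
KEY=logger.archive.space.allocated-in-gb

# Print the value of $KEY from a properties file (last assignment wins, comments ignored).
archive_alloc_gb() {
    awk -F= -v k="$KEY" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/[ \t\r]/, "", val); out = val }
        END { if (out != "") print out }' "$1"
}

# Print the space used under a directory, in KB.
archive_used_kb() { du -sk "$1" | awk '{ print $1 }'; }

# Print "yes" if the directory's mount point differs from its parent's, else "no".
archive_on_own_fs() {
    here=$(df -P "$1" | awk 'NR == 2 { print $NF }')
    parent=$(df -P "$1/.." | awk 'NR == 2 { print $NF }')
    if [ "$here" != "$parent" ]; then echo yes; else echo no; fi
}

# Classify: $1 = allocation in GB (may be empty), $2 = used KB, $3 = yes/no own filesystem.
archive_status() {
    case "$1" in
        '') echo UNSET; return ;;
        *[!0-9]*) echo INVALID; return ;;
    esac
    if [ "$1" -eq 0 ]; then
        # The last reply pairs 0 with a dedicated mount, so flag 0 on a shared filesystem.
        if [ "$3" = yes ]; then echo ZERO_DEDICATED_FS; else echo ZERO_SHARED_FS; fi
    elif [ "$2" -ge $(( $1 * 1048576 )) ]; then
        echo OVER_ALLOCATION
    else
        echo WITHIN_ALLOCATION
    fi
}

archive_report() {
    alloc=$(archive_alloc_gb "$1")
    used=$(archive_used_kb "$2")
    echo "allocated=${alloc:-unset}GB used=$(( used / 1048576 ))GB status=$(archive_status "$alloc" "$used" "$(archive_on_own_fs "$2")")"
}

if [ -r "$PROPS" ] && [ -d "$ARCHIVES" ]; then archive_report "$PROPS" "$ARCHIVES"; fi
```

With the figures from the thread (314 GB in the directory against the 200 GB default), `archive_status` reports `OVER_ALLOCATION`.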
