aritra

Moving event archives to remote location

In a live scenario, we eventually need to move event archives (that have aged off) from our Logger or ESM setup to external storage in order to adhere to compliance. I believe these events are no longer searchable, but can be retrieved by loading or making them searchable using the respective user interfaces.

Now, this is an excerpt from ESM's Command Center Guide: "Archives are ordinary directories containing a day's events. Use basic operating system file commands to move the /opt/arcsight/logger/data/archives directories to another location, and to move them back at a later point."

And this one's from Logger: "Do not move the archived files from their archive location. The archives that have been moved from the originally archived location cannot be loaded on to the Logger. If you need to delete the archives, use the Logger user interface to do so."

Does this mean that it is possible to move archives to a remote location in CORR-E but not in Logger? Has anyone tried and faced this issue?

Thanks!

Aritra Gautam

Jay_Hung

Re: Moving event archives to remote location

Hi Aritra,

In my experience, it's possible to move archives to a remote location in both ESM with CORR-E and Logger. Moving event archives to a remote location is a normal process. But remember to keep the archive listed in Logger. When you want to "restore" (enable) the archive, just move it back from the remote location to the original archive location you moved it from.

Hope it is helpful to you.

Jay.

manyanwu@arcsig1

Re: Moving event archives to remote location

Hi Aritra,

I believe the comments "Do not move the archived files from their archive location. The archives that have been moved from the originally archived location cannot be loaded on to the Logger. If you need to delete the archives, use the Logger user interface to do so" applied to Logger .5.1 or earlier versions, and may not have been updated in the current/latest Logger release (assuming you're quoting from the latest Logger doc (Logger 6 and above)).

Moving archived Logger data off of Logger 6 and above should be OK.

*the above is my 2 cents*

Hope it helps

Michael
