Question about event backup.
Official guide here:
But as Deepak comments - if you are interested in the content (such as users, roles, rules, reports, filters etc.), you can just use a package and add what you need. If you need to back up the system and the events themselves, you will need the guide above for this.
One word of caution though - if you turn on archiving AND you keep those files somewhere else (such as on a separate filesystem or server), you have YESTERDAY'S log data! That means you can turn on archiving and have yesterday's logs saved for you automatically. It's a running process and effectively is a daily backup of the logs. If you have archives and the system configuration (see the guide above), you can easily recover the system and use the archives for access to the log data. It's not quite the same as a daily backup (hence the reason why it's called an archive), but it does work and is very simple.
Thanks for your answer. I did exactly what you suggest about the ArcSight resources, but my question was about the actual logs that the Express is receiving / pulling.
So is it possible then to have the logs in the "new" Express (exact model and versions)? I believe support says that the metadata is not compatible.