I need to know where the Case Data goes in the ESM. We have a requirement of preserving Cases for a period of 10 years (tape drive, hard disks, etc.). Our retention policy is 120 days (30 days online and 90 days archived). We need to retrieve all the cases and take a backup of them. Kindly advise.
Re: Case Management
ESM 5.0 introduces new functionality which allows the events associated with cases to be preserved beyond the usual retention period, when events would normally be archived.
This feature is enabled by default during installation and affects all Cases, rather than specific cases or events. During an upgrade to ESM 5.0, all existing Case events are copied from active partitions to the preserved event tables.
Note: There is a 30-minute timeout for the event preservation task during the upgrade.
If there is an issue during upgrade, this feature may be enabled after installation by running the following command from <ARCSIGHT_HOME>/bin:
With Preserve Case Events enabled, when events are added to cases (if the event is not already preserved) the event is copied from arc_event to arc_event_p tables. Event annotations and payloads will be automatically cloned to the preserved tables. Events will stay in the preserved tables until they no longer belong to any case.
The preserved event tables are:
These tables use the same indexing as the standard event tables: ET, MRT, ID.
As per ArcSight standard procedure on backup, you need to backup System configuration + arcsight database (oracle hot backup or cold backup).
During ArcSight system recovery in any case, if you have ArcSight system configuration and full arcsight database backup and redo archives from Oracle database then it's possible to restore.
I have a thought but never tested:
Export only the preserved tables. On a test system, import the ArcSight system configuration and import the preserved tables. Not sure how this works; let me know if anyone has tried this or has other thoughts on backing up only the case tables and trend tables.
Re: Case Management
Thanks for the response. One question though. How do I know that cases are already being preserved? Our retention period is 120 days (30 Days online and 90 days Inactive).
If they are being preserved to the arc_event_p tables, what is the default size of the table? I am unable to find KB 3223; if you have a copy of it, then please share.
Appreciate your response.