Event and Raw Data Migration in Sentinel
Problem and limitations:
Limitation with the current utilities available in Sentinel server:
- The "backup_util.sh" script under the bin directory can only back up and restore on the same Sentinel version.
- Backup and restore with this script also takes longer than the approach described below.
Limitation with "Slink Integrator and Slink Action":
- A user can run a search in the Sentinel UI and use an event action to forward the events to another Sentinel server using the Slink Integrator and action.
- This approach has performance limitations. Events are forwarded in batches of a specific size: a search returns 50k events by default, and only that many can be forwarded in one shot.
The following approach migrates both the event data and the raw data and avoids the limitations described above:
Sentinel Event and Raw data Migration:
- Sentinel stores the primary storage partitions in the /var/opt/novell/sentinel/data/eventdata directory, which is on the local file system.
- Copy all the partitions from the source location to the same location on the target server. (Make sure the copied partitions have Novell permission set.)
- Log in to the target Web UI-->Storage-->Events.
- Refresh the UI to load the restored partitions under Web UI-->Storage-->Events “Restored Data”, select all the partitions and click “Apply”.
The Slink connector does not store the raw data during this process of migration. Hence, we do not recommend the Slink approach for migration.
In other words, if you forward the events from the source server using the Slink Integrator, you will not see on the target server where the respective raw data file is stored.
To migrate the raw data, use the following approach:
- Sentinel stores the primary storage raw data files in the /var/opt/novell/sentinel/data/rawdata/online directory, which is on the local file system.
- Copy all the subdirectories under rawdata/online from the source setup to the same location on the target setup. (Make sure all the directories have Novell permission.)
- Use the backup utility script to back up the configuration data and restore it in the target setup. (You may need to choose other options in the backup utility script to back up other configuration data, e.g. Alerts, SI, Netflow with option -i.)
Backup in source setup:
./backup_util.sh -c -m backup -f /home/novell/config.tar.gz
Restore in target setup:
./backup_util.sh -m restore -f /home/novell/config.tar.gz
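
One way to confirm that the copied eventdata and rawdata/online trees arrived intact and with the expected owner before applying them in the target UI. This is an added example, not part of Sentinel or of the original article; the function names are hypothetical, and it assumes that "Novell permission" means ownership by the novell user and that sha256sum is installed.

```shell
#!/bin/sh
# Added example, not part of Sentinel. Run it where both trees are readable,
# or run manifest on each server and diff the two outputs.
# Assumption: "Novell permission" means ownership by the "novell" user.

# manifest DIR: one "sha256  ./relative/path" line per file, sorted by path.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# verify_copy SRC DST: succeed only if both trees hold identical files.
verify_copy() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    [ "$(manifest "$1")" = "$(manifest "$2")" ]
}

# not_owned_by DIR USER: print every entry under DIR not owned by USER.
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# check_migration SRC DST USER: run both checks and report a verdict.
check_migration() {
    if ! verify_copy "$1" "$2"; then
        echo "MISMATCH: $2 differs from $1" >&2
        return 1
    fi
    bad=$(not_owned_by "$2" "$3")
    if [ -n "$bad" ]; then
        echo "WRONG OWNER under $2:" >&2
        echo "$bad" >&2
        return 1
    fi
    echo "OK: $2"
}

# Usage: sh verify_migration.sh SRC_DIR DST_DIR [OWNER]
# Run once for eventdata and once for rawdata/online.
if [ "$#" -ge 2 ]; then
    check_migration "$1" "$2" "${3:-novell}"
fi
```

A mismatch or a wrongly owned file is cheaper to catch here than after the partitions have been applied under "Restored Data".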