Stopping Event Ingestion for the ArcSight Database

If your environment has the ArcSight Database deployed or you are replacing an existing instance of the database, you must perform this group of procedures before upgrading the database or installing the new instance. To prevent the upgraded or replaced database from ingesting duplicate data, this process stops some services and creates a script for assessing the status of event processing. For example, you need to stop the Kafka scheduler and pause the database’s watchdog service to prevent it from restarting the Kafka scheduler in the database.

The database ingests events using the Kafka scheduler. You need to know whether the database that you want to upgrade or replace has the most current events or is still processing a backlog of events so that you can stop all the components once they have read the same messages. To identify whether the scheduler is current, you must review the offset values that are based on the number of partitions in the mf-event-avro-enriched topic. The offset indicates how far apart the deployed capabilities and the database are when reading from the topic.
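The per-partition comparison described above can be sketched as follows. This is an added example, not the script that the product procedure creates; the `topic:partition:offset` line format, the sample values, and the function names are assumptions made for illustration, and both snapshots are assumed to use the same offset convention.

```python
TOPIC = "mf-event-avro-enriched"

# Constructed sample snapshots (not real output): one line per partition.
TOPIC_END = """\
mf-event-avro-enriched:0:1500
mf-event-avro-enriched:1:1498
mf-event-avro-enriched:2:1502
some-other-topic:0:10
"""
DB_READ = """\
mf-event-avro-enriched:0:1500
mf-event-avro-enriched:1:1490
"""

def parse_offsets(text, topic=TOPIC):
    """Parse 'topic:partition:offset' lines into {partition: offset} for one topic."""
    offsets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, part, off = line.rsplit(":", 2)
        if name == topic:
            offsets[int(part)] = int(off)
    return offsets

def partition_lag(topic_end, db_read):
    """Return {partition: lag}. None marks a partition with no database offset."""
    lag = {}
    for part in sorted(topic_end):
        read = db_read.get(part)
        # Clamp at 0: a negative gap only means the snapshots were taken at different times.
        lag[part] = None if read is None else max(topic_end[part] - read, 0)
    return lag

def is_current(lag):
    """True only when every partition is known and has zero lag."""
    return bool(lag) and all(v == 0 for v in lag.values())

if __name__ == "__main__":
    lag = partition_lag(parse_offsets(TOPIC_END), parse_offsets(DB_READ))
    for part, behind in lag.items():
        print(f"partition {part}: {'no offset reported' if behind is None else behind}")
    print("database is current" if is_current(lag) else "database still has a backlog")
```

A partition that the database side does not report is treated as not current rather than as zero lag, so a missing entry cannot be mistaken for a caught-up reader.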