Import Logger Events

Not available to customers in the ArcSight SaaS environment.

Select Configuration > Import Logger Data > Logger Data Import.

This option lets you bring events from a Logger instance into the ArcSight Database and search them there. Because the import consumes both time and resources, import only the time ranges you actually need.

Before you can migrate Logger data, you must import the metadata that defines it.

 

Import Archived Events

Before importing archived events, make sure the corresponding preparation on the Logger side has been completed first.

  1. Select Configuration > Import Logger Data > Logger Data Import.

  2. Click +.

  3. Select the Logger host of your preference.

    You can choose only one host at a time.

  4. Specify the time range that you want to import, following these considerations:

    • The time range is based on receipt time.
    • Enter the range in UTC: convert the start and end times from your browser time zone (or the selected time zone) to UTC.

      That way, once the data is imported, you can search it using the original browser time or selected time zone and get the events you expect.
    • The minimum time range you can import is 1 day.
    • Specify dates in the past. A range that extends into the future imports no events and causes problems the next time you try to import data for this Logger.
    • Overlapping dates cause an error. If this is not the first import from this Logger instance, choose a time range that does not overlap any range already imported. To see the start and end dates already present in the ArcSight Database for the host, check the migrations table as described in Review Migration Details.
  5. Click Import.

  6. To check the import progress, view the Import Status column.

    The import can take a considerable amount of time, depending on the number of events in the selected time range.

  7. (Optional) If the import is interrupted, you can attempt to resume the process.

    Alternatively, you can delete an incomplete migration.
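The rules in step 4 (enter the range in UTC, at least 1 day, past dates only, no overlap with ranges already present for the same host in the migrations table described under Review Migration Details) can be checked before you click Import. The following Python is an added example, not ArcSight code: the migration rows, the host names and IPs, and the fixed UTC-5 browser offset are constructed placeholders, and the assumption that a Failed row still blocks its range is noted in the code.

```python
# Added example, not ArcSight code: a pre-flight check that applies the
# time-range rules of the Import Archived Events procedure to a requested
# import, against rows shaped like the migrations table. All rows below are
# constructed sample data; hosts and IPs are placeholders.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo


@dataclass(frozen=True)
class Migration:
    """One row of the migrations table (only the columns the check needs)."""
    logger_host: str
    data_start: datetime   # UTC, earliest possible event
    data_end: datetime     # UTC, latest possible event
    import_status: str     # Initialized / In progress / Complete / Failed


def utc_dt(y: int, m: int, d: int, h: int = 0) -> datetime:
    """Aware UTC timestamp, as stored in the migrations table."""
    return datetime(y, m, d, h, tzinfo=timezone.utc)


def local_dt(y: int, m: int, d: int, h: int = 0) -> datetime:
    """Naive timestamp as a user would read it off the browser clock."""
    return datetime(y, m, d, h)


# Fixed offset standing in for the browser / selected time zone (assumption).
BROWSER_TZ = timezone(timedelta(hours=-5))

# Constructed sample rows standing in for the migrations table.
SAMPLE_MIGRATIONS = [
    Migration("192.0.2.10", utc_dt(2023, 1, 1), utc_dt(2023, 1, 31), "Complete"),
    Migration("192.0.2.10", utc_dt(2023, 3, 1), utc_dt(2023, 3, 5), "Failed"),
    Migration("logger6.extremelyfocused.com", utc_dt(2023, 1, 1), utc_dt(2023, 2, 1), "Complete"),
]


def to_utc(local: datetime, tz: tzinfo) -> datetime:
    """Interpret a naive browser-local timestamp in tz and convert it to UTC,
    which is what the import dialog expects."""
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def check_import_range(host, start_local, end_local, tz, migrations, now=None):
    """Return the list of rule violations; an empty list means the range is safe to import."""
    now = now or datetime.now(timezone.utc)
    start, end = to_utc(start_local, tz), to_utc(end_local, tz)
    problems = []
    if end <= start:
        problems.append("end must be after start")
    elif end - start < timedelta(days=1):
        problems.append("minimum importable range is 1 day")
    if end > now:
        problems.append("range extends into the future; it would import no events")
    # Overlap check against every existing row for this host. The page says
    # overlapping dates are rejected and that a Failed import must be deleted
    # before retrying, so Failed rows are assumed to still block their range.
    for m in migrations:
        if m.logger_host != host:
            continue
        if start < m.data_end and m.data_start < end:
            problems.append(
                f"overlaps existing {m.import_status} import "
                f"{m.data_start:%Y-%m-%d}..{m.data_end:%Y-%m-%d} (UTC)"
            )
    return problems


if __name__ == "__main__":
    # A request typed as browser-local 2023-02-01 .. 2023-02-10 for the first host.
    print(check_import_range("192.0.2.10", local_dt(2023, 2, 1), local_dt(2023, 2, 10),
                             BROWSER_TZ, SAMPLE_MIGRATIONS, now=utc_dt(2024, 1, 1)))
```

Run it with the start and end you intend to type into the dialog and the rows you see in the migrations table; any non-empty result is a reason to adjust the range before importing rather than after the job fails.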

 

Review Migration Details

Note: Ensure that you comply with the prerequisites before importing data. For more information, see Prerequisites and Considerations for Importing Logger Data in the guide corresponding to your deployment:

The migrations table displays the most relevant information about all executed imports. For each migration, the system records the following details:

Logger Host
Represents the Logger IP address or host name. For example, 192.0.2.10 or logger6.extremelyfocused.com.
Data Start Date
Indicates the absolute date of the earliest possible event.
Data End Date
Indicates the absolute date of the latest possible event.
Import Date
Indicates the migration date and time displayed in the ArcSight Database timezone.
Import Status

Indicates the status of the import process.

  • Initialized: The verification of the archives corresponding to the requested time range is being performed.
  • In progress: Import is still in progress. Archived events are being extracted, read and sent to the ArcSight Database.
  • Complete: Successfully imported the data.
  • Failed: The archives are inaccessible, which can be caused by:

    • An unresponsive mount

    • A network connectivity issue

    • A user who doesn't have the correct access permissions

    • Data that could not be decompressed

Event Count
Indicates the number of events migrated. This number increases automatically as the process continues.
Logger Host User Name
Indicates the OS username associated with the Logger host.
Data Import ID
Represents the unique identifier for the event migration. You must have this value to delete a migration.
 

To review details about an executed migration, see the logs in the /opt/vertica/udfs/datamigration/logs/ directory.

After events have been imported, either Logger or ArcSight Platform will manage the retention policy depending on the state of the Logger processes.

Resume an Incomplete Migration

A migration might be interrupted if access to the mount or data file is affected in any way during the process: an unresponsive mount, a network connectivity issue, a user who doesn't have the correct access permissions, data that couldn't be uncompressed, etc.

An incomplete migration can be resumed. The process continues from the last migrated point, so previously migrated data is not lost.

  1. Select the migrations that you want to resume.

  2. Click the resume icon.

A migration that still appears incomplete after being resumed at least once might indicate that the data cannot be migrated because it is corrupted.

Check the logs for any related messages, and contact support to help finish the migration.

Delete Incomplete or Failed Migrations

A migration might fail to complete: for example, its status is Failed, or it shows Complete but contains no events. In these cases, delete the migration and then try again.

  1. Select the migrations that you want to delete.

  2. Click the delete icon.