Import Logger Data
Does not apply in a SaaS environment
This option will allow you to bring events from a Logger instance to the ArcSight Databse and perform searches over the migrated data. Since this is process consumes both time and resources, consider migrating only data in necessary time ranges.
Import Data
Before importing data, review Prerequisites for Importing Logger Data.
-
Select Configuration > Import Logger Data > Logger Data Import.
-
Click .
-
Select the Logger host of your preference.
You can choose only one host at a time.
-
Specify the time range that you want to import.
- The time range is based on receipt time.
- The migration only allows you to migrate a minimum time range of 1 day.
- Specify a date in the past. You cannot import data for future dates as it will import no events and will cause issues when you try to import new data again.
- Overlapping dates will cause an error message. If this is not the first import of this Logger instance, ensure to select a time range different than the one already imported.
-
Click .
-
To check the import progress, view the column.
The import will take a considerable amount of time, based on the quantity of events that are present in the time range selected.
-
(Optional) If the import is interrupted, you can attempt to resume the process.
Alternatively, you can delete an incomplete migration.
Review Migration Details
The migrations table will display the most relevant information of all the imports executed. For each migration, the system registers the following details:
- Logger Host
- Represents the Logger IP address or host name. For example,
12.345.67.890orlogger6.extremelyfocused.com. - Data Start Date
- Indicates the absolute date of the earliest possible event.
- Data End Date
- Indicates the absolute date of the latest possible event.
- Import Date
- Indicates the migration date and time displayed in the ArcSight Database timezone.
- Import Status
- Indicates the status of the import process:
-
- Start Migration: Confirms the Logger is reachable and can properly communicate with the system.
- In progress: Import is still in progress. PostgreSQL is downloaded to allow data to be extracted, read, and sent to the ArcSight Database.
- Complete: Successful import execution.
- Failed: Unavailable connections due to an unreachable Logger. Ensure that you review the prerequisites before importing data.
- Event Count
- Indicates the number of events migrated. This number increases automatically as the process continues.
- Logger Host User Name
- Indicates the OS username associated with the Logger host.
- Data Import ID
- Represents the unique identifier for the event migration. You must have this value to delete a migration.
To review details about the executed migration, see the logs in the opt/vertica/udfs/datamigration/logs/ directory.
After events have been imported, the retention policy will be managed by Logger or the Fusion capability, depending on the state of the Logger processes.
Resume an Incomplete Migration
A migration might be interrupted if access to the mount or data file is affected in any way during the process: an unresponsive mount, a network connectivity issue, a user who doesn't have the correct access permissions, data that couldn't be uncompressed, etc.
An migration can be resumed. The process starts from the last point of migration so you do not lose the data previously migrated.
-
Select the migrations that you want to resume.
-
Click
.
A migration that continues to appear as after it has been resumed at least once, might indicate the data cannot be migrated because of corruption issues.
Check the logs for any related messages, and contact support to help finish the migration.
Delete Incomplete or Failed Migrations
It's possible that a migration might fail to complete. For example, the status is or indicates that the migration is but it contains no events. In these types of scenarios, you can delete the migration, then try again.
-
Select the migrations that you want to delete.
-
Click
.