Archive Live Logger Data

Does not apply in a SaaS environment

You must archive all live data in Logger before you attempt the migration process.

Configure the Archive Storage Setting

Required only if you have not previously configured this setting

If you are using the Logger Appliance, create the NFS or CIFS mount point. For more information, see the Storage and Remote File System sections on Chapter 6 of the Administrator's Guide to ArcSight Logger. If you are using Software Logger and intend to use an NFS or CIFS mount point, ensure that the external storage point is mounted on the machine on which Logger is installed. For more information, see your system’s operating system documentation.

  1. Go to Configuration > Storage > Archive Storage Settings.

  2. Specify a mount location and an archive path for each storage group. You can specify a different path for each storage group, thus enabling Logger to archive events to a different location for each storage group.

    You can configure settings for all storage groups on the Archive Storage Settings page even if you do not intend to archive all of them. Logger enables you to only save the storage group paths that have a mount configured and ignore the empty fields.

    • On Logger Appliances: Select (from the list box) a path in the Archive Path field appended to the path specified in the mount location. This location can be an NFS mount, CIFS mount, which is configured using the Logger user interface.

      For example, if the mount location you selected refers to the path /opt/ARCHIVES, and the archive directory in that location is archivedir, then specify archivedir in the Archive Path field.

    • On Logger Software: Enter a complete path where the archive file will be written in the Archive Path field. This path could be a local directory or a mount point already established on the Logger host.

    Tip: On Software Loggers, the Mount Location field does not exist.

  3. Click Save.

If all fields are blank or without any changes, Logger will display the message No changes have been made message. Otherwise, Logger will acknowledge the configuration with the message Archive Storage Settings saved successfully.

 

Add an Event Archive

  1. Open the Configuration > Storage > Event Archives.

  2. Click Add in the Event Archives page.

  3. For Name, enter a meaningful name for the new Event Archive.

  4. Specify the Start and End dates in the mm/dd/yy format.

    When the Start and End dates are different, the system creates one archive file per storage group, for each specified day. For example, that will be the case when you specify the following Start and End dates:

    Start Date: 8/12/19

    End Date: 8/13/19

    Note: If a day's events have already been archived, you will not be able to archive them again. If you try to archive the same day's events twice, Logger will display a message with the already archived day or dates. If you are archiving a range of dates and some of them have been archived, the archive process will complete, skipping any days already archived, and a message will display the

    And, if you configure both storage groups—Internal Event Storage Group and Default Storage Group, four archive files will be created as a result of this archive operation—two files per storage group for the specified two days.

    The Event Archives table in the Event Archives page lists the archives by an alias in the following format:

    <archive_name> [<yyyy-m-dd>] [<storage_group_name>]

  5. Select the names of the storage groups that need to be included in the archive.

  6. Click Save to start archiving events, or Cancel to quit.

Note: You can cancel an in-progress archive operation at any time using the Cancel link that displays on top of the Event Archives page.
If corruption cases have been detected before, please check how To sanitize an Event Archive in chapter 5 of the Administrator's Guide for ArcSight Logger.