Copying Logger Data to ArcSight SaaS
You must run the Archive Migration Tool on each Logger from which you want to copy data to ArcSight SaaS. The first time the tool runs, you will be prompted to configure the Amazon S3 bucket that stores the copied Logger Data. Note that you can reconfigure the bucket at any time after that initial configuration.
After the bucket has been configured, select the Logger archives that you want to copy to ArcSight SaaS. You can configure the tool to schedule the copy of Logger Data to the Amazon S3 bucket at specific times, instead of running it manually. The tool copies the files pertaining to the selected archives to the Amazon S3 bucket.
Once the copy process is completed, an Archive Catalog file is generated. This file contains metadata about the archives that have been copied so far, plus additional information about Logger, such as its storage groups and their retention.
The Archive Catalog file is copied to the Amazon S3 bucket in a folder named:
Bucket_Name/event-sync/logger-archives/Tenant_ID/Logger_IP_Without_Dots/
The copied Logger archives' files will be available in folders such as:
Bucket_Name/event-sync/logger-archives/Tenant_ID/Logger_IP_Without_Dots/Storage_Group_ID/YearMonthDay/
Each time the tool runs and copies new Logger data to ArcSight SaaS, the Archive Catalog file is updated to include information about the newly copied data.
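As an added example (not part of the original documentation or of the Archive Migration Tool), the following Python check sorts a listing of S3 object keys against the folder layout above and flags keys that fall outside the expected tenant and Logger prefix. It assumes that Logger_IP_Without_Dots is the IPv4 address with its dots removed and that YearMonthDay is eight digits; the tenant IDs, IP address, and file names in the sample are constructed.

```python
import re
from collections import defaultdict

ROOT = "event-sync/logger-archives"

def logger_prefix(tenant_id, logger_ip):
    """Key prefix (inside the bucket) for one Logger, per the documented layout."""
    # Assumption: Logger_IP_Without_Dots is the IPv4 address with dots removed.
    return f"{ROOT}/{tenant_id}/{logger_ip.replace('.', '')}/"

def inventory(keys, tenant_id, logger_ip):
    """Split keys into archive files per (storage group, day), files directly in
    the Logger folder (where the Archive Catalog is copied), and keys that do
    not fit the layout for this tenant and Logger."""
    prefix = logger_prefix(tenant_id, logger_ip)
    # Assumption: YearMonthDay is eight digits (YYYYMMDD).
    archive_re = re.compile(re.escape(prefix) + r"([^/]+)/(\d{8})/([^/]+)$")
    archives = defaultdict(list)
    top_level, unexpected = [], []
    for key in keys:
        rest = key[len(prefix):] if key.startswith(prefix) else None
        match = archive_re.match(key)
        if match:
            group_id, day, filename = match.groups()
            archives[(group_id, day)].append(filename)
        elif rest and "/" not in rest:
            top_level.append(rest)
        else:
            unexpected.append(key)
    return dict(archives), top_level, unexpected

# Constructed sample listing (hypothetical tenant IDs, Logger IP and file names).
SAMPLE_KEYS = [
    "event-sync/logger-archives/tenant-a/1921680110/catalog-placeholder.json",
    "event-sync/logger-archives/tenant-a/1921680110/1/20240105/archive-0001.dat",
    "event-sync/logger-archives/tenant-a/1921680110/1/20240105/archive-0002.dat",
    "event-sync/logger-archives/tenant-a/1921680110/2/20240106/archive-0003.dat",
    "event-sync/logger-archives/tenant-b/1921680110/1/20240105/archive-0001.dat",    # other tenant
    "event-sync/logger-archives/tenant-a/1921680110/1/2024-01-05/archive-0004.dat",  # malformed day
]

if __name__ == "__main__":
    archives, top_level, unexpected = inventory(SAMPLE_KEYS, "tenant-a", "192.168.0.110")
    for (group_id, day), files in sorted(archives.items()):
        print(f"storage group {group_id}, {day}: {len(files)} file(s)")
    print("files in Logger folder:", top_level)
    print("keys outside the expected layout:", unexpected)
```

Feed it the key names from a listing of the bucket; a non-empty third result after a copy run is worth reviewing before relying on the data in ArcSight SaaS.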
The Logger process needs to be up and running for Phase 1 of copying Logger Data to ArcSight SaaS. Once all the Logger archives' data has been copied, and the connectors have been switched to send events to ArcSight SaaS, you can choose to shut down the Logger process.