Reindex the Audit Log - Administrator Guide - 6.8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.8
Creation date: 2022-09-28
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide
Abstract

Reindex the audit log to recover audit trail historical data in Cortex XSOAR

When you reindex the Cortex XSOAR database, the audit trail is not reindexed by default and is deleted. You can reindex the audit trail separately, which recovers all of the historical audit trail data.

Note

Recovering the historical data may take some time to complete, depending on the data. Your server will not be available during the reindexing process.

Note

(Multi-tenant) - To reindex the audit log for a tenant, follow these instructions with the multi-tenant paths provided below. To reindex the audit logs for multiple tenants, perform these steps for each tenant separately.

  1. Stop the Cortex XSOAR service.

    sudo service demisto stop

  2. Back up the index directory /var/lib/demisto/data/demistoidx.

    The backup of the index directory must not be stored under /var/lib/demisto.

    (Multi-tenant) - For multi-tenant deployments, back up /var/lib/demisto/tenants/acc_TENANT_NAME/data/demistoidx. The backup of the index directory must not be stored under /var/lib/demisto/tenants/acc_TENANT_NAME.

  3. Delete the index folder.

    sudo rm -rf /var/lib/demisto/data/demistoidx

    (Multi-tenant) For multi-tenant deployments, delete the folder /var/lib/demisto/tenants/acc_TENANT_NAME/data/demistoidx.

  4. Include historical data in the reindex by editing the /etc/demisto.conf file and adding the key server.audits.restore: true.

  5. Start the Cortex XSOAR service.

    sudo service demisto start

  6. After the server has restarted and you can view your audit logs, edit the /etc/demisto.conf file again and delete the key server.audits.restore: true.
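The six steps above, wrapped in a helper script as an added example (this is not Palo Alto Networks' code). It assumes /etc/demisto.conf is a JSON file with the key at the top level, that python3 is available on the server, and that the script is run as root in place of the per-command sudo in the procedure; the tenant name and backup directory are arguments you supply.

```shell
#!/usr/bin/env bash
# Added helper wrapping the reindex procedure (not Palo Alto Networks' code).
# Assumes /etc/demisto.conf is flat top-level JSON and python3 is installed.
set -eu
CONF="${CONF:-/etc/demisto.conf}"

# Path of the index directory for the main server or an acc_<tenant> tenant.
index_dir() {
  if [ -n "${1:-}" ]; then printf '/var/lib/demisto/tenants/acc_%s/data/demistoidx\n' "$1"
  else printf '/var/lib/demisto/data/demistoidx\n'; fi
}

# The backup must not live inside the tree being reindexed; reject anything
# under /var/lib/demisto (stricter than the per-tenant rule in the guide).
backup_dest_ok() {
  case "$1" in /var/lib/demisto|/var/lib/demisto/*) return 1 ;; esac
  return 0
}

# Add (on) or remove (off) the server.audits.restore key without clobbering
# the rest of the config; appending raw text would corrupt the JSON.
set_audits_restore() {  # $1 = conf path, $2 = on|off
  python3 - "$1" "$2" <<'PY'
import json, sys
path, mode = sys.argv[1], sys.argv[2]
with open(path) as f:
    conf = json.load(f)
if mode == "on":
    conf["server.audits.restore"] = True
else:
    conf.pop("server.audits.restore", None)
with open(path, "w") as f:
    json.dump(conf, f, indent=2); f.write("\n")
PY
}

# Steps 1-5: stop, back up, delete the index, set the key, start.
reindex_audit_log() {  # $1 = backup dir, $2 = tenant name (optional)
  idx="$(index_dir "${2:-}")"
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  backup_dest_ok "$1" || { echo "backup must be outside /var/lib/demisto" >&2; return 1; }
  service demisto stop
  mkdir -p "$1" && cp -a "$idx" "$1/demistoidx.$(date +%Y%m%d%H%M%S)"
  rm -rf "$idx"
  set_audits_restore "$CONF" on
  service demisto start
  echo "Verify the audit log in the UI, then run: $0 finish"
}

case "${1:-}" in
  start)  reindex_audit_log "${2:?backup dir}" "${3:-}" ;;
  finish) set_audits_restore "$CONF" off ;;   # step 6
esac
```

Run `start <backup-dir> [TENANT_NAME]` for steps 1 to 5, check the audit log in the UI, then run `finish` to remove the key.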