End-of-Life (EoL)

Migrate Cortex XSOAR Objects to Elasticsearch for a Single Server

You should migrate Cortex XSOAR objects to Elasticsearch if you plan to ingest a large number of objects.
When you run the migration tool, parameter values specified in the demisto.conf file override values supplied for tool flags and default values. If no value exists in the demisto.conf file, values supplied in the tool flags override default values, but are not written to the demisto.conf file. For example, if db-path is identified in the configuration file, the tool uses the value in that file, not the value supplied on the command line or the default value.
Download the migration tool
To download the migration tool, append &downloadName=elasticsearch_migration_tool to the end of the download link that you received.
Configuration file parameters
The elasticsearch object should be a top-level object in the demisto.conf file (within the main curly brackets). The following are the available parameters.

| Parameter | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Enables the Elasticsearch repository. | Mandatory |
| url | string | URL for the Elasticsearch DB (including the http/https prefix and the port). | Mandatory |
| username | string | Username in Elasticsearch. | Mandatory (unless an API key is used) |
| password | string | Password for the user. | Mandatory (unless an API key is used) |
| apiKey | string | Specify an API key instead of a username and password. | Optional |
| insecure | boolean | Specify whether or not to verify the https certificate. Default: true | Optional |
| proxy | boolean | Specify whether to use a proxy connection to connect to Elasticsearch. Default: false | Optional |
| shards.<name of index> | integer | The number of shards for a specific index. You should set the value for the specific index to the number of CPU cores in the dedicated Elasticsearch server. Default: 1. For example, elasticsearch.shards.<common-indicator>, where <common-indicator> is the name of the index. | Optional |
| replicas.<name of index> | integer | The number of replica shards for a specific index. You should set the value for the specific index to the number of backups you require. Default: 0. For example, elasticsearch.replicas.<common-indicator>, where <common-indicator> is the name of the index. | Optional |
| innerBatchSize | integer | Number of Cortex XSOAR objects to include in a single insert request. | Optional |
| indexPrefix | string | Prefix to include in index names for indexes created by Cortex XSOAR. | Optional |
| maxResultWindow | integer | Maximum number of results to request from Elasticsearch in a single page. Default: 1000 | Optional |
For example (an API key can be specified in apiKey instead of a username and password):

    "elasticsearch": {
      "enabled": true,
      "url": "http://localhost:9200",
      "username": "user",
      "password": "password",
      "apiKey": "",
      "shards": {
        "common-indicator": 1,
        "common-audit": 1
      },
      "replicas": {
        "common-indicator": 0,
        "common-audit": 0
      }
    },
Tool flags

| Flag | Type | Description | Required |
|---|---|---|---|
| -accounts | string | A comma-separated list of accounts to migrate. If not specified, all accounts are migrated. Multi-tenant deployments only. | Optional |
| -config-path | string | The path to the configuration file for the server. The default path is /etc/demisto.conf. | Optional |
| -db-path | string | The path to the database directory. The default path is /var/lib/demisto. | Optional |
| -elastic-batch-size | integer | The number of indicators per batch to write to Elasticsearch indexes. The default value is 500. | Optional |
| -elastic-index-prefix | string | The index prefix used in Elasticsearch. | Optional |
| -elastic-key | string | The API key to connect to Elasticsearch. | Optional |
| -elastic-password | string | The password to connect to Elasticsearch. | Optional |
| -elastic-url | string | The URL of your Elasticsearch environment. The default is http://localhost:9200. | Optional |
| -elastic-username | string | The username to connect to Elasticsearch. | Optional |
| -log-level | string | The log level to display. The default is info. | Optional |
| -migrate-all | N/A | By default, the Elasticsearch tool checks existing indexes and migrates only the ones that are new. With this flag, the tool migrates all indexes even if they already exist. This is useful, for example, if there was an error or invalid data that has since been fixed. | Optional |
Prerequisites
Run all commands from the Cortex XSOAR server machine.
  1. Stop the Cortex XSOAR server.
    • CentOS:
      sudo systemctl stop demisto
    • Ubuntu:
      sudo service demisto stop
  2. Edit the demisto.conf file as needed.
  3. Run the ./elasticMigrator command with either demisto or sudo permissions.
      ./elasticMigrator
  4. Start the Cortex XSOAR service.
    • CentOS:
      sudo systemctl start demisto
    • Ubuntu:
      sudo service demisto start
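A pre-flight check that ties the configuration table, the precedence rule and step 3 together, as an added example (not part of Cortex XSOAR or the migration tool): it resolves each setting the way the page describes (demisto.conf value, then tool flag, then tool default) and reports what is missing or worth a second look before ./elasticMigrator runs. The pairing of tool flags to demisto.conf keys and the defaults are assumptions taken from the two tables above, and the sample configuration is constructed.

```python
"""Pre-flight check of the "elasticsearch" object in demisto.conf before running
elasticMigrator. Added example, not Cortex XSOAR code. Precedence follows the page:
config file value > tool flag > tool default, and the file is never rewritten."""
from urllib.parse import urlparse

# Defaults from the page, keyed by demisto.conf parameter name (assumed set).
DEFAULTS = {"url": "http://localhost:9200", "insecure": True, "maxResultWindow": 1000}
# Assumed pairing of tool flags to demisto.conf keys.
FLAG_TO_KEY = {"elastic-url": "url", "elastic-username": "username",
               "elastic-password": "password", "elastic-key": "apiKey",
               "elastic-index-prefix": "indexPrefix"}

def effective(es, flags, key):
    """Config file value > tool flag > tool default; the file is never rewritten."""
    flag = next((f for f, k in FLAG_TO_KEY.items() if k == key), None)
    return es.get(key, flags.get(flag, DEFAULTS.get(key)))

def check_elastic_config(demisto_conf, flags=None):
    """Return (errors, warnings); any error should stop the migration run."""
    flags, errors, warnings = flags or {}, [], []
    es = demisto_conf.get("elasticsearch")
    if not isinstance(es, dict):
        return ["no top-level elasticsearch object in demisto.conf"], warnings
    if es.get("enabled") is not True:
        errors.append("enabled must be true")
    parsed = urlparse(str(effective(es, flags, "url")))
    if parsed.scheme not in ("http", "https") or not parsed.port:
        errors.append("url must include the http/https prefix and the port")
    elif parsed.scheme == "http":
        warnings.append("url is plain http: credentials and indicators travel unencrypted")
    if effective(es, flags, "insecure") is True:
        warnings.append("insecure is true (the default): https certificate is not verified")
    if not effective(es, flags, "apiKey") and not (
            effective(es, flags, "username") and effective(es, flags, "password")):
        errors.append("set apiKey, or both username and password")
    for group, low in (("shards", 1), ("replicas", 0)):  # per-index integer settings
        for index, n in (es.get(group) or {}).items():
            if isinstance(n, bool) or not isinstance(n, int) or n < low:
                errors.append(f"{group}.{index} must be an integer >= {low}")
    return errors, warnings

# Constructed sample mirroring the page's example configuration.
SAMPLE = {"elasticsearch": {"enabled": True, "url": "http://localhost:9200",
          "username": "user", "password": "password", "apiKey": "",
          "shards": {"common-indicator": 1, "common-audit": 1},
          "replicas": {"common-indicator": 0, "common-audit": 0}}}

if __name__ == "__main__":  # the file value wins, so the https flag below is ignored
    print(check_elastic_config(SAMPLE, {"elastic-url": "https://es.example.internal:9200"}))
```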