Migrate Cortex XSOAR Objects to Elasticsearch for a Single
Migrate Cortex XSOAR objects to Elasticsearch for a single server. Migration tool, flags.
You should migrate Cortex XSOAR objects to Elasticsearch if you plan to ingest a large amount of objects.
In the BoltDB, data related to incidents and indicators is stored by month in partitions. To minimize downtime during migration, it is recommended to create a copy of the database and migrate data that is older than three months from the copied database. This enables you to continue to work in your current environment. As soon as the initial migration completes, migrate the remaining months.
If you are working in an environment with remote repositories, you must run the migration separately on each environment. For example, if both your development and production environments are going to be used with an Elasticsearch database, you must migrate each of those environments, and each environment must use a different index prefix.
All commands are run from the Cortex XSOAR server machine.
To migrate your data, use the migration tool. You cannot run more than one migration tool process at a time.
Always migrate older data before newer data. Migrating partitions out of order can cause duplicate incident ids.
- Download the migration tool by appendingdownloadName=elasticsearch_migration_tool_6_1_0to the end of the download link that you received, when installing Cortex XSOAR.
- Copy your database and migrate data from the copy database to Elasticsearch.
- Copy the Cortex XSOAR database by doing one of the following:
- Copy thedemisto.conffile.
- Edit the copy of thedemisto.conffile, by adding your Elasticsearch configuration.Ensure thatelasticsearchis the top-level object in thedemisto.configfile (within the main curly brackets).
- Usingdemistoorsudopermissions, run the following command:sudo ./elasticMigrator -config-path<file path-of-copy-of-demisto.conf>-db-path<path-of-the-copy-of-the-demisto-database>-<flags>For a full list of the flags, see Migration Tool Flags. For example, to exclude the last 3 partitions from the migration, add the-partitions-to-ignoreflag and value to the command by typing the following:sudo ./elasticMigrator -config-path /usr/local/dev/copy_of_demisto.conf -db-path /usr/local/dev/lib_demisto_copy/data -partitions-to-ignore '042021,052021,062021'When you run the migration tool, parameter values specified in thedemisto.conffile override values supplied for tool flags and default values. If no value exists in thedemisto.conffile, values supplied in the tool flags override default values, but do not write the values to thedemisto.configfile.
- Complete steps 1 to 3 in Validate the migration.
- After the migration of the data is complete and validated, migrate your data from the active database to Elasticsearch.
- Create a backup copy of thedemisto.conffile for your active database.
- Edit thedemisto.conffor your active database to add your Elasticsearch configuration.
- Stop the Cortex XSOAR server by running one of the following commands:
- CentOS:sudo systemctl stop demisto
- Ubuntu:sudo service demisto stop
- Usingdemistoorsudopermissions, run the following command:sudo ./elasticMigrator -config-path<file path-of-demisto.conf>-db-path<path-of-the-demisto-database>-<flag>If you have any remaining data (such as the last 3 months partitions), migrate the remaining months from the active database to Elasticsearch, by adding the-partitionsflag to theelasticMigratorcommand.For example,sudo ./elasticMigrator -partitions '.042021,052021,062021'When you run the migration tool, parameter values specified in thedemisto.conffile override values supplied for tool flags and default values. If no value exists in thedemisto.conffile, values supplied in the tool flags override default values, but do not write the values to thedemisto.configfile.
- Validate the migration (all steps).
Migration Tool Flags
A comma-separated list of accounts to migrate. If not specified, all accounts are migrated.
The path to the configuration file for the server. Default: /etc/demisto.conf.
The path to the database directory. Default: /var/lib/demisto.
The number of indicators per batch to write to Elasticsearch indexes. Default: 700.
The index prefix used in Elasticsearch.
The API key to connect to Elasticsearch.
Required (unless a username and password are used)
The password to connect to Elasticsearch.
required (unless API key is used)
The URL of your Elasticsearch environment. Default: http://localhost:9200.
The username to connect to Elasticsearch.
required (unless API key is used)
The path to the file with the IDs to ignore, per object.
The log level to display. Default: info.
The location of the log file.Default: /var/log/demisto/elastic_migration.log
By default, the Elasticsearch tool checks existing indexes and migrates only the ones that are new. Using this flag, the Elasticsearch tool migrates all indexes even if they currently exist. This is useful, for example, if there was an error or invalid data that was fixed. When used, the objects-to-migrate and objects-to-ignore flags are ignored.
Comma-separated list of objects not to migrate. When the migrate-all flag is used, this flag is ignored.
Comma-separated list of objects to migrate. When the migrate-all flag is used, this flag is ignored.
Comma-separated list of partitions to migrate. If no partitions are specified, all partitions are migrated.
Comma-separated list of partitions to exclude.
Show results of the previous migration.
Existing indicators are not modified during the migration.
Prints the migration tool version.
Answers yes to all questions, unless there is an error.
Recommended For You
Recommended videos not found.