Migrate a Single Instance for High Availability
Instructions for migrating your Cortex XSOAR single instance deployment to a highly available installation of Cortex XSOAR.
To migrate a single instance from BoltDB to Elasticsearch with High Availability, there are two steps. First use the Cortex XSOAR migration tool to migrate the database. Then set up additional app servers to achieve high availability.
The migration tool migrates Cortex XSOAR objects to an Elasticsearch database. When you run the migration tool, the contents of the Cortex XSOAR database are read, and a corresponding object is created in Elasticsearch.
When you run the migration tool, parameter values specified in the demisto.conf file override both values supplied through tool flags and default values. If a parameter has no value in the demisto.conf file, the value supplied through a tool flag overrides the default value, but the tool does not write it to the demisto.conf file. For example, if db-path is set in the configuration file, the tool uses the value in that file, not the value supplied as a flag or the default value.
You cannot run more than one migration tool process at a time.
If you are upgrading from Cortex XSOAR 6.0 to 6.1 and you have indicators and audits stored in Elasticsearch in Cortex XSOAR 6.0, upgrade from Cortex XSOAR 6.0 to 6.1 before the migration. Do NOT start the server. Then follow the migration instructions below.
Before you begin, ensure the following:
- You have an active instance of Cortex XSOAR v6.1.
- All app servers can communicate with Elasticsearch over port 9200.
- All app servers have network access to each other over port 443.
Configuration File Parameters
The Elasticsearch object should be a top-level object in the demisto.conf configuration file (within the main curly brackets).
Migration Tool Flags
A comma-separated list of accounts to migrate. If not specified, all accounts are migrated.
The path to the configuration file for the server. Default: /etc/demisto.conf.
The path to the database directory. Default: /var/lib/demisto.
The number of indicators per batch to write to Elasticsearch indexes. Default: 700.
The index prefix used in Elasticsearch.
The API key to connect to Elasticsearch. Required (unless a username and password are used).
The password to connect to Elasticsearch. Required (unless API key is used).
The URL of your Elasticsearch environment. Default: http://localhost:9200.
The username to connect to Elasticsearch. Required (unless API key is used).
The path to the file with the IDs to ignore, per object.
The log level to display. Default: info.
The location of the log file. Default: /var/log/demisto/elastic_migration.log.
By default, the Elasticsearch tool checks existing indexes and migrates only the ones that are new. Using this flag, the Elasticsearch tool migrates all indexes even if they currently exist. This is useful, for example, if there was an error or invalid data that was fixed. When used, the objects-to-migrate and objects-to-ignore flags are ignored.
Comma-separated list of objects not to migrate. When the migrate-all flag is used, this flag is ignored.
Comma-separated list of objects to migrate. When the migrate-all flag is used, this flag is ignored.
Comma-separated list of partitions to migrate. If no partitions are specified, all partitions are migrated.
Show results of the previous migration.
Does not migrate multi-tenant accounts. When set to true, only the main tenant or host database is migrated.
Existing indicators are not modified during the migration.
Prints the migration tool version.
Answers yes to all questions, unless there is an error.
In the BoltDB, data related to incidents and indicators is stored in partitions by month. To minimize downtime during the migration, we recommend you create a copy of the database, then migrate data that is older than three months from the copy, while continuing to work in your current environment. Once the initial migration is completed, you should then migrate the last three months.
- Copy the demisto.lic file from the /usr/local/demisto directory to the /var/lib/demisto directory.
- Add the following entry in the demisto.conf file: license.file.path:"/var/lib/demisto"
- Download the migration tool: Append downloadName=elasticsearch_migration_tool_6_1_0 to the end of the download link that you received.
- Follow migration instructions:
- If you used Elasticsearch to store indicators and audits in Cortex XSOAR 6.0 prior to upgrade, ensure the demisto.conf file is up-to-date with the ES object and then Migrate an Existing Elasticsearch Deployment.
When working in a high availability configuration, you must define a shared file system, so the standard /var/lib/demisto/ directory is shared between all of the application servers.
If you are implementing high availability and have not configured your load balancer to provide SSL, ensure that you have the same certificates for all the app servers and that the web certificate contains all the app server and load balancer URLs.
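One way to check the certificate requirement above before putting the app servers behind the load balancer. This is an added example, not part of the Cortex XSOAR documentation or tooling; the script name, certificate path and hostnames are placeholders, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example, not vendor code. Hostnames and file paths are placeholders.

# Reduce openssl's SAN text ("DNS:a, DNS:b, IP Address:x") to one name per line.
parse_sans() {
    tr ',' '\n' |
        sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*DNS://p' \
               -e 's/^[[:space:]]*IP Address://p' |
        tr 'A-Z' 'a-z'
}

# SAN entries of a PEM certificate (needs OpenSSL 1.1.1 or later for -ext).
cert_sans() { openssl x509 -in "$1" -noout -ext subjectAltName | parse_sans; }

# True if SAN $1 covers host $2. A wildcard covers exactly one leading label.
san_matches() {
    case "$1" in
        "$2") return 0 ;;
        '*.'*)
            suffix=${1#\*}
            case "$2" in
                *"$suffix")
                    label=${2%"$suffix"}
                    case "$label" in ''|*.*) return 1 ;; *) return 0 ;; esac ;;
            esac ;;
    esac
    return 1
}

# Print each host in $2.. that no SAN in list $1 covers; status 1 if any.
missing_hosts() {
    sans=$1; shift; rc=0
    for host in "$@"; do
        host=$(printf '%s' "$host" | tr 'A-Z' 'a-z'); covered=no
        while IFS= read -r san; do
            if san_matches "$san" "$host"; then covered=yes; fi
        done <<EOF
$sans
EOF
        [ "$covered" = yes ] || { printf '%s\n' "$host"; rc=1; }
    done
    return "$rc"
}

# Usage: sh check_sans.sh /path/to/cert.pem app1.example.com lb.example.com
if [ "$#" -ge 2 ]; then
    cert=$1; shift
    missing_hosts "$(cert_sans "$cert")" "$@"
fi
```

Run it against the certificate file on each app server, passing every app server and load balancer hostname; any hostname it prints is missing from that certificate.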