End-of-Life (EoL)

Reindex the Audit Log

Reindex the audit log to recover audit trail historical data in Cortex XSOAR
When you reindex the Cortex XSOAR database, the audit trail is not reindexed by default and is deleted. You can reindex the audit trail, and it will recover all of the audit trail historical data.
Recovering the historical data may take some time to complete, depending on the data. Your server will not be available during the reindexing process.
(
Multi-tenant
) - To reindex the audit log for a tenant, follow these instructions with the multi-tenant paths provided below. To reindex the audit logs for multiple tenants, perform these steps for each tenant separately.
  1. Stop the Cortex XSOAR service.
    sudo service demisto stop
  2. Backup the index directory
    /var/lib/demisto/data/demistoidx
    .
    The backup of the index directory should not be stored under
    /var/lib/demisto
    .
    (
    Multi-tenant
    ) - For mult-tenant deployments, backup
    /var/lib/demisto/tenants/acc_
    TENANT_NAME
    /data/demistoidx
    . The backup of the index directory should not be stored under
    /var/lib/demisto/tenants/acc_
    TENANT_NAME
    .
  3. Delete the index folder.
    sudo rm -rf /var/lib/demisto/data/demistoidx
    (
    Multi-tenant
    ) For multi-tenant deployments, delete the folder
    /var/lib/demisto/tenants/acc_
    TENANT_NAME
    /data/demistoidx
    .
  4. Include historical data in the reindex by editing the
    /etc/demisto.conf
    file to add
    server.audits.restore: true
  5. Start the Cortex XSOAR service.
    sudo service demisto start
  6. After the server has been restarted and you can view your audit logs, edit the
    /etc/demisto.conf
    file to delete
    server.audits.restore: true

Recommended For You