Reindex the audit log to recover audit trail historical
data in Cortex XSOAR
When you reindex the Cortex XSOAR database,
the audit trail is not reindexed by default and is deleted. You
can reindex the audit trail, and it will recover all of the audit
trail historical data.
Recovering the historical data
may take some time to complete, depending on the data. Your server
will not be available during the reindexing process.
- To reindex the audit log for a tenant, follow these instructions
with the multi-tenant paths provided below. To reindex the audit
logs for multiple tenants, perform these steps for each tenant separately.
Stop the Cortex XSOAR service.
sudo service demisto stop
Backup the index directory
The backup of the index directory should not be stored
) - For mult-tenant deployments,
The backup of the index directory should not be stored under
Delete the index folder.
sudo rm -rf /var/lib/demisto/data/demistoidx
) For multi-tenant deployments, delete
Include historical data in the reindex by editing the
Start the Cortex XSOAR service.
sudo service demisto start
After the server has been restarted and you can view
your audit logs, edit the