Reindex the audit log to recover audit trail historical data in Cortex XSOAR
When you reindex the Cortex XSOAR database, the audit trail is not reindexed by default and is deleted. You can reindex the audit trail, and it will recover all of the audit trail historical data.

Recovering the historical data may take some time to complete, depending on the amount of data. Your server will not be available during the reindexing process.

(Multi-tenant) To reindex the audit log for a tenant, follow these instructions with the multi-tenant paths provided below. To reindex the audit logs for multiple tenants, perform these steps for each tenant separately.

1. Stop the Cortex XSOAR service.

   sudo service demisto stop

2. Back up the index directory /var/lib/demisto/data/demistoidx. The backup of the index directory should not be stored under /var/lib/demisto.

   (Multi-tenant) For multi-tenant deployments, back up /var/lib/demisto/tenants/acc_TENANT_NAME/data/demistoidx. The backup of the index directory should not be stored under /var/lib/demisto/tenants/acc_TENANT_NAME.

3. Delete the index folder.

   sudo rm -rf /var/lib/demisto/data/demistoidx

   (Multi-tenant) For multi-tenant deployments, delete the folder /var/lib/demisto/tenants/acc_TENANT_NAME/data/demistoidx.

4. Include historical data in the reindex by editing the /etc/demisto.conf file to add

   server.audits.restore: true

5. Start the Cortex XSOAR service.

   sudo service demisto start

6. After the server has been restarted and you can view your audit logs, edit the