Migrating Cortex XSOAR data to Elasticsearch

Object information in an existing Cortex XSOAR instance is copied to a
designated Elasticsearch index.
Elasticsearch is a distributed, open source search and
analytics engine for all types of data. It enables processing and
storing large amounts of data.
When you migrate the objects that exist in Cortex XSOAR to Elasticsearch,
they are moved to a designated index used by a specific Elasticsearch
instance. Every Elasticsearch index is composed of at least one
primary shard where the data is stored. A replica shard is a copy
of a primary shard. Replicas provide redundant copies of your data
to protect against hardware failure and increase capacity to serve read
requests like searching or retrieving data.
The following diagram depicts a Cortex XSOAR environment with
The number of primary shards in an index is fixed at the time
that an index is created, but the number of replica shards can be
changed at any time, without interrupting indexing or query operations.
In order to move to Elasticsearch, you must have Cortex XSOAR
v6.0 and Elasticsearch installed. We recommend that you install
Elasticsearch on a different server than Cortex XSOAR, because both
services consume a large amount of memory.
You perform the migration by running the migration tool, which
is a standalone binary file. The binary file must be run with either
The migration tool uses the
to read the following information:
You must stop the Cortex XSOAR server
before you run the migration tool. This enables the tool to safely
access the database and required configurations.
The migration tool begins by reading the Cortex XSOAR database
to identify existing partitions and custom fields. It then creates
the index (if it does not already exist) based on the Elasticsearch
configuration in the
based on the Elasticsearch default configurations set in the Elasticsearch
cluster setting. After Elasticsearch is successfully configured,
the tool reads each partition, from older to newer, and copies all
objects to the index. Duplicate objects are overwritten, so only the
latest version of each object is kept.
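The two rules described above, partitions copied from older to newer with later copies of an object overriding earlier ones, and a primary shard count that is fixed at index creation while the replica count stays changeable, as an added example in Python. This is illustrative code, not the migration tool's own; the partition names, object shape and the `inc-*` ids are constructed.

```python
"""Added example (not the Cortex XSOAR migration tool's own code).
Partition layout and object shape below are constructed for illustration."""

# Constructed sample: partitions named so that they sort chronologically,
# each holding objects keyed by id; an id may appear in several partitions.
PARTITIONS = [
    ("2020-q2", {"inc-1": {"version": 2, "status": "closed"}}),
    ("2020-q1", {"inc-1": {"version": 1, "status": "open"},
                 "inc-2": {"version": 1, "status": "open"}}),
]

# Per the text, only the number of replicas may change after creation.
MUTABLE_SETTINGS = {"number_of_replicas"}


def merge_partitions(partitions):
    """Walk partitions from oldest to newest (assumes the partition name
    sorts chronologically); a later copy of an object replaces an earlier
    one, so only the latest version survives."""
    merged = {}
    for _name, objects in sorted(partitions, key=lambda p: p[0]):
        merged.update(objects)
    return merged


def index_create_body(number_of_shards, number_of_replicas):
    """Settings for the initial index; the primary shard count is fixed here."""
    return {"settings": {"index": {
        "number_of_shards": number_of_shards,
        "number_of_replicas": number_of_replicas}}}


def settings_update_body(changes):
    """Body for a later settings update; reject keys that are fixed at
    index creation (such as number_of_shards) instead of sending them."""
    fixed = set(changes) - MUTABLE_SETTINGS
    if fixed:
        raise ValueError(f"cannot change after creation: {sorted(fixed)}")
    return {"index": dict(changes)}


if __name__ == "__main__":
    print(merge_partitions(PARTITIONS))
    print(index_create_body(1, 1))
    print(settings_update_body({"number_of_replicas": 2}))
```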
When working with Elasticsearch, Cortex XSOAR does not maintain,
and is not responsible for, the following:
Moving data from the Elasticsearch database back to the
Cortex XSOAR Bolt database is not supported.