Manage Partial Migration to Elasticsearch - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-28
End_of_Life
EoL
Category
Administrator Guide
Abstract

Manage and resolve partial migrations to Elasticsearch. Run migration tool again.

After migrating to Elasticsearch, you can verify that your data was migrated in the elastic-migration-results file located in the migration directory.

If you identify that there are items that were not migrated, you can migrate those objects using the migration tool.

Note

  • You must run the migration tool from the same directory where you originally ran the migration. The migration tool reads from the elastic-migration-results file located in the migration directory to determine which data must still be migrated.

  • Always migrate older data before newer data. Migrating partitions out of order can cause duplicate incident ids.

  • By default, the migration tool skips over objects larger than 100 megabytes. After the migration process runs, you can view the skipped large objects and determine whether to migrate them. For more information, see Validate the Migration to Elasticsearch.

  1. Stop the Cortex XSOAR server.

    • CentOS: sudo systemctl stop demisto

    • Ubuntu: sudo service demisto stop

  2. Run the ./elasticMigrator command with either demisto or sudo permissions.

    The migration tool identifies that a migration already executed for your environment.

  3. When prompted to view the results of the previous execution, enter yes.

    partial_migration.png

    In the figure above, for example, we can see that the audits object was not migrated.

  4. Run the ./elasticMigrator command and use the objects-to-migrate flag to migrate any items that were not migrated.

  5. Start the Cortex XSOAR service.

    • CentOS: sudo systemctl start demisto

    • Ubuntu: sudo service demisto start

  6. Validate the migration.