Data Migration
Migrate Elasticsearch Data
Pre-requisites
| | Service account permissions: Local system account | Service account permissions: Service user account | Storage |
|---|---|---|---|
| Local drives | Should have sufficient read and write permissions. | Should have sufficient read and write permissions. | Sufficient disk space should be provided. |
| Network drives | Local system account cannot be used. | The network path should be accessible from the EventLog Analyzer machine using the service user account. Should have sufficient read and write permissions for that service user account. There should be no interruption in connectivity to the network share. | |
System requirements
- For optimal performance, 10ms or lower latency is recommended, and it should not exceed 100ms.
- 50% of the server's RAM should be kept free for off-heap utilization of Elasticsearch for optimal performance.
Overview of Elasticsearch (ES) data paths
ES directories
- ES\repo folder contains temporary files for ES archives
- ES\data folder contains data
- ES\archive folder contains ES archives
- ES\repo, ES\data and ES\archive should never point to the same folder
Examples:
For a remote network path, use the following format:
- path.data : ["//remote machine name/shared folder/data"]
- path.repo : ["//remote machine name/shared folder/repo"]
For Windows local storage, use the following format:
- path.data : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\data"]
- path.repo : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\repo"]
For Linux local storage, use the following format:
- path.data : ["/opt/ManageEngine/EventLog Analyzer/ES/data"]
- path.repo : ["/opt/ManageEngine/EventLog Analyzer/ES/repo"]
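The rule that ES\repo, ES\data and ES\archive never point to the same folder can be checked against elasticsearch.yml before Elasticsearch is restarted. The Python check below is an added example, not ManageEngine code; it assumes the settings are written in the bracketed form shown above and that archive is the folder parallel to path.data, and the D:\ESStore paths are constructed.

```python
import json
import ntpath
import posixpath
import re

# Matches the setting format shown above:  path.data : ["C:\\...\\ES\\data"]
SETTING = re.compile(r'^\s*(path\.(?:data|repo))\s*:\s*(\[.*\])\s*$')

def read_paths(yml_text):
    """Extract the path.data and path.repo lists from elasticsearch.yml text."""
    found = {}
    for line in yml_text.splitlines():
        m = SETTING.match(line)
        if m:
            # A double-quoted flow list in this form is also valid JSON, so
            # json.loads decodes the escaped backslashes of a Windows path.
            found[m.group(1)] = json.loads(m.group(2))
    return found

def flavour(path):
    """Windows rules for drive-letter and //host/share paths, POSIX otherwise."""
    if re.match(r'^[A-Za-z]:', path) or path.startswith(('//', '\\\\')):
        return ntpath
    return posixpath

def canonical(path):
    """Fold case, slash direction and trailing separators where they do not matter."""
    mod = flavour(path)
    return mod.normcase(mod.normpath(path))

def check_layout(yml_text):
    """Return one message per folder that serves more than one role."""
    paths = read_paths(yml_text)
    missing = [k + " is not set" for k in ("path.data", "path.repo") if not paths.get(k)]
    if missing:
        return missing
    roles = {}  # canonical folder -> roles pointing at it
    for data_dir in paths["path.data"]:
        mod = flavour(data_dir)
        roles.setdefault(canonical(data_dir), set()).add("data")
        # Assumption: archive is the sibling folder "parallel to" the data directory.
        archive = mod.join(mod.dirname(mod.normpath(data_dir)), "archive")
        roles.setdefault(canonical(archive), set()).add("archive")
    for repo_dir in paths["path.repo"]:
        roles.setdefault(canonical(repo_dir), set()).add("repo")
    return [f"{folder} is used for {' and '.join(sorted(r))}"
            for folder, r in roles.items() if len(r) > 1]

# Constructed sample: repo differs from data only in case and slashes.
BAD = r'''path.data : ["D:\\ESStore\\data"]
path.repo : ["d:/esstore/DATA/"]'''
print(check_layout(BAD))
```

An empty list means the three folders are distinct; any message names the folder that is shared and the roles that collide on it.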
Steps to migrate Elasticsearch data to a new location
Case 1: EventLog Analyzer is integrated with Log360 and is installed with Log360 installer (Bundled)
In this case, EventLog Analyzer uses a common Elasticsearch that is shared with the other modules.
Note: Here, only one Elasticsearch instance is in use. It is listed under Log360 Admin > Administrator > Search Engine Management; clicking Details shows that it is running from the <ManageEngine>\elasticsearch\ES folder. (Refer to Figure 1)
Figure 1: Details of the Elasticsearch node running location
Here are the steps to migrate data for EventLog Analyzer bundled with Log360:
- Shut down EventLog Analyzer and Log360.
- Shut down common ES:
  - Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
  - Run stopES.bat
- Copy the data directory from <ManageEngine>\elasticsearch\ES\data to the new location.
- Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, and update path.data to include the new data location. (Refer to Figure 2)
- Update path.repo in <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml to the new repository location (parallel to the new data path).
- Start the Log360 application along with its EventLog Analyzer module.
Figure 2: Update path.data and path.repo to new location
Case 2: EventLog Analyzer as a standalone setup (Not integrated with Log360)
Note: In this case, Elasticsearch will be running from <ManageEngine>\EventLog Analyzer\ES.
Here are the steps to migrate data for standalone EventLog Analyzer:
- Shut down EventLog Analyzer.
- Copy the data directory from <ManageEngine>\EventLog Analyzer\ES\data to the new location.
- Create a folder with the name archive (parallel to the new data directory).
- Move the files from <ManageEngine>\<EventLog Analyzer>\ES\archive folder to the new folder named archive.
- Navigate to <ManageEngine>\<EventLog Analyzer>\ES\config\elasticsearch.yml, and update path.data to include the new data location. (Refer to Figure 2)
- Update path.repo in <ManageEngine>\<EventLog Analyzer>\ES\config\elasticsearch.yml to the new repository location (parallel to the new data path).
- Start EventLog Analyzer.
Case 3: EventLog Analyzer is manually integrated into Log360
Note: In this case, EventLog Analyzer uses both its existing Elasticsearch (local ES) and the common ES (after integration with Log360). Since two Elasticsearch instances are in use, both are listed under Log360 Admin > Administrator > Search Engine Management. Clicking Details shows the running locations of both ES instances. (Refer to Figure 3)
Figure 3: Details of the running locations of the Elasticsearch nodes
Here are the steps to migrate data for EventLog Analyzer integrated with Log360:
- Shut down EventLog Analyzer and Log360.
- Shut down common ES:
  - Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
  - Run stopES.bat
There are two running Elasticsearch nodes for which we need to migrate data:
A. Migrating common ES data
- Copy the data directory from <ManageEngine>\elasticsearch\ES\data to the new location.
- Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, and update path.data to include the new location. (Refer to Figure 2)
- Update path.repo in <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml to include the new repository location (parallel to path.data).
B. Migrating local ES data
Note: The path here should be different from the one given for common ES.
- Copy the data directory from <ManageEngine>\EventLog Analyzer\ES\data to the new location.
- Navigate to <ManageEngine>\<Eventlog>\ES\config\elasticsearch.yml, and update path.data to include the new location. (Refer to Figure 2)
- Update path.repo in <ManageEngine>\<Eventlog home>\ES\config\elasticsearch.yml to the same repository location as that of common ES.
- Create a folder with the name archive (parallel to the new data directory).
- Move the files from <ManageEngine>\<Eventlog>\ES\data to the new location.
- Move the files from <ManageEngine>\<Eventlog>\ES\archive folder to the new folder named archive.
- Start Log360 and EventLog Analyzer.
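Because Elasticsearch is stopped before the data directory is copied in all three cases, the old and new trees can be compared file by file before path.data is switched and the products are started. This Python check is an added example, not part of the product; the function names and the 20% free-space headroom are assumptions.

```python
import hashlib
import os
import shutil

def tree_size(root):
    """Total bytes of all files under root."""
    return sum(os.path.getsize(os.path.join(d, f))
               for d, _, files in os.walk(root) for f in files)

def has_room(src_data, dest_parent, headroom=1.2):
    """True if the destination volume can hold the data plus the assumed headroom."""
    return shutil.disk_usage(dest_parent).free >= tree_size(src_data) * headroom

def file_digests(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for d, _, files in os.walk(root):
        for name in files:
            full = os.path.join(d, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                # Read in 1 MiB chunks so large index segments are not loaded whole.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests

def compare_copy(src_data, new_data):
    """Return (missing, altered, extra) relative paths; all empty means a faithful copy."""
    src, dst = file_digests(src_data), file_digests(new_data)
    missing = sorted(set(src) - set(dst))
    altered = sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p])
    extra = sorted(set(dst) - set(src))
    return missing, altered, extra

if __name__ == "__main__":
    import sys
    old, new = sys.argv[1], sys.argv[2]  # old and new ES data directories
    print("missing/altered/extra:", compare_copy(old, new))
```

Run has_room before the copy and compare_copy after it, while Elasticsearch is still stopped, so that no file changes between hashing the old and the new tree.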
Migrate Archive Data
Pre-requisites
| | Service account permissions: Local system account | Service account permissions: Service user account | Storage |
|---|---|---|---|
| Local drives | Should have sufficient read and write permissions. | Should have sufficient read and write permissions. | Sufficient disk space should be provided according to the archives size already present. Refer to the System requirements and Tuning Guide document for disk space. Exact disk space for the archives to be stored once migrated can be calculated only with the log flow. |
| Network drives | Local system account cannot be used. | 1. The network path should be accessible from the EventLog Analyzer machine using the service user account. 2. Should have sufficient read and write permissions for that service user account. 3. No interruption in connectivity to the network share. | |

S3 Bucket: Refer to the document for configuration and pre-requisites.
System requirements
Note: The values mentioned above are approximate and can vary depending on the size and flow of the logs.
Steps to migrate the old archive data
Note: This is applicable to EventLog Analyzer builds greater than 12330.
Steps to change the location of the archives in the database
Here are the steps to change the location of the archives in the database:
- If the newly created archives should be stored in the new location, go to Settings > Admin Settings > Data Storage > Archives > Settings and update the zip location to the new location. If they are required to be stored in the old location, this step can be skipped. (Refer to Figure 1)
Figure 1: Update archive location
- Manually move the old archives from the old location to the new location.
- Now the location has to be updated in the database for each archive. Go to Settings > Admin Settings > Data Storage > Archives > More (in the top right corner) > Update path. (Refer to Figure 2)
Figure 2: Archive data - Update paths
- Select the old archive location in the dropdown and enter the new location where the archives are moved.
- Once all the archive locations are updated, click on the Refresh icon in the top right corner to update the status of the archives. (Refer to Figure 3)
Figure 3: Update status of archives