Move EventLog Analyzer installation to another machine

If you're planning to migrate EventLog Analyzer to a different server, possible data loss could be a major concern. This document will provide the steps to migrate your EventLog Analyzer installation to a different server without the loss of any data.

Below are the two variants of EventLog Analyzer setup with three different scenarios.

  1. Integrated with Log360
    • Only EventLog Analyzer is moved
    • EventLog Analyzer is moved with Log360
  2. Not integrated with Log360

Move EventLog Analyzer installation to another machine: Integrated with Log360 - Only EventLog Analyzer is moved

If you are planning to move EventLog Analyzer to another server and if EventLog Analyzer is integrated with Log360, please follow the below step-by-step instructions.

Pre-requisites:

  • Refer to the System Requirements to plan the new server specification. The resource utilization is purely based on the log flow in your environment.
  • Refer to EventLog Analyzer - Prerequisites to know the ports to be enabled.
  • Do not delete the previous installation until you ensure the migration is successful. Verify the migration by checking the log collection for at least 30 minutes.

Steps for migration

  1. As you are moving only EventLog Analyzer to a different server, the integration with Log360 needs to be removed first. You have to integrate EventLog Analyzer with Log360 again after moving it to a different server.

    To remove EventLog Analyzer integration from Log360

    • Go to Log360 Overview → Admin → Log360 integration. There will be eight tabs visible, each of which represents an individual Log360 component.
    • Click on EventLog Analyzer tab.
    • Enter the Server Name or IP, along with the Port in which EventLog Analyzer is running.
    • Select the connection Protocol from the drop-down menu.
    • Click Remove to remove integration.
    Note: Upon removing integration, the log data from elasticsearch/ES/data folder will be moved to EventLog Analyzer/ES/data folder. The time required to move the data may vary depending on the data folder size and disk performance.
  2. Once the integration is removed, stop the EventLog Analyzer service. (Start → Run → Type services.msc and press OK → Stop the service ManageEngine EventLog Analyzer)

    For Linux:

    sh configureAsService.sh -t

  3. Ensure that the processes java.exe, postgres.exe, and SysEvtCol.exe are not running in the Task Manager.

    Note: For Linux, ensure that the processes java, postgres, and SysEvtCol are not running.

  4. Copy the entire <EventLog Analyzer Home> directory to the new server.
  5. After EventLog Analyzer is moved, if the new path is not the same as the previous path, path.data and path.repo in <EventLog Analyzer Home>\ES\config\elasticsearch.yml need to be updated accordingly.
  6. Open the Command Prompt as admin, set the path to <EventLog Analyzer Home>\bin, and execute initPgsql.bat to set the permissions for the database.

    If you are using MS SQL server as your database and if it is running on a remote computer, download and install the SQL Native Client/ODBC Driver that is appropriate for the SQL Server version in the new Event Log Analyzer machine.

    More information on SQL Native Client/ODBC Driver is available here.

  7. Since the service has not been installed on the new server, we have to install it manually. Open the Command Prompt as Admin, set the path to <EventLog Analyzer Home>\bin, and execute the following command to install the EventLog Analyzer service.

    service.bat -i

  8. The service will now be installed. Try starting the service and open EventLog Analyzer with your browser to log in.
  9. EventLog Analyzer archive path has to be modified. Access the UI and navigate to Settings → Admin Settings → Manage Archives → Settings → Archive Location.

    If the new path is not the same as the old path, please Update the path and Review the file integrity.

  10. As we have removed the integration, we need to re-integrate EventLog Analyzer with Log360.

To integrate EventLog Analyzer to Log360

  • Go to Log360 Overview → Admin → Log360 integration. There will be eight tabs visible, each of which represents an individual Log360 component.
  • Click on the EventLog Analyzer tab.
  • Enter the server's name or IP address, along with the Port number on which that specific component is running.
  • Select the connection Protocol from the drop-down menu.
  • Default credentials should be updated under Authentication as we are performing remote integration of EventLog Analyzer with Log360.
NOTE:
  • Ensure that the EventLog Analyzer and Log360 web ports are open in the firewalls of both the Log360 and EventLog Analyzer servers so that the two can communicate for integration.
  • Upon integrating, log data from the EventLog Analyzer/ES/data folder will be moved to the elasticsearch/ES/data folder. The time required to move the data may vary depending on the data folder size and disk performance.

This completes the migration process.

Post-migration steps:

  • If you have enabled log forwarding from any Linux, Unix, router, switch, firewall, or syslog devices to EventLog Analyzer, you would need to re-point them to the new server.
  • If an agent has been configured for any device, check if it has been modified appropriately.

Move EventLog Analyzer installation to another machine: Integrated with Log360 - EventLog Analyzer is moved with Log360

If you are planning to move EventLog Analyzer to another server together with Log360, and EventLog Analyzer is integrated with Log360, please follow the below step-by-step instructions.

Pre-requisites:

  • Refer to the System Requirements to plan the new server specification. The resource utilization is purely based on the log flow in your environment.
  • Refer to EventLog Analyzer - Prerequisites to know the ports to be enabled.
  • Do not delete the previous installation until you ensure the migration is successful. Verify the migration by checking the log collection for at least 30 minutes.
  • Ensure that all the child components are integrated with the correct instance details in Log360 - Integration Settings post migration.

Steps to Migrate:

  1. Stop the Log360 and EventLog Analyzer services in services.msc.
  2. Shut down the common ES.
    • Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
    • Run stopES.bat
  3. Ensure that no process from Log360, EventLog Analyzer, or elasticsearch is running in the background.
  4. As both Log360 & EventLog Analyzer are being moved, the integration need not be removed. However, you would need to copy the following folders to the new server:
    • <ManageEngine Home>\EventLog Analyzer folder
    • <ManageEngine Home>\elasticsearch
    • <ManageEngine Home>\Log360
  5. After the Log360 & elasticsearch folders are moved along with EventLog Analyzer, if the new path is not the same as the previous path, path.data and path.repo in <ManageEngine Home>\elasticsearch\ES\config\elasticsearch.yml need to be updated.
  6. path.data in <EventLog Analyzer Home>\ES\config\elasticsearch.yml needs to be updated as well.

  7. Open the command prompt as Admin and set the path to <EventLog Analyzer Home>\bin and execute initPgsql.bat to set the permissions for the database.
    Note: For Linux, initPgsql.sh has to be executed.

    If you are using MS SQL server as your database and if it is running on a remote computer, download and install the SQL Native Client/ODBC Driver that is appropriate for the SQL Server version in the new Event Log Analyzer machine.

    More information on SQL Native Client/ODBC Driver is available here

    For Log360 SQL database re-configuration, visit Log360 - Database Migration.

  8. Since the service has not been installed in the new server, we have to install it manually for both EventLog Analyzer and Log360.

    Open the Command Prompt as admin, set the path to <EventLog Analyzer Home>\bin, and execute the following command to install the EventLog Analyzer service.

    service.bat -i

    Set the path to <Log360 Home>\bin and execute InstallNTService.bat to install Log360 as service.

  9. The service will now be installed. Try starting the service and open Log360 in your browser to log in.
  10. EventLog Analyzer archive path has to be modified. Access the EventLog Analyzer UI and navigate to Settings → Admin Settings → Manage Archives → Settings → Archive Location.

    If the new path is not the same as old path, please Update the path and Review the file integrity.

  11. From the Log360 UI, navigate to Admin >> Administration >> Log360 Integration and choose EventLog Analyzer to verify if the details are correct.

Now the Migration has been completed.

Post migration steps:

  • If you have enabled log forwarding from any Linux, Unix, router, switch, firewall, or syslog devices to EventLog Analyzer, you would need to re-point them to the new server.
  • If an agent has been configured for any device, check if it has been modified appropriately.

Move EventLog Analyzer installation to another machine: Not integrated with Log360

If you are planning to move the EventLog Analyzer to another server and if EventLog Analyzer is a standalone edition (not integrated with Log360), please follow the below step by step instructions.

  • Refer to the System Requirements to plan the new server specification. The resource utilization is purely based on the log flow in your environment.
  • Refer to EventLog Analyzer - Prerequisites to know the ports to be enabled.

Steps to migrate:

  1. Stop the EventLog Analyzer service. (Start → Run → Type services.msc and press OK → Stop the service ManageEngine EventLog Analyzer)

    For Linux:

    sh configureAsService.sh -t

  2. Open Command Prompt as Admin and set the path to the <EventLog Analyzer Home>/bin directory. Execute shutdown.bat, stopDB.bat and stopSEC.bat to stop the product from the installation directory.

    Ensure that the processes java.exe, postgres.exe, and SysEvtCol.exe are not running in the Task Manager.

    Note: For Linux, ensure that the processes java, postgres, and SysEvtCol are not running. Execute shutdown.sh, stopDB.sh and stopSEC.sh from the EventLog Analyzer/bin directory to stop the product from the installation directory.
  3. Copy the entire <EventLog Analyzer Home> directory to the new server.
  4. After EventLog Analyzer is moved, if the new path is not the same as the previous path, path.data and path.repo in <EventLog Analyzer Home>\ES\config\elasticsearch.yml need to be updated accordingly.
  5. Open the command prompt as admin, set the path to <EventLog Analyzer Home>\bin, and execute initPgsql.bat to set the permissions for the database.

    If you are using MS SQL server as your database and if it is running on a remote computer, download and install the SQL Native Client/ODBC Driver that is appropriate for the SQL Server version in the new Event Log Analyzer machine.

    More information on SQL Native Client/ODBC Driver is available here.

  6. Since the service has not been installed on the new server, we have to install it manually. Open the Command Prompt as Admin, set the path to <EventLog Analyzer Home>\bin, and execute the following command to install the EventLog Analyzer service.

    service.bat -i

  7. The service will now be installed. Try starting the service and open EventLog Analyzer with your browser to log in.
  8. EventLog Analyzer archive path has to be modified. Access the UI and navigate to Settings → Admin Settings → Manage Archives → Settings → Archive Location.

    If the new path is not the same as the old path, please Update the path and Review the file integrity.

The migration is now completed.
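
The path.data and path.repo update that all three scenarios call for, as an added example (not ManageEngine code): it rewrites only those two keys when the install root changes and lists any other setting that still names the old root. The install roots and the elasticsearch.yml lines are constructed sample values; run it once per elasticsearch.yml file.

```python
import re

KEYS = ("path.data", "path.repo")  # the two settings the guide says to update
SEP = r"[\\/]+"                    # a run of slashes of either kind

# Constructed sample values (assumptions, not taken from a real installation).
OLD = r"C:\ManageEngine\EventLog Analyzer"
NEW = r"D:\SIEM\EventLog Analyzer"
SAMPLE = r'''# constructed elasticsearch.yml fragment
cluster.name: example
path.data: C:\ManageEngine\EventLog Analyzer\ES\data
path.repo: ["C:\\ManageEngine\\EventLog Analyzer\\ES\\repo"]
#path.data: C:\ManageEngine\EventLog Analyzer\old
path.logs: C:\ManageEngine\EventLog Analyzer\ES\logs
'''

def _parts(path):
    return re.split(SEP, path.rstrip("\\/"))

def rebase_es_paths(yml_text, old_home, new_home):
    """Return (new_text, changed, leftover) after moving old_home to new_home."""
    old_re = re.compile(r"(?<!\w)" + SEP.join(map(re.escape, _parts(old_home)))
                        + r"(?=[\\/\"'\],\s]|$)", re.IGNORECASE)

    def swap(match):
        # Keep the separator style the line already uses (\\, / or \).
        found = match.group(0)
        sep = "\\\\" if "\\\\" in found else "/" if "/" in found else "\\"
        return sep.join(_parts(new_home))

    out, changed, leftover, key = [], [], [], None
    for n, line in enumerate(yml_text.splitlines(), 1):
        s = line.strip()
        m = re.match(r"(path\.\w+)\s*:", s)
        if m:
            key = m.group(1)
        elif not s.startswith("-"):
            key = None                   # anything else ends a multi-line list
        if not s.startswith("#") and old_re.search(line):
            if key in KEYS:
                line = old_re.sub(swap, line)
                changed.append((n, key))
            else:
                leftover.append((n, s))  # still names the old root: review by hand
        out.append(line)
    return "\n".join(out) + "\n", changed, leftover

if __name__ == "__main__":
    text, changed, leftover = rebase_es_paths(SAMPLE, OLD, NEW)
    print(text, changed, leftover, sep="\n")
```

Commented-out lines are left untouched, and a root that is only a name prefix of another directory is not rewritten.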

Post migration steps:

  • If you have enabled log forwarding from any Linux, Unix, router, switch, firewall, or syslog devices to EventLog Analyzer, you would need to re-point them to the new server.
  • If an agent has been configured for any device, check if it has been modified appropriately.
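
One way to find Linux forwarders that still point at the old server, as an added example (not ManageEngine code). It assumes the devices forward with rsyslog; the host names, addresses and configuration lines are constructed.

```python
import re

# Legacy syntax: "<selector> @host:port" (UDP) or "<selector> @@host:port" (TCP).
LEGACY = re.compile(r"^\s*\S+\s+(@@?)(?:\([^)]*\))?(\[[^\]]+\]|[^:\s;]+)(?::(\d+))?")
# RainerScript syntax: action(type="omfwd" target="..." port="..." protocol="...").
ACTION = re.compile(r"\baction\s*\((.*?)\)", re.S | re.I)
PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Constructed rsyslog.conf fragment (sample input, not from a real device).
SAMPLE = '''\
# constructed rsyslog.conf fragment
*.* @192.0.2.10:514
auth,authpriv.* @@ela-old.example.com:513
#*.* @192.0.2.10
local7.* @198.51.100.20
action(type="omfwd"
       target="192.0.2.10" port="514" protocol="tcp")
'''

def forward_targets(conf_text):
    """Return sorted (line, host, port, protocol) for every forwarding rule."""
    # Blank out comment lines but keep them so line numbers stay correct.
    lines = ["" if l.lstrip().startswith("#") else l for l in conf_text.splitlines()]
    found = []
    for n, line in enumerate(lines, 1):
        m = LEGACY.match(line)
        if m:
            proto = "tcp" if m.group(1) == "@@" else "udp"
            host = m.group(2).strip("[]").lower()
            found.append((n, host, int(m.group(3) or 514), proto))
    body = "\n".join(lines)
    for m in ACTION.finditer(body):          # an action() may span several lines
        p = {k.lower(): v for k, v in PARAM.findall(m.group(1))}
        if p.get("type", "").lower() == "omfwd" and "target" in p:
            n = body.count("\n", 0, m.start()) + 1
            found.append((n, p["target"].lower(), int(p.get("port", 514)),
                          p.get("protocol", "udp").lower()))
    return sorted(found)

def stale_forwarders(conf_text, old_servers):
    """Forwarding rules whose target is one of the old server's names or IPs."""
    old = {s.lower() for s in old_servers}
    return [t for t in forward_targets(conf_text) if t[1] in old]

if __name__ == "__main__":
    for rule in stale_forwarders(SAMPLE, ["192.0.2.10", "ela-old.example.com"]):
        print("still pointing at old server:", rule)
```

Pass every name and address the old server was known by, since devices are often configured with the IP in one place and the host name in another.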

For Windows builds 12336 (ELA) and 5345 (Log360) and above

For a secure installation, invoke <ProductHome>\bin\setAppPermission.bat in addition to initPgsql.bat.

Copyright © 2020, ZOHO Corp. All Rights Reserved.
