Migrate Cortex XSOAR objects to Elasticsearch from a distributed database environment.
You should migrate Cortex XSOAR objects to Elasticsearch if you plan to ingest a large amount of objects.
When you run the migration tool, the contents of the Cortex XSOAR database are read, and a corresponding object is created in Elasticsearch. The migration tool is run from the main database machine and from each database node.
In the BoltDB, data related to incidents and indicators is stored in partitions by month. To minimize downtime during the migration, we recommend you create a copy of the database, then migrate data that is older than three months from the copy, while continuing to work in your current environment. Once the initial migration is completed, you should then migrate the last three months.
All commands are run from the Cortex XSOAR server machine.
To migrate your data, use the migration tool. You cannot run more than one migration tool process at a time.
Note
Always migrate older data before newer data. Migrating partitions out of order can cause duplicate incident ids.
By default, the migration tool skips over objects larger than 100 megabytes. After the migration process runs, you can view the skipped large objects and determine whether to migrate them. For more information, see Validate the Migration to Elasticsearch.
For the main database, copy the Cortex XSOAR database either by taking a snapshot OR manually create a copy of the
/var/lib/demisto/data
directory and thedemisto.conf
file. Then follow the same procedure for each node.Download the migration tool by appending
downloadName=elasticsearch_migration_tool_6_x_x
to the end of the download link that you received, when installing Cortex XSOAR. ReplaceX_X
with the version number.Copy your database and migrate data from the copy database to Elasticsearch.
It is recommended to copy your data up to the last three months, without any downtime. If you do not want to do this, go to step 4.
Copy the Cortex XSOAR database by doing one of the following:
Take a snapshot of the database.
Manually create a copy of the
/var/lib/demisto/data
directory.
Copy the
demisto.conf
file.Edit the copy of the
demisto.conf
file, by adding your Elasticsearch configuration.Ensure that the same Elasticsearch object exists in the
demisto.conf
on the app server and the main database and hatelasticsearch
is the top-level object in thedemisto.config
file (within the main curly brackets).Edit the copies of
demisto.conf
for the main database and for each node to add your Elasticsearch configuration.For the main database and for each node, using
demisto
orsudo
permissions, run the following command:sudo ./elasticMigrator -config-path
<file path-of-copy-of-demisto.conf>
-db-path<path-of-the-copy-of-the-demisto-database>
-<flags>
For a full list of the flags, see Migration Tool Flags. For example, to exclude the last 3 partitions from the migration, add the
-only-old-partitions
and-partitions-back
flags:sudo ./elasticMigrator -config-path /usr/local/dev/copy_of_demisto.conf -db-path /usr/local/dev/lib_demisto_copy/data -only-old-partitions -partitions-back 3
When you run the migration tool, parameter values specified in the
demisto.conf
file override values supplied for tool flags and default values. If no value exists in thedemisto.conf
file, values supplied in the tool flags override default values, but do not write the values to thedemisto.config
file.Complete steps 1 to 3 in Validate the migration.
After the migration of the data is complete and validated, migrate your remaining data from the active database to Elasticsearch.
Create a backup copy of the
demisto.conf
file for your active database.Edit the original
demisto.conf
file (not a copy) for the main database and for each node to add your Elasticsearch configuration. Ensure that the same Elasticsearch object exists in thedemisto.conf
on the app server and the main database.For the main database and for each node, stop the Cortex XSOAR server.
Ubuntu:
sudo service demisto stop
For the main database and for each node, run the
sudo ./elasticMigrator
command with either demisto or sudo permissions. Use thepartitions-back
flag to specify the remaining partitions.For example,
sudo ./elasticMigrator -partitions-back 3
migrates the last three partitions, which would include the current month and the previous two months, as well as the main partition.Validate the migration (all steps).
Migration Tool Flags
Flag | Type | Description | Required |
---|---|---|---|
| String | A comma-separated list of accounts to migrate. If not specified, all accounts are migrated. | Optional |
| String | The path to the configuration file for the server. Default: | Optional |
| String | The path to the database directory. Default: | Optional |
| Integer | The number of indicators per batch to write to Elasticsearch indices. Default: | Optional |
| String | The index prefix used in Elasticsearch. | Optional |
| String | The API key to connect to Elasticsearch. | Required (unless a username and password are used) |
| String | The password to connect to Elasticsearch. | Required (unless API key is used) |
| String | The URL of your Elasticsearch environment. Default: | Required |
| String | The username to connect to Elasticsearch. | Required (unless API key is used) |
| String | The path to the file with the IDs to ignore, per object. | Optional |
| String | The log level to display. Default: | Optional |
| String | The location of the log file. Default: | Optional |
| Integer | Log individual failed items, either in a single meta file, or file per item failure. Values:
| Optional |
| Boolean | By default, the Elasticsearch tool checks existing indices and migrates only the ones that are new. Using this flag, the Elasticsearch tool migrates all indices even if they currently exist. This is useful, for example, if there was an error or invalid data that was fixed. When used, the
| Optional |
| String | Comma-separated list of objects not to migrate. When the | Optional |
| String | Comma-separated list of objects to migrate. When the | Optional |
| String | Comma-separated list of partitions to exclude. | Optional |
| String | Comma-separated list of partitions to migrate. If no partitions are specified, all partitions are migrated. | Optional |
| N/a | Show results of the previous migration. | Optional |
| Boolean | Existing indicators are not modified during the migration. Values:
| Optional |
| Integer | The maximum size, in megabytes, of objects that will be migrated to Elasticsearch. The default is 100 MB. | |
| Boolean | Retry the migration of large objects when rerunning the migration tool. With this flag, the entire bucket that contains the skipped large object is migrated again, which may include data that was previously migrated. If new data has been added in Elasticsearch since the earlier migration, this data will be overwritten. | |
| Boolean | When the partitions flag is used, the | |
| Integer | Provides an option to migrate X number of partitions back. For example, migrating three partitions back migrates the current month and the previous two months. If set to 0 or not used, all partitions are migrated. | |
| Boolean | Can only be used with the | |
| N/a | Prints the migration tool version. | Optional |
| N/a | Answers yes to all questions, unless there is an error. | Optional |