Instructions for migrating your Cortex XSOAR Multi-tenant deployment to enable High Availability.
To migrate a multi-tenant deployment from BoltDB to Elasticsearch with High Availability, there are two steps. First, you use the Cortex XSOAR migration tool to migrate the databases. Then you set up additional app servers to achieve high availability.
Note
In a multi-tenant, high availability configuration, if you purge an Elasticsearch-based environment, Cortex XSOAR's lib directory is not deleted unless you pass the purge-mount flag to the installer or you agree to delete the lib directory by not passing the --y flag during the purge process.
Migration
The migration tool migrates Cortex XSOAR objects to an Elasticsearch database. When you run the migration tool, the contents of the Cortex XSOAR database are read, and a corresponding object is created in Elasticsearch. The migration tool is run from the main machine and each host machine. Migrate the main account on the main host, then the tenants on the main host, and then proceed to other hosts and tenant accounts. For complex environments with multiple host machines, we recommend migrating all tenants on a host before proceeding to the next host.
Note
You cannot run more than one migration tool process at a time.
When you run the migration tool, parameter values identified in the demisto.conf
file override values supplied for tool flags and default values. If no value exists in the demisto.conf
file, values supplied in the tool flags override default values, but do not write the values to the demisto.config
file. For example, if the db-path is identified in the configuration file, the tool will use the value in that file, not the value supplied or the default value, when running the tool.
If you are upgrading from Cortex XSOAR v6.0 to v6.5 and you have indicators and audits stored in Elasticsearch in Cortex XSOAR v6.0, upgrade from Cortex XSOAR v6.0 to v6.5 before the migration. Do NOT start the server. Then follow the migration instructions below.
Before you begin, ensure the following:
All app servers have network access to port 9200 for communication with Elasticsearch.
All app servers have network access to each other over port 443.
In the BoltDB, data related to incidents and indicators is stored by month in partitions. To minimize downtime during migration, we recommend creating a copy of the database and migrating data that is older than three months from the copied database. This enables you to continue to work in your current environment. When the initial migration completes, migrate the remaining months.
Copy the
demisto.lic
file from the/usr/local/demisto
directory on the main host to the/var/lib/demisto
directory.Add the following entry in the
demisto.conf
file:license.file.path:"/var/lib/demisto"
Follow the migration instructions for multi-tenant deployments.
If you used Elasticsearch to store indicators and audits in Cortex XSOAR v6.0 prior to upgrade, ensure the
demisto.conf
file is up-to-date with the Elasticsearch object before migration. To avoid overwriting indicators that might already exist in Elasticsearch, you must run the migration with the-objects-to-ignore "newInsights"
flag. If you already migrated audits in a previous version, you must run the migration with the-objects-to-ignore "newInsights, audits"
flag.
Migration Tool Flags
Flag | Type | Description | Required |
---|---|---|---|
| String | A comma-separated list of accounts to migrate. If not specified, all accounts are migrated. | Optional |
| String | The path to the configuration file for the server. Default: /etc/demisto.conf. | Optional |
| String | The path to the database directory. Default: /var/lib/demisto. | Optional |
| Integer | The number of indicators per batch to write to Elasticsearch indexes. Default: 700. | Optional |
| String | The index prefix used in Elasticsearch. | Optional |
| String | The API key to connect to Elasticsearch. | Required (unless a username and password are used) |
| String | The password to connect to Elasticsearch. | Required (unless API key is used) |
| String | The URL of your Elasticsearch environment. Default: http://localhost:9200. | Required |
| String | The username to connect to Elasticsearch. | Required (unless API key is used) |
| String | The path to the file with the IDs to ignore, per object. | Optional |
| String | The log level to display. Default: info. | Optional |
| String | The location of the log file.Default: /var/log/demisto/elastic_migration.log | Optional |
| Integer | Log individual failed items, either in a single meta file, or file per item failure. Values:
| Optional |
| true | By default, the Elasticsearch tool checks existing indexes and migrates only the ones that are new. Using this flag, the Elasticsearch tool migrates all indexes even if they currently exist. This is useful, for example, if there was an error or invalid data that was fixed. When used, the objects-to-migrate and objects-to-ignore flags are ignored. | Optional |
| String | Comma-separated list of objects not to migrate. When the migrate-all flag is used, this flag is ignored. | Optional |
| String | Comma-separated list of objects to migrate. When the migrate-all flag is used, this flag is ignored. | Optional |
| String | Comma-separated list of partitions to migrate. If no partitions are specified, all partitions are migrated. | Optional |
| String | Comma-separated list of partitions to exclude. | Optional |
| Show results of the previous migration. | Optional | |
| false | Existing indicators are not modified during the migration. | Optional |
| Integer | The maximum size, in megabytes, of objects that will be migrated to Elasticsearch. The default is 100 MB. | |
| Boolean | Retry the migration of large objects when re-running the migration tool. With this flag, the entire bucket that contains the skipped large object is migrated again, which may include data that was previously migrated. If new data has been added in Elasticsearch since the earlier migration, this data will be overwritten. | |
| Boolean | When the partitions flag is used, the | |
| Integer | Provides an option to migrate X number of partitions back. For example, migrating 3 partitions back migrates the current month and the previous two months. If set to 0 or not used, all partitions are migrated. | |
| Boolean | Can only be used with the partitions-back flag. Migrates all partitions other than the most recent partitions specified with partitions-back. For example, | |
| Prints the migration tool version. | Optional | |
| false | Answers yes to all questions, unless there is an error. | Optional |
High Availability - Main Host
The main account cannot be High Availability if it has tenant accounts. Move any tenant accounts from the main host to another host before proceeding.
Edit the
demisto.conf
file to set the app server’s hostname:Under the Server object, set the value of the
inClusterHostname
parameter to the desired hostname. The hostname should be the internal address used for communication with the other app servers.(Optional) Apply a certificate.
(Optional) Install additional app servers.
Verify that the clocks on the app servers are synchronized with an NTP server.
High Availability - Hosts
Add hosts to a HA group:
Note
All hosts in the HA Group must have the same hardware specifications.
When working in a high availability configuration, you must mount
/var/lib/demisto/
on a shared file system, to allow application servers to share files such as license, artifacts, and attachments. When migrating an existing file system to a shared file system, move the/var/lib/demisto
folder without the/var/lib/demisto/temp
subdirectory to the shared directory. If you are using a location that is different from the default/var/lib/demisto
, you must install the additional hosts using the-data-dir
flag. For the existing host, follow instructions to Move Data Folders to Another Location on the Server.The
temp
directory must be local and not shared. To change the location of thetemp
directory, edit thefolders.temp
key in thedemisto.conf
file for the host and also edit thefolders.temp
key for each tenant on each host. The tenant conf file can be found at/usr/local/demisto/tenants/acc_{
.tenant_name
}/server.confIn the Main host, navigate to the Hosts page, under
→ . A list of all of the hosts, including those you have migrated, will be displayed.Select the Host for which you want to create an HA group and click Make Host Highly Available.
In the window that appears, click Download Host Installer.
Use this dedicated installer for installing additional hosts to this HA group. The new hosts will automatically be configured to connect to the relevant Elasticsearch index.
Purge an Elasticsearch Environment
In an multi-tenant, high availability configuration, if you purge an Elasticsearch-based environment, Cortex XSOAR's lib directory is not deleted unless you pass the purge-mount
flag to the installer or you agree to delete the lib directory by not passing the --y
flag during the purge process.