Reindex a Specific Index for a Tenant

Cortex XSOAR Multi-Tenant Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-29
Last date published: 2023-06-08
End_of_Life: EoL
Category: Multi-Tenant Guide

In some cases, you might need to reindex a specific index database for a tenant if you encounter incorrect or partial data in Cortex XSOAR. Reindexing processes all data for that index database and ensures it is fully available for searches in the Cortex XSOAR UI. If the issues relate to multiple indexes, you can reindex more than one index database at a time or reindex the entire database. We recommend consulting with Cortex XSOAR support before reindexing.

Note

Depending on the volume of the data in the system, it may take some time for the indexing to complete. Reindexing a tenant requires machine resources and might have a temporary impact on the performance of other tenants.

  1. Stop the tenant process.

    Go to Settings > Account Management > Accounts, select the tenant account, and click Stop. Click Stop again to confirm.

  2. Back up the index directory.

    tar -czvf /tmp/<TenantName>_index_bkp.tar.gz /var/lib/demisto/tenants/acc_<TenantName>/data/demistoidx

    The example command above uses the tmp directory. Any directory can be used, but the backup should not be stored under /var/lib/demisto.

  3. Select the tenant account in the UI and click Start.

  4. In Additional arguments for tenant start, add the following argument: -restore-index-name=indexName, and click Start.

    To reindex multiple indexes, use a comma-separated list of index names for indexName.

  5. View the tenant server.log.

    Status code 433 indicates that the database is being reindexed. Example:

    2022-09-27 14:55:58.7146 info [GET] "/health" 433 60.463µs, message-id: cb0cce4d-cb6d-48d4-8b3b-82b61804942b (source: /builds/GOPATH/src/code.pan.run/xsoar/server/web/middleware.go:79)

    When new 433 statuses no longer appear in the log, the tenant is reindexed.

  6. From the server terminal, set permissions.

    sudo chown -R demisto:demisto /var/lib/demisto/tenants/acc_<TenantName>/data
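
The check in step 5 can be scripted instead of watching the log by eye. The following is an added example, not part of the vendor documentation: it reads a tenant server.log and reports whether 433 responses on /health are still appearing. The function names, the WINDOW threshold, and the 200 status used in the constructed sample lines are assumptions; pass the path of the tenant's server.log as the first argument.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. Reports whether a tenant server.log still
# shows status 433 on /health, i.e. whether reindexing is still running.

# reindex_state LOGFILE [WINDOW]
#   WINDOW (assumption, default 5): how many non-433 /health entries must
#   follow the last 433 before the reindex is treated as finished.
reindex_state() {
    local log=$1 window=${2:-5}
    awk -v window="$window" '
        # Fields: date time level [METHOD] "path" status duration, ...
        $4 == "[GET]" && $5 == "\"/health\"" {
            n++
            if ($6 == "433") { last433 = n; ts = $1 " " $2 }
        }
        END {
            if (!last433)                  print "no-433-seen"
            else if (n - last433 < window) print "reindexing last-433=" ts
            else                           print "done last-433=" ts
        }' "$log"
}

# sample_log STATUS...
#   Emits constructed /health lines in the format of the entry shown in
#   step 5. The 200 status for a healthy response is an assumption.
sample_log() {
    local status i=0
    for status in "$@"; do
        i=$((i + 1))
        printf '2022-09-27 14:55:%02d.0000 info [GET] "/health" %s 60.463µs, message-id: constructed\n' \
            "$i" "$status"
    done
}

# Usage: ./reindex_state.sh LOGFILE [WINDOW]
if [ "$#" -ge 1 ]; then
    reindex_state "$@"
fi
```

A result of no-433-seen after starting the tenant with -restore-index-name means the log shows no reindex activity yet, not that reindexing finished.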