How to move and convert SLM event data partitions into Sentinel partitions

  • 7017037
  • 01-Dec-2015
  • 14-Jan-2016

Environment

NetIQ Sentinel 7.3.x 
NetIQ Sentinel Log Manager 1.2.2.x

Situation

The event data from SLM needs to be moved to Sentinel.

Resolution

1. Identify the event data partitions in SLM which need to be migrated to Sentinel.
For example:
cd /var/opt/novell/sentinel_log_mgr/data/eventdata/
Event data partition directory: 20151106_5CD42980-666D-1033-BD26-005056A55734
2. Confirm the size of the partition by running the following command:
du -sch <partition directory name in SLM>
For example:
  du -sch 20151106_5CD42980-666D-1033-BD26-005056A55734/
3. Create a new retention policy in Sentinel that is the same as the retention policy used in SLM for the partition which needs to be migrated.
Navigate to "Storage" tab > "Event" and create the policy.
4. Note the UUID of the newly created policy in Sentinel from the database.
This can be done by connecting to the database from the console:
a. Switch the user to "novell" with command: su novell

b. Run the command:
/opt/novell/sentinel/bin/db.sh sql SIEM dbauser "select config_id from md_config where application = 'INDEXED_LOG' and data like '%<Policy name in Sentinel>%';"

For example: 
/opt/novell/sentinel/bin/db.sh sql SIEM dbauser "select config_id from md_config where application = 'INDEXED_LOG' and data like '%Syslog Event%';"

Where,
Table name: md_config
UUID column name: config_id
Policy name: Syslog Event
Application: INDEXED_LOG

The result returned is the UUID of the policy "Syslog Event":
For example:
config_id
--------------------------------------
89225BA0-68D0-1033-AC16-0050568E1E45
(1 row)

NOTE:
If the event data to be migrated belongs to the SLM policy "Default Data Retention", the corresponding policy name in Sentinel is "default".

Command to get UUID for "Default Data Retention" policy:
a. Switch the user to "novell" with command: su novell

b. Run the following command:
/opt/novell/sentinel/bin/db.sh sql SIEM dbauser "select config_id from md_config where application = 'INDEXED_LOG' and data like '%default%';"

The result returned is the UUID of the "Default Data Retention" policy:
For example:
config_id
--------------------------------------
408e7e50-c02e-4325-b7c5-2b9fe4853476
(1 row)
5. Copy the event data from SLM which belongs to the above-mentioned SLM retention policy to the /var/opt/novell/sentinel/data/eventdata/events directory in Sentinel by running the following command:
scp -r <partition directory name> root@<Sentinel machine IP>:/<location to which SLM event data to be copied in Sentinel>

For example:
scp -r 20151106_5CD42980-666D-1033-BD26-005056A55734/ root@1.2.3.4:/var/opt/novell/sentinel/data/eventdata/events/

Confirm that the partition data was copied completely by running the following commands on the Sentinel server:
cd /var/opt/novell/sentinel/data/eventdata/events/
du -sch <partition directory name of SLM in Sentinel>

For example: du -sch 20151106_5CD42980-666D-1033-BD26-005056A55734/

The results of step 2 and step 5 should match.
6. In Sentinel, rename the partition directory by replacing the SLM retention policy UUID with the UUID of the newly created Sentinel retention policy, keeping the dates intact, by running the following command:
mv <partition directory with SLM retention policy UUID> <partition directory with Sentinel retention policy UUID>

For example:
 mv 20151106_5CD42980-666D-1033-BD26-005056A55734/ 20151106_89225BA0-68D0-1033-AC16-0050568E1E45/

Note:
1. Ensure that the date in the renamed partition directory name in Sentinel is the same as the date in the SLM partition directory name. In the above example, the date is "20151106".
2. Ensure that you retain both the prefixed and the suffixed date in the partition directory name while renaming the directory, if both are present in the SLM partition directory name.
   For example:
   If 20151106_5CD42980-666D-1033-BD26-005056A55734_20151106 is the SLM data partition which needs to be migrated to Sentinel, the directory is renamed to 20151106_89225BA0-68D0-1033-AC16-0050568E1E45_20151106 in Sentinel, where "89225BA0-68D0-1033-AC16-0050568E1E45" is the UUID of the newly created Sentinel retention policy.
7. Perform the following steps for re-indexing:
a. Back up and remove the index directory from all the copied partition directories.

b. Re-index the event data using the following example as a guide. Re-indexing time depends on the size of the partition directories.
Example:

 /opt/novell/sentinel/jdk/bin/java -classpath /opt/novell/sentinel/lib/ccsapp*.jar esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild /var/opt/novell/sentinel/data/eventdata/events/20151106_89225BA0-68D0-1033-AC16-0050568E1E45/

c. Change the owner of the partition directories to novell.

Example: 

chown -R novell:novell 20151106_89225BA0-68D0-1033-AC16-0050568E1E45

d. Continue with "Step 8: Viewing Event Data Available for Restoration" to view the event data.

IMPORTANT: If the partition directories were created on a fresh install of SLM 1.2.2 or later, or after the upgrade to SLM 1.2.2 or later, re-indexing is not required. However, if the data is not recovered during restoration without re-indexing, re-indexing must be performed.
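The size check (steps 2 and 5) and the directory rename (step 6) can be scripted. The following POSIX shell functions are an added example, not part of the original article, and assume the partition directory name shape shown above (YYYYMMDD_<UUID>, optionally followed by _YYYYMMDD); the base directory and expected size are parameters supplied by the operator.

```shell
#!/bin/sh
# Added example (not from the original article): rename copied SLM partition
# directories to the Sentinel retention-policy UUID, as steps 5 and 6 describe.
# Assumes the directory name shape used on this page: YYYYMMDD_<UUID>[_YYYYMMDD].

# Print the Sentinel directory name for an SLM partition directory name,
# swapping the UUID and keeping the leading (and any trailing) date.
sentinel_partition_name() {
    slm_name=$1
    new_uuid=$2
    case "$slm_name" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_?*) ;;
        *) echo "unexpected partition name: $slm_name" >&2; return 1 ;;
    esac
    prefix=${slm_name%%_*}            # leading date, e.g. 20151106
    rest=${slm_name#*_}               # <UUID> or <UUID>_<date>
    case "$rest" in
        *_*) suffix=_${rest#*_} ;;    # retain the suffixed date when present
        *)   suffix= ;;
    esac
    printf '%s_%s%s\n' "$prefix" "$new_uuid" "$suffix"
}

# Size in KiB of a copied partition, for comparing with the du result taken on SLM.
partition_size_kb() {
    du -sk "$1" | cut -f1
}

# Rename one copied partition under $1 (e.g. /var/opt/novell/sentinel/data/eventdata/events),
# refusing to overwrite an existing directory and, when an expected size in KiB
# (the step 2 result) is given as $4, verifying the copy is complete first.
rename_partition() {
    base_dir=$1; slm_name=$2; new_uuid=$3; expected_kb=$4
    if [ -n "$expected_kb" ] && [ "$(partition_size_kb "$base_dir/$slm_name")" != "$expected_kb" ]; then
        echo "size mismatch for $slm_name; copy incomplete?" >&2; return 1
    fi
    target=$(sentinel_partition_name "$slm_name" "$new_uuid") || return 1
    if [ -e "$base_dir/$target" ]; then
        echo "target already exists: $base_dir/$target" >&2; return 1
    fi
    mv "$base_dir/$slm_name" "$base_dir/$target" && echo "$target"
}
```

Run `rename_partition` once per copied partition, passing the du value recorded on SLM as the fourth argument; the renamed directory name is printed on success and nothing is moved when the shape or size check fails.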

8. Viewing Event Data Available for Restoration

a. Log in to the Sentinel Web interface as a user in the administrator role.

b. Click Storage > Event.

c. The Data Restoration section does not initially display any data.

d. Click Find Data to search and display all event data partitions available for restoration.

e. The Data Restoration table chronologically lists all the event data that can be restored. The table displays the date of the event data, the name of event directory, and the location. The Location column indicates whether the event directory was found in the primary storage directory of Sentinel or in the configured secondary storage directory.

f. Continue with Restoring Event Data to restore the event data.

9. Restoring Event Data

a. Select the check box in the Restore column next to the partition that you want to restore.

b. The Restore Data button is enabled when the Data Restoration section is populated with restorable data.

c. Click Restore Data to restore the selected partitions.

d. The selected events are moved to the Restored Data section. It might take approximately 30 seconds for the Restored Data section to reflect the restored event partitions.

e. (Optional) Click Refresh to search for more restorable data.

f. To configure the restored event data to expire according to data retention policy, continue with Configuring Restored Event Data to Expire.

10. Configuring Restored Event Data to Expire

a. By default, restored partitions are not subject to data retention policy checks and do not expire. To return the restored partitions to the normal state and allow them to expire according to the data retention policy, select Set to Expire for the data that you want to expire, then click Apply.

b. The restored partitions that are set to expire are removed from the Restored Data table and returned to normal processing.

c. It might take about 30 seconds for the Restored Data table to reflect the changes.

d. Continue with Search Restored Events to find the restored event data.

11. Search the Restored Events

a. In the Sentinel Web interface, click New Search and add the appropriate filter for the restored data.

b. Change the default time range from Last 1 hour to Custom.

c. Using the Custom option, set the From and To dates that cover the restored data.

d. Click Search to search the restored data.

e. Compare the search results in Sentinel with the search results in SLM.

Cause

Existing SLM customers want to move to Sentinel.

Bug Number

938596

Additional Information

  1. In Sentinel, after re-indexing, the event data partition size is reduced.
  2. When comparing the search results of the restored data in Sentinel with SLM, consider only the SLM events which arrived after the retention policy was created in SLM.