3.7 Using Sequential-Access Storage for Long Term Data Storage

Sequential-access storage (such as tape) is a cost-effective mechanism for storing large amounts of data. Sentinel Log Manager cannot interface directly with data stored on tape, because it requires the data to be on a storage system that supports random access, such as a typical hard drive.

The high-level approach is to configure Sentinel Log Manager to retain data long enough to search and run reports on the data you regularly need, and to copy data to tape before Sentinel Log Manager deletes it. To search or run reports on data that was copied to tape but has since been deleted from Sentinel Log Manager, copy the data from tape back into Sentinel Log Manager; the recovered data is then included in search results.

This section describes how to use tape, or any other storage mechanism that Sentinel Log Manager does not support directly.

3.7.1 Determining What Data You Need to Copy to Tape

There are two types of data in Sentinel Log Manager:

  • Raw data is the unprocessed events received by the connector, sent directly to the Sentinel Log Manager message bus and then written to disk on the Sentinel Log Manager server. Raw data is usually what legal retention requirements apply to. Raw data cannot be searched or reported on, because it is not processed or indexed.

  • Event data is generated by a collector after it processes the raw data. Event data is indexed, so it can be searched and reported on. Although this data is not usually covered by legal requirements, it is often important to retain, because it makes searching the data much easier.

If you want to store raw data only to comply with legal requirements and do not need to search or run reports on that data later, you can copy just the raw data to tape. However, if you want to search or report on the data later, copy both the raw data and the event data to tape, so that you can later copy both sets of data back into Sentinel Log Manager.

You can also search the raw data directly with tools such as egrep or a text editor, but such a search may not meet your requirements. The search mechanism that Sentinel Log Manager provides for event data is much more powerful than these tools.

3.7.2 Backing Up Data

Sentinel Log Manager provides the following backup options:

Configuration data: This option backs up everything except event and raw data. It is faster because it covers a small amount of data: all the directories in the installation except the data directory.

Data: This option takes longer because it involves backing up all the data in the data and archive directories.

NOTE: Archive directories can be located on a remote machine.

Events should be archived regularly.

  • Periodically export all the ESM configurations and save them. When the environment is relatively stable, you can generate a full ESM export that includes the entire tree of ESM components. This captures the plug-ins as well as the configuration of each node. Back up and archive the resulting .zip file as you would any normal file.

    If changes such as updating plug-ins or adding nodes are made to ESM later, you must export the configuration and save it again.

  • Back up the entire installation directory rather than particular sections, so there is no risk of manual mistakes and the process is quicker.

3.7.3 Configuring Sentinel Log Manager Storage Utilization

Sentinel Log Manager lets you configure how much local and archive storage space to use for data before it starts deleting data from the Sentinel Log Manager server. Use these size limits to ensure that your storage system never becomes 100% utilized, which can cause undesirable behavior such as data corruption. You should also leave extra space in your archive storage so that you can later copy data from tape back into Sentinel Log Manager. Decreasing the archive utilization setting makes Sentinel Log Manager free up space that you can use for copying data back from tape.

3.7.4 Sentinel Log Manager Data Retention

Sentinel Log Manager lets you configure how long data is kept on disk before it is deleted. If your hard drive storage is not sufficient to keep data long enough to meet your legal requirements, you can use tape storage to retain the data beyond the configured retention duration. Retention policies should therefore be configured long enough to ensure that the data you regularly search and report on, for example the most recent 90 days' worth, is retained within Sentinel Log Manager. The retention policy should also ensure that Sentinel Log Manager is not deleting data prematurely because of storage utilization limits. If the storage utilization limit is exceeded and data is being deleted prematurely, change the policy to expand the data storage space.

3.7.5 Copying Data to Tape

Depending on what data you need to retain for the long term, you need to set up a process to copy raw data, event data, or both to tape. The following sections describe how each type of data is stored in Sentinel Log Manager, so that you can set up copy operations to move the data out of Sentinel Log Manager onto tape.

Copying Raw Data to Tape

Raw data partitions are individual files. A new file is created every hour, and each file is closed within 10 minutes after its hour has elapsed. When a raw data file is closed, it is renamed to identify it as closed. Files in the open state have a .open extension; when they are closed, they are renamed to have a .log extension. Some time after they are closed, they are compressed and then have a .zip extension. After being compressed, they are moved to archive storage and are no longer present in local storage.

The directory hierarchy in which the raw data files are placed is organized by the event source and the date of the raw data. You can use this hierarchy to periodically copy a batch of raw data files to tape. For more information on raw data directory hierarchy, see Table 3-1, Raw Data Directory Structure.

You should wait until raw data files have been compressed and moved to archive storage before copying them to tape. Make sure that they are not in the process of being compressed or copied when you copy them to tape (if there is still a .log file of the same name, it is likely that the .zip file is still being created). At the same time, the raw data files must be copied before the Sentinel Log Manager Raw Data Retention Policy expires so that you avoid losing the data.
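The following shell script is an added example, not code from the Sentinel Log Manager documentation. It applies the checks just described: it selects the .zip raw data files in archive storage that are at least a given number of minutes old and have no sibling .log file of the same base name, then copies them into a staging directory (standing in for the area your tape software reads from), preserving the event-source/date hierarchy so that the files can later be restored to their original locations. The archive root, the age threshold and the staging directory are assumptions passed as arguments; the script does not track the retention policy deadline, which you must still watch separately.

```shell
#!/bin/sh
# Added example; not code from the Sentinel Log Manager documentation.
# Selects raw data files that are safe to copy to tape and copies them into a
# staging directory, keeping the event-source/date hierarchy intact.
# Assumptions: $1 is the raw data root in archive storage, $2 the minimum file
# age in minutes, $3 the staging directory your tape software reads from.

# Print every .zip under the archive root that is at least $2 minutes old and
# has no .log file of the same base name (a sibling .log means the .zip is
# probably still being created). -mmin is GNU/BSD find, not strict POSIX.
list_raw_files_ready_for_tape() {
    raw_root=$1
    min_age_minutes=${2:-60}
    find "$raw_root" -type f -name '*.zip' -mmin "+$min_age_minutes" |
    while IFS= read -r zipfile; do
        if [ -e "${zipfile%.zip}.log" ]; then
            continue
        fi
        printf '%s\n' "$zipfile"
    done
}

# Copy the ready files into the staging directory at the same relative path
# and verify each copy byte for byte. Prints the relative path of each file
# copied; the pipeline ends with status 1 if a copy does not match its source.
copy_raw_files_to_staging() {
    raw_root=$1
    min_age_minutes=$2
    staging_dir=$3
    list_raw_files_ready_for_tape "$raw_root" "$min_age_minutes" |
    while IFS= read -r zipfile; do
        rel=${zipfile#"$raw_root"/}
        mkdir -p "$staging_dir/$(dirname "$rel")"
        cp -p "$zipfile" "$staging_dir/$rel"
        if ! cmp -s "$zipfile" "$staging_dir/$rel"; then
            echo "copy mismatch: $rel" >&2
            exit 1
        fi
        printf '%s\n' "$rel"
    done
}

# Usage (both paths are placeholders):
# copy_raw_files_to_staging ARCHIVE_RAW_DATA_ROOT 60 TAPE_STAGING_DIR
```

The age threshold is a second guard on top of the .log check: a .zip whose .log has already been removed can still be in the middle of its move to archive storage, so waiting an hour after the last modification before copying avoids picking up a half-written file.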

Copying Event Data to Tape

Event data partitions are created every 24 hours, but they are not closed for roughly 48 hours (in case some data arrives late). Event data is stored in the data/eventdata directory, in subdirectories whose names are prefixed with the year, month, and day on which the partition was created (yyyymmdd). For example, the path to a complete event data partition, relative to the installation directory, is data/eventdata/20090101_408E7E50-C02E-4325-B7C5-2B9FE4853476. You can use this hierarchy to determine when a partition is closed: subdirectories whose date is at least 48 hours old should be in the closed state.

For more information on event data directory hierarchy, see Table 3-3, Event Data Directory Structure.

You should wait until event data partitions have been copied to archive storage before copying them to tape. Before you copy, make sure that the directory is not currently being copied from local storage. To do this, check whether a local storage partition directory of the same name exists. If it does not, the archive partition directory is not being copied. If it does, make sure that every file in the local storage partition directory is also present in the archive partition directory and that each pair of files is the same size. If all files are present and of the same size, it is highly likely that the partition is not currently being copied.
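The following shell script is an added example, not code from the Sentinel Log Manager documentation. It turns the two checks above into functions: one tests whether a partition's yyyymmdd prefix is old enough for the partition to be closed, the other tests whether the partition is still being copied from local storage by comparing the file lists and sizes of the local and archive copies. The local and archive eventdata directories and the cutoff date are assumptions passed as arguments; comparing whole calendar days (the partition date must be strictly before "today minus two days") keeps the age check conservative, since a partition created late in its day is otherwise younger than 48 hours.

```shell
#!/bin/sh
# Added example; not code from the Sentinel Log Manager documentation.
# Decides which event data partitions in archive storage are safe to copy to
# tape: the partition must be old enough to be closed, and it must no longer
# be in the middle of a copy from local storage.
# Assumptions: $1 is the local data/eventdata directory, $2 its archive
# counterpart, $3 a cutoff date (yyyymmdd) computed by the caller, e.g. with
# GNU date: date -u -d '2 days ago' +%Y%m%d. Only the top-level files of a
# partition directory are compared.

# True if the yyyymmdd prefix of partition name $1 is strictly before the
# cutoff $2. With cutoff = today minus two days, any partition that passes
# was created at least 48 hours ago regardless of the time of day.
partition_date_ok() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_?*) ;;
        *) return 1 ;;
    esac
    part_day=${1%%_*}
    [ "$part_day" -lt "$2" ]
}

# True if archive partition $3 is not being copied from local storage: either
# the local partition is gone, or every file in it is present in the archive
# partition with the same size.
partition_copy_complete() {
    local_part=$1/$3
    archive_part=$2/$3
    [ -d "$archive_part" ] || return 1
    [ -d "$local_part" ] || return 0
    for local_file in "$local_part"/*; do
        [ -f "$local_file" ] || continue
        fname=$(basename "$local_file")
        [ -f "$archive_part/$fname" ] || return 1
        local_size=$(wc -c < "$local_file" | tr -d ' ')
        archive_size=$(wc -c < "$archive_part/$fname" | tr -d ' ')
        [ "$local_size" -eq "$archive_size" ] || return 1
    done
    return 0
}

# Print the names of the archive partitions that pass both checks, in
# directory order (which is date order, thanks to the yyyymmdd prefix).
list_partitions_ready_for_tape() {
    local_dir=$1
    archive_dir=$2
    cutoff=$3
    for part_dir in "$archive_dir"/*/; do
        [ -d "$part_dir" ] || continue
        part_name=$(basename "$part_dir")
        if partition_date_ok "$part_name" "$cutoff" &&
           partition_copy_complete "$local_dir" "$archive_dir" "$part_name"; then
            printf '%s\n' "$part_name"
        fi
    done
}

# Usage (directory names are placeholders):
# list_partitions_ready_for_tape LOCAL_EVENTDATA ARCHIVE_EVENTDATA "$(date -u -d '2 days ago' +%Y%m%d)"
```

A partition that fails the copy-complete check is simply left for the next run; because it is only skipped, not marked, re-running the script after the copy finishes picks it up without any extra state.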

3.7.6 Copying Data from Tape Back Into Sentinel Log Manager

This section describes how to restore data that was deleted from Sentinel Log Manager because its retention time elapsed, but that had been backed up to tape.

NOTE: The current version of Sentinel Log Manager does not fully support restoring deleted data partitions. As a result, after you restore a partition and update the database to reactivate it, Sentinel Log Manager reapplies the retention policy to it the next time it runs the policy check tasks. The policy check tasks run at the following intervals:

  • For Raw Data: Every hour, starting when Sentinel Log Manager starts. This is configurable by setting the RawDataConsumer.fileSpanMinutes property in the config/server.xml file. However, the same property also determines the time range covered by each raw data file, so increasing this value also increases the size of the raw data files. Having raw data files with two different time ranges in your system may cause confusing behavior.

  • For Event Data: Once a day, at midnight UTC (GMT)

Restoring Raw Data from Tape

To restore raw data, copy the data from tape back into its original location (maintaining the original directory hierarchy). The Sentinel Log Manager database keeps track of what files were deleted, so you will need to update the entry in the database to inform it that this raw data file is no longer deleted. To do so, execute an UPDATE SQL command similar to the following for each raw data file you have restored:

UPDATE raw_data_files SET state = 'ARCHIVED' WHERE file_name = '/6D029DD0-7F53-102C-B23E-000C294414C6/2009-01/10-0100.zip'

Updating the database will allow you to view the raw data file in the list of raw data files under the Storage > Raw Data tab of the Sentinel Log Manager user interface.

Alternatively, because raw data is text, you can extract the .zip file and read the raw data with any text file reader.

Restoring Event Data from Tape

To restore event data, copy the data from tape back into its original location (maintaining the original directory hierarchy). The Sentinel Log Manager database keeps track of what event partitions were deleted, so you will need to update the entry in the database to inform it that this partition is no longer deleted. To do so, execute an UPDATE SQL command similar to the following for each event partition you've restored:

UPDATE ixlog_part SET state = 60 WHERE name = '20090811_408E7E50-C02E-4325-B7C5-2B9FE4853476'

Here, the value for name is the directory name of the partition.

NOTE: Updating the database allows you to perform searches and run reports on the data in this event partition by using the Sentinel Log Manager user interface.

As stated in the NOTE above, Sentinel Log Manager will again begin to manage the life cycle of that partition and will eventually delete it again, based on the same criteria it used to delete it in the first place. You can get around this by creating an additional retention policy with a very long minimum retention period and then reassigning the partition to the new retention policy, as follows:

UPDATE ixlog_part SET ret_pol_id = '6faa7ec0-7f73-102c-bd20-001676e4a757' WHERE name = '20090811_408E7E50-C02E-4325-B7C5-2B9FE4853476'

Here, the value for name is the directory name of the partition, and the value for ret_pol_id is the id of the retention policy as listed in the md_config table.
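The following shell script is an added example, not code from the Sentinel Log Manager documentation. It generates the UPDATE statements from the two restore procedures above (raw data files and event partitions) for a whole set of restored items, and validates every name against the expected yyyymmdd_UUID or /source/yyyy-mm/dd-hhmm.zip shape before quoting it into SQL, so that a stray file or directory in the restored tree cannot produce a malformed or unintended statement. The table and column names, the state values and the example ids are taken from the statements above; the eventdata directory and the retention policy id are assumptions passed as arguments (the policy id is a placeholder you replace with the id from the md_config table).

```shell
#!/bin/sh
# Added example; not code from the Sentinel Log Manager documentation.
# Generates the UPDATE statements used to reactivate restored raw data files
# and event partitions, validating each name before it is quoted into SQL.
# Assumptions: restored event partitions sit directly under the eventdata
# directory passed as $1; the retention policy id passed as $2 is a
# placeholder to be replaced with the id listed in the md_config table.

# Accept only event partition names of the form yyyymmdd_<hex-and-hyphens>.
valid_partition_name() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_?*) ;;
        *) return 1 ;;
    esac
    case ${1#*_} in
        *[!0-9A-Fa-f-]*) return 1 ;;
    esac
    return 0
}

# Accept only hex-and-hyphen ids such as 6faa7ec0-7f73-102c-bd20-001676e4a757.
valid_policy_id() {
    case $1 in
        '' | *[!0-9A-Fa-f-]*) return 1 ;;
    esac
    return 0
}

# Accept only raw data file names of the form /<hex-source>/yyyy-mm/dd-hhmm.zip
valid_raw_file_name() {
    case $1 in
        /*) ;;
        *) return 1 ;;
    esac
    src=${1#/}
    src=${src%%/*}
    case $src in
        '' | *[!0-9A-Fa-f-]*) return 1 ;;
    esac
    rest=${1#/"$src"}
    case $rest in
        /[0-9][0-9][0-9][0-9]-[0-9][0-9]/[0-9][0-9]-[0-9][0-9][0-9][0-9].zip) ;;
        *) return 1 ;;
    esac
    return 0
}

# Emit the statement that marks a restored raw data file as ARCHIVED again.
raw_file_restore_sql() {
    valid_raw_file_name "$1" || { echo "invalid raw data file name: $1" >&2; return 1; }
    printf "UPDATE raw_data_files SET state = 'ARCHIVED' WHERE file_name = '%s';\n" "$1"
}

# Emit the two statements that reactivate an event partition and move it to
# the long-retention policy, so the next policy check does not delete it again.
event_partition_restore_sql() {
    valid_partition_name "$1" || { echo "invalid partition name: $1" >&2; return 1; }
    valid_policy_id "$2" || { echo "invalid policy id: $2" >&2; return 1; }
    printf "UPDATE ixlog_part SET state = 60 WHERE name = '%s';\n" "$1"
    printf "UPDATE ixlog_part SET ret_pol_id = '%s' WHERE name = '%s';\n" "$2" "$1"
}

# Walk the restored eventdata directory and emit statements for every valid
# partition directory; anything else is reported on stderr and skipped.
event_restore_sql_for_dir() {
    for part_dir in "$1"/*/; do
        [ -d "$part_dir" ] || continue
        part_name=$(basename "$part_dir")
        event_partition_restore_sql "$part_name" "$2" || continue
    done
}

# Usage (placeholders): event_restore_sql_for_dir data/eventdata LONG_RETENTION_POLICY_ID
```

Review the generated statements before running them against the database, and run the state and ret_pol_id updates for a partition together: reactivating a partition without reassigning its policy leaves it exposed to the next daily policy check described in the NOTE above.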