When you restore data from a different Sentinel server, the following dashboards are not displayed: Alerts, Threat Hunting, and User Activities. To display these dashboards, you must configure your Sentinel server.
To restore dashboards:
Ensure that the time and timezone are same in both the source machine from where you take the backup and the destination machine where you restore the data.
Login to the Sentinel server where you want to restore data as a root user.
Configure the /opt/novell/sentinel/3rdparty/elasticsearch/config/elasticsearch.yml file.
Set the network.host to <IP address of the Sentinel server>.
Restart the Sentinel Server.
Delete the security.events.normalized_* index index pattern from Sentinel:
Login to Sentinel.
Open an affected dashboard.
Click Management > Index Patterns.
Delete security.events.normalized_*.
Click Remove index pattern.
Run the following command to delete the security.events.normalized_* index index from Elasticsearch:
curl -X DELETE {ES_IP}:9200/security.events.normalized_*
Re-create the index pattern:
Go to cd opt/novell/sentinel/bin.
Run the following command to apply mapping template on events index on the Elasticsearch:
./elasticsearch_index_template.sh {ES_IP} 9200 security.events.normalized_* <Number of Shards> <Number of Replicas>
Run the following command to re-create the index pattern:
./create_kibana_index_pattern.sh {ES_IP:9200} security.events.normalized_*