Backing Up the Elasticsearch Data

If Intelligence is deployed in your platform, take an Elasticsearch data backup before upgrading so that the data can be restored if anything goes wrong during the upgrade. Follow the steps below to back up your data.

  1. Enable the search-manager

  2. Scale down logstash

  3. Elasticsearch data backup

  4. Verify the job status

Enable the search-manager

  1. Open the OMT Management Portal at https://<CLUSTER FQDN>:5443 and log in.

  2. Select Deployment > Deployments.

  3. Click ... (Browse) on the far right and choose Reconfigure. A new page will be opened in a separate tab.

  4. Click Intelligence.

  5. Toggle the Enable Search Manager button under Upgrade Configurations.

Scale down logstash

Execute the following command from the bastion to scale down logstash:

kubectl -n $(kubectl get ns |awk '/arcsight/ {print $1}') scale statefulset interset-logstash --replicas=0

The scale command returns as soon as the StatefulSet spec is updated, so confirm that the logstash pods have actually terminated:

kubectl -n $(kubectl get ns |awk '/arcsight/ {print $1}') get pods | grep logstash

The command should return no running logstash pods. Repeat it until it prints nothing before continuing.

Elasticsearch data backup

  1. Log in to the Interset UI at https://<CLUSTER FQDN>/interset with a user that has the system-admin role.

  2. Click on the gear icon on the top right corner and select Search Manager.

  3. Click on the Job History list box.

  4. Select Submit a Job.

  5. Click on the Job type list box and select Snapshot.

  6. Enter 0 in the Customer to apply Snapshot to field.

  7. Click the SUBMIT JOB button.

Verify the job status

Go to the Job History page and check the status of the Snapshot job ID. Click the REFRESH button until the status becomes either COMPLETED_SUCCESS or COMPLETED_FAILED.

If the final status is COMPLETED_FAILED, execute this command:

kubectl logs -n $(kubectl get ns |awk '/arcsight/ {print $1}') elasticsearch-master-0 -c elasticsearch | grep snapshot

The output should include a line for the snapshot that ends in completed with state [SUCCESS]. If only the started line is present, the snapshot is still running: repeat the command until the [SUCCESS] line appears. Depending on the amount of data, this can take some time.

If still unsuccessful after multiple attempts, do not proceed with the upgrade procedure and reach out to customer support for help.

Output examples for successful attempts:

{"type": "server", "timestamp": "2022-12-07T15:07:13,016Z", "level": "INFO", "component": "o.e.s.SnapshotsService", "cluster.name": "interset", "node.name": "elasticsearch-master-0", "message": "snapshot [repository_0:snapshot_0_698fee7c-60f4-45e5-bfee-7c06e0f8c415/f5CXpkRpSx6ltB-mIS_TaA] started", "cluster.uuid": "0Kef4EV2RRaVPQiJHxQQiw", "node.id": "l6zdkuvgTvq1KZJJQmd-xA" }

{"type": "server", "timestamp": "2022-12-07T15:07:19,076Z", "level": "INFO", "component": "o.e.s.SnapshotsService", "cluster.name": "interset", "node.name": "elasticsearch-master-0", "message": "snapshot [repository_0:snapshot_0_698fee7c-60f4-45e5-bfee-7c06e0f8c415/f5CXpkRpSx6ltB-mIS_TaA] completed with state [SUCCESS]", "cluster.uuid": "0Kef4EV2RRaVPQiJHxQQiw", "node.id": "l6zdkuvgTvq1KZJJQmd-xA" }

If the snapshot job remains in the Pending state for a prolonged period of time, restart the searchmanager-engine-xxxxxxxxxx-xxxxx pod and check the job status again.
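The following script is an added example and is not part of the OMT or ArcSight Intelligence documentation. It wraps the "Scale down logstash" and "Verify the job status" steps above so that the two checks a practitioner tends to eyeball (are the logstash pods really gone, and did the snapshot really reach [SUCCESS]) are decided by code. It assumes the same environment the page does: kubectl on the bastion, a namespace matching arcsight, the interset-logstash StatefulSet and the elasticsearch-master-0 pod. The first two sample log lines are the page's own success example; the third is constructed here to show a failed completion, and the polling defaults (30 attempts, 20 seconds apart) are assumptions.

```shell
#!/bin/sh
# Added example, not the product's own tooling. POSIX sh; run on the bastion.
set -eu

# Namespace lookup, exactly as used in the commands on this page.
arcsight_ns() {
  kubectl get ns | awk '/arcsight/ {print $1}'
}

# Count logstash pods in `kubectl get pods --no-headers` output read from stdin.
count_logstash_pods() {
  awk '/logstash/ { n++ } END { print n + 0 }'
}

# Classify the latest snapshot from Elasticsearch JSON log lines on stdin.
# Prints SUCCESS, FAILED or PENDING. Only SnapshotsService lines count; a later
# "started" line supersedes an earlier result, and a completion with any state
# other than SUCCESS (for example PARTIAL or FAILED) is reported as FAILED.
snapshot_state() {
  awk '
    /SnapshotsService/ && /snapshot \[/ {
      if ($0 ~ /completed with state \[SUCCESS]/)  state = "SUCCESS"
      else if ($0 ~ /completed with state \[/)    state = "FAILED"
      else if ($0 ~ /] started/)                  state = "PENDING"
    }
    END { print (state == "" ? "PENDING" : state) }
  '
}

# Scale logstash to zero and block until the pods are really gone:
# `kubectl scale` returns when the spec is updated, not when the pods exit.
scale_down_logstash() {
  ns=$(arcsight_ns)
  kubectl -n "$ns" scale statefulset interset-logstash --replicas=0
  while [ "$(kubectl -n "$ns" get pods --no-headers | count_logstash_pods)" -ne 0 ]; do
    echo "waiting for logstash pods to terminate..."
    sleep 5
  done
  echo "no logstash pods running in $ns"
}

# Poll the Elasticsearch master log until the snapshot completes, instead of
# re-running the grep by hand. Arguments: attempts (assumed default 30) and
# delay in seconds between attempts (assumed default 20).
wait_for_snapshot() {
  attempts=${1:-30}; delay=${2:-20}
  ns=$(arcsight_ns)
  i=1
  while [ "$i" -le "$attempts" ]; do
    # grep exits 1 when nothing matches yet; that is "pending", not an error.
    state=$(kubectl logs -n "$ns" elasticsearch-master-0 -c elasticsearch \
              | { grep snapshot || true; } | snapshot_state)
    case "$state" in
      SUCCESS) echo "snapshot completed with state [SUCCESS]"; return 0 ;;
      FAILED)  echo "snapshot did not succeed; do not upgrade, contact support" >&2; return 1 ;;
    esac
    echo "attempt $i/$attempts: snapshot still pending"
    sleep "$delay"
    i=$((i + 1))
  done
  echo "snapshot still pending after $attempts attempts; check the searchmanager-engine pod" >&2
  return 1
}

# Sample log lines. The first two are the page's own success example (trimmed
# to the fields the classifier reads); the third is constructed for this example.
SAMPLE_STARTED='{"type": "server", "level": "INFO", "component": "o.e.s.SnapshotsService", "node.name": "elasticsearch-master-0", "message": "snapshot [repository_0:snapshot_0_698fee7c-60f4-45e5-bfee-7c06e0f8c415/f5CXpkRpSx6ltB-mIS_TaA] started" }'
SAMPLE_SUCCESS='{"type": "server", "level": "INFO", "component": "o.e.s.SnapshotsService", "node.name": "elasticsearch-master-0", "message": "snapshot [repository_0:snapshot_0_698fee7c-60f4-45e5-bfee-7c06e0f8c415/f5CXpkRpSx6ltB-mIS_TaA] completed with state [SUCCESS]" }'
SAMPLE_FAILED='{"type": "server", "level": "INFO", "component": "o.e.s.SnapshotsService", "node.name": "elasticsearch-master-0", "message": "snapshot [repository_0:constructed_failed_example/constructed] completed with state [FAILED]" }'

# Usage: sh es_backup_check.sh scale-down
#        sh es_backup_check.sh wait-snapshot [attempts] [delay]
case "${1:-}" in
  scale-down)    scale_down_logstash ;;
  wait-snapshot) wait_for_snapshot "${2:-30}" "${3:-20}" ;;
esac
```

Run `scale-down` after enabling the Search Manager and `wait-snapshot` after submitting the Snapshot job. A non-zero exit from `wait-snapshot` is the signal the page describes: do not proceed with the upgrade, and contact support if the snapshot reports a state other than SUCCESS.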