    Archive

    The log files processed by EventLog Analyzer are archived periodically for internal, forensic, and compliance audits. You can configure the following as per your requirements:

    • Archiving interval
    • Type of logs that need to be archived
    • Storage location of the archived files
    • Retention period

    The archived files can be encrypted and time-stamped to make them secure and tamper-proof.

    How to view archived logs?

    To view your archives, in the Settings tab of EventLog Analyzer, navigate to Admin Settings > Manage Archives.

    The Archived Logs page loads and it provides information on:

    • List of devices from which the logs are being collected
    • Device type (Format)
    • Time frame ('From' and 'To'): the period during which the logs were collected by EventLog Analyzer and stored in the archive file
    • Size of the archived log data from each of the devices
    • Integrity column: indicates whether the archived logs are intact or have been tampered with. The integrity of an archived file is denoted by one of four states:
      1. Verified - Archived logs are intact.
      2. Archive file is missing - The flat file was not found during the compression/zipping process.
      3. Archive file not found - The archive file was not found at the location recorded for it in the DB.
      4. Archive file is tampered - The original archive file has been edited, or part of it has been deleted, externally. If a file has been deleted or tampered with, an email notification is sent immediately and the message "Archive file is tampered" is displayed on the screen.
    • Status of the archival: indicated by one of four states:
      1. Loaded - The archived files have already been loaded into the database. Click 'View' to view the archive file.
      2. Data already available - The archive file is already in the Elasticsearch database.
      3. Data partially available - Some of the archive data is in the Elasticsearch database.
      4. Not Loaded - The archive file is not in the Elasticsearch database.
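    The page does not describe how EventLog Analyzer computes the Integrity column, so the following is an added illustration of the general technique, not the product's code: record a keyed digest (HMAC-SHA256) of each archive when it is created, keep that digest and the key outside the archive folder, and re-verify later to classify a file as Verified, not found, or tampered. File names, the key, and the archive bytes are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Integrity states modelled on the ones listed above. "Archive file is missing"
# refers to the flat file during zipping, which this example does not model.
VERIFIED = "Verified"
NOT_FOUND = "Archive file not found"
TAMPERED = "Archive file is tampered"


def archive_digest(archive_path, key):
    """Keyed SHA-256 digest (HMAC) of the archive's contents, read in chunks so
    multi-gigabyte zip files are never loaded into memory at once. The key must
    live outside the archive location: anyone who can edit the archive and also
    read the key could recompute a matching digest."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(archive_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            mac.update(chunk)
    return mac.hexdigest()


def verify_archive(archive_path, recorded_digest, key):
    """Classify one archive file against the digest recorded when it was created."""
    if not os.path.isfile(archive_path):
        return NOT_FOUND
    current = archive_digest(archive_path, key)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if hmac.compare_digest(current, recorded_digest):
        return VERIFIED
    return TAMPERED


def demo():
    """Walks through the three outcomes on a constructed archive file and
    returns the states observed, in order: intact, edited, deleted."""
    key = b"constructed-demo-key-not-for-production"  # constructed
    with tempfile.TemporaryDirectory() as workdir:
        archive = os.path.join(workdir, "2024-01-01_device01.zip")  # constructed name
        with open(archive, "wb") as f:
            f.write(b"PK\x03\x04 constructed archive bytes\n")
        # The manifest of digests would be stored outside the archive directory.
        manifest = {archive: archive_digest(archive, key)}

        intact = verify_archive(archive, manifest[archive], key)

        # Simulate external editing: drop the last byte of the file.
        with open(archive, "r+b") as f:
            f.truncate(os.path.getsize(archive) - 1)
        edited = verify_archive(archive, manifest[archive], key)

        os.remove(archive)
        deleted = verify_archive(archive, manifest[archive], key)
    return (intact, edited, deleted)


if __name__ == "__main__":
    for state in demo():
        print(state)
```

    A plain unkeyed hash would detect accidental corruption but not deliberate editing by someone who can also rewrite the stored hash; the keyed digest is what makes "tampered" meaningful, which is also why the key and manifest must not sit next to the archives.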

    How to view a specific archival file?

    To view a specific archival file, click on the check box corresponding to the device.

    You can also view the archived log files that are created during a specific time period. To do so, click on the calendar icon on the top right corner of the page and specify the desired time period.

    How to filter and view a set of archive files?

    If you want to view a set of files based on the size or status of the archive data, click the filter icon next to Size or Status and set the appropriate values. The files will be filtered based on the given values.

    How to sort the list of archive files?

    By clicking the drop-down icon next to Devices/From/To, you can sort the list in ascending order of the respective column values. Clicking again sorts the list in descending order.

    How to load archive files?

    To load your archived files, in the Settings tab of EventLog Analyzer, navigate to Admin Settings > Manage Archives.

    1. Check the status of the archived file corresponding to the device. If it is Not Loaded, click the Load Archive button to load the file to the database and search the logs.
    2. Once the status of the file changes to Loaded, click on the corresponding View button.

    Note: To drop a file, select the file and click on the Unload Archive button.

    Note: If the status of the file says "Data partially available" and if you proceed to load the archive, there could be a duplication of the data.

    How to delete archive files?

    To delete your archived files, in the Settings tab of EventLog Analyzer, navigate to Admin Settings > Manage Archives.

    1. Select the archived file(s) by selecting the respective check box(es).
    2. Delete the archived file(s) by clicking the Delete icon.

    How to configure archive settings?

    To configure archival settings, click the Settings link at the top right corner of the screen.

    In this screen, configure the archive interval, the retention period, the encryption and time-stamping options for the archive files, the location to save the archive files, and the location to save the index files.

    Note: Archiving and database storage are asynchronous, unrelated operations.

    1. Ensure that archiving is enabled. It is enabled by default; unselect the toggle button to disable archiving.
    2. To secure the archive files, enable encryption of the files. It is disabled by default.
    3. Enter the archive retention period for the archived files. The default period is Forever.
    4. Logs can be archived in two formats: "Raw Logs with Parsed Fields" and "Raw Logs". "Raw Logs with Parsed Fields" are stored with the metadata and "Raw Logs" are stored without metadata. Raw Logs take less storage space, but only basic reports can be generated from this data.
    5. Enter the storage location for the archived files in the Archive Location box. Click "Verify Location" to validate the location.
    6. Enter the Notification Email Address. Notification emails regarding file integrity will be sent to the specified email ID(s). Separate multiple email IDs with commas.
    7. Enter the log retention period for the loaded archive files. The default period is 7 days.
    8. Click Advanced and enter values for the following three parameters displayed on the screen:
      1. Choose the required time interval for file creation. The logs are written to flat files at the specified interval. The default value is 8 hours.
      2. Choose the required time interval for creating a zip file. The flat files are compressed (20:1 ratio) into zip files at the specified interval. The default value is 1 day.
      3. Enable Archive Timestamping if required. It is disabled by default.
    9. Save the settings and close the window. For instant archiving, click the Zip now button next to Zip Creational Interval.

    Steps to move EventLog Analyzer's Elasticsearch indices to a new location

    Note:

    • ES\repo folder contains temporary files for ES archives
    • ES\data folder contains data
    • ES\archive folder contains ES archives
    • ES\repo, ES\data and ES\archive should never point to the same folder

    Examples:

    For remote network path use the following format:

    • path.data : ["//remote machine name/shared folder/data"]
    • path.repo : ["//remote machine name/shared folder/repo"]

    For Windows local storage use the following format:

    • path.data : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\data"]
    • path.repo : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\repo"]

    For Linux local storage use the following format:

    • path.data : ["/opt/ManageEngine/EventLog Analyzer/ES/data"]
    • path.repo : ["/opt/ManageEngine/EventLog Analyzer/ES/repo"]
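    The note above says ES\repo, ES\data and ES\archive must never point to the same folder, and the later steps place the archive folder parallel to the data directory. The following Python script, added here and not part of EventLog Analyzer, reads the path.data and path.repo lines in the bracketed form shown above, derives the parallel archive folder, and reports any two roles that resolve to the same folder. It serves both the indices and the data relocation procedures on this page. Assumptions: only the bracketed double-quoted form is parsed (a YAML flow sequence of double-quoted strings is also valid JSON), and comparison is case-insensitive with backslashes and forward slashes treated alike, which errs towards reporting a collision.

```python
import json
import re

# Matches the bracketed form used in the examples above, e.g.
#   path.data : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\data"]
PATH_LINE = re.compile(r'^\s*(path\.(?:data|repo))\s*:\s*(\[.*\])\s*$')


def parse_path_settings(yaml_text):
    """Return {"path.data": [...], "path.repo": [...]} for the lines present.
    Only the bracketed, double-quoted form shown in the docs is recognised."""
    found = {}
    for line in yaml_text.splitlines():
        m = PATH_LINE.match(line)
        if m:
            found[m.group(1)] = json.loads(m.group(2))
    return found


def normalize(path):
    """Canonical form for comparison: forward slashes, no trailing slash,
    lower-cased (assumption: a case-insensitive compare is acceptable here
    because it can only over-report collisions)."""
    return path.replace("\\", "/").rstrip("/").lower()


def archive_dir_for(data_dir):
    """The procedure places the archive folder parallel to the data directory,
    i.e. <parent of data>/archive."""
    parent, _, _ = normalize(data_dir).rpartition("/")
    return parent + "/archive"


def check_layout(yaml_text):
    """List of problems with the data/repo/archive layout; empty means OK."""
    settings = parse_path_settings(yaml_text)
    problems = [f"{key} is not set" for key in ("path.data", "path.repo")
                if key not in settings]
    if problems:
        return problems
    folders = [("data", normalize(p)) for p in settings["path.data"]]
    folders += [("repo", normalize(p)) for p in settings["path.repo"]]
    folders += [("archive", archive_dir_for(p)) for p in settings["path.data"]]
    for i, (role_a, path_a) in enumerate(folders):
        for role_b, path_b in folders[i + 1:]:
            if role_a != role_b and path_a == path_b:
                problems.append(f"{role_a} and {role_b} point to the same folder: {path_a}")
    return problems


# Constructed elasticsearch.yml fragments for a self-check (not real configs).
GOOD_CONFIG = r'''
cluster.name: constructed-demo
path.data : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\data"]
path.repo : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\repo"]
'''

BAD_CONFIG = r'''
path.data : ["/opt/ManageEngine/EventLog Analyzer/ES/data"]
path.repo : ["/opt/ManageEngine/EventLog Analyzer/ES/data/"]
'''

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_layout(cfg) or "OK")
```

    Run it against the elasticsearch.yml you are about to save, before moving any files; the trailing-slash case in BAD_CONFIG is the kind of collision that is easy to miss by eye.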

    Case 1: EventLog Analyzer as a standalone setup (Not integrated with Log360)

    1. Shut down EventLog Analyzer.
    2. Navigate to <Eventlog home>\ES\config\elasticsearch.yml, update path.data to include the new location and save the file.
    3. Move the files from <ManageEngine>\<Eventlog>\ES\data folder to the new location.

    Case 2: EventLog Analyzer is integrated into Log360 and is installed with Log360 installer (Bundled):

    In this case, EventLog Analyzer uses a common ES that is shared with other modules.

    Note:

    With Log360, the integrated module has only one ES, and it can be located in the Admin > Administration and Search Engine Management page. Clicking Details shows that it runs from the <ManageEngine>\elasticsearch\ES folder.

    1. Shut down EventLog Analyzer and Log360.
    2. Shut down the common ES.
      1. Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
      2. Run stopES.bat
    3. Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, update path.data to include the new location and save the file.
    4. Move the files from <ManageEngine>\elasticsearch\ES\data folder to the new location.

    Case 3: EventLog Analyzer is manually integrated into Log360:

    In this case, EventLog Analyzer uses both its existing local ES (from before the integration) and the common ES (after the integration with Log360).

    Note:

    By default, the integrated module has two ES instances, and they can be located in the Admin > Administration and Search Engine Management page. Clicking Details shows that one runs from the EventLog Analyzer <Eventlog home>\ES folder and the other from the <ManageEngine>\elasticsearch\ES folder.

    1. Shut down EventLog Analyzer and Log360.
    2. Shut down the common ES.
      1. Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
      2. Run stopES.bat
    3. Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, update path.data to include the new location and save the file.
    4. Move the files from <ManageEngine>\elasticsearch\ES\data folder to the new location.
    5. Navigate to <ManageEngine>\<Eventlog>\ES\config\elasticsearch.yml, update path.data to include the new location (different from the one given for common ES) and save the file.
    6. Move the files from <ManageEngine>\<Eventlog>\ES\data folder to the new location.

    Steps to move EventLog Analyzer's Elasticsearch data to a new location


    Case 1: EventLog Analyzer as a standalone setup (Not integrated with Log360)

    1. Shut down EventLog Analyzer.
    2. Navigate to <Eventlog home>\ES\config\elasticsearch.yml, update path.data to include the new data location and save the file.
    3. In <Eventlog home>\ES\config\elasticsearch.yml, update path.repo to include the new repository location (parallel to the data directory) and save the file.
    4. Move the files from <ManageEngine>\<Eventlog>\ES\data folder to the new location.
    5. Create a folder with the name archive (parallel to the new data directory).
    6. Move the files from <ManageEngine>\<Eventlog>\ES\archive folder to the new folder named archive.

    Case 2: EventLog Analyzer is integrated into Log360 and is installed with Log360 installer (Bundled):

    In this case, EventLog Analyzer uses a common ES that is shared with other modules.

    Note:

    With Log360, the integrated module has only one ES, and it can be located in the Admin > Administration and Search Engine Management page. Clicking Details shows that it runs from the <ManageEngine>\elasticsearch\ES folder.

    1. Shut down EventLog Analyzer and Log360.
    2. Shut down the common ES.
      1. Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
      2. Run stopES.bat
    3. Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, update path.data to include the new data location and save the file.
    4. Also update path.data in <Eventlog home>\ES\config\elasticsearch.yml to include the new data location (same data location as mentioned in step 3).
    5. Update path.repo in <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml to the new repository location (parallel to the new data path).
    6. Update path.repo in <Eventlog home>\ES\config\elasticsearch.yml to the new repository location (same repository location as mentioned in step 5).
    7. Move the files from <ManageEngine>\elasticsearch\ES\data to the new location.
    8. Create a folder with the name archive (parallel to the new data directory).
    9. Move the files from <ManageEngine>\<Eventlog>\ES\archive folder to the new folder named archive.

    Case 3: EventLog Analyzer is manually integrated into Log360:

    In this case, EventLog Analyzer uses both its existing local ES (from before the integration) and the common ES (after the integration with Log360).

    Note:

    By default, the integrated module has two ES instances, and they can be located in the Admin > Administration and Search Engine Management page. Clicking Details shows that one runs from the EventLog Analyzer <Eventlog home>\ES folder and the other from the <ManageEngine>\elasticsearch\ES folder.

    1. Shut down EventLog Analyzer and Log360.
    2. Shut down the common ES.
      1. Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
      2. Run stopES.bat
    3. Change the common ES:
      1. Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, update path.data to include the new location and save the file.
      2. Update path.repo in <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml to include the new repository location (parallel to path.data).
      3. Move the files from <ManageEngine>\elasticsearch\ES\data to the new location.
    4. Change the local ES (the path here must be different from the one given for the common ES):
      1. Navigate to <ManageEngine>\<Eventlog>\ES\config\elasticsearch.yml, update path.data to include the new location (different from the one given for the common ES) and save the file.
      2. Update path.repo in <ManageEngine>\<Eventlog home>\ES\config\elasticsearch.yml to the same repository location as that of the common ES.
      3. Create a folder with the name archive (parallel to the new data directory).
      4. Move the files from <ManageEngine>\<Eventlog>\ES\data to the new location.
      5. Move the files from <ManageEngine>\<Eventlog>\ES\archive folder to the new folder named archive.

    Note: If you wish to set a dynamic key for encrypting the archive files, follow these steps:
    1. Go to the archive location. By default, files are archived at <EventLog Analyzer Home>\archive. Create a file EncryptedKey.enc.
    2. Open the file using a text editor and enter the dynamic key as text. The key should be exactly 16 characters in length.
    3. Restart the EventLog Analyzer service.

    If you wish to import the files archived using the above dynamic key in another installation of EventLog Analyzer, follow these steps first:

    1. Paste the EncryptedKey.enc file in the installed product archive location.
    2. Restart the product.
    3. Import the required archive files.
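    The dynamic key must be exactly 16 characters, and the most common way to get that wrong is a text editor appending a newline or a byte-order mark on save, which changes the file's length without changing what you see. The following Python helper, added here and not part of the product, writes EncryptedKey.enc byte-exactly and inspects an existing file for those side effects. It assumes the product reads the file as plain ASCII text (so 16 characters means 16 bytes), as "enter the dynamic key as text" suggests; the file name and the archive location come from the steps above, and the demo key is constructed.

```python
import os
import tempfile

KEY_LENGTH = 16  # the procedure above requires exactly 16 characters
KEY_FILE_NAME = "EncryptedKey.enc"


def write_key_file(archive_dir, key):
    """Write the key with no trailing newline and no BOM. Refuses anything that
    is not exactly 16 printable ASCII characters (assumption: the product reads
    the file as plain text, so bytes and characters coincide)."""
    if len(key) != KEY_LENGTH:
        raise ValueError(f"key must be exactly {KEY_LENGTH} characters, got {len(key)}")
    if not key.isascii() or not key.isprintable():
        raise ValueError("key must be printable ASCII")
    path = os.path.join(archive_dir, KEY_FILE_NAME)
    with open(path, "wb") as f:
        f.write(key.encode("ascii"))
    return path


def check_key_file(archive_dir):
    """Return a list of problems with an existing key file; empty means it has
    the expected shape. Catches the usual editor side effects (trailing newline,
    UTF-8 BOM) that silently change the key length."""
    path = os.path.join(archive_dir, KEY_FILE_NAME)
    if not os.path.isfile(path):
        return [f"{KEY_FILE_NAME} not found in {archive_dir}"]
    with open(path, "rb") as f:
        raw = f.read()
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 byte-order mark")
    if raw.endswith((b"\n", b"\r")):
        problems.append("file ends with a newline (most editors add one on save)")
    if len(raw) != KEY_LENGTH:
        problems.append(f"file is {len(raw)} bytes, expected exactly {KEY_LENGTH}")
    return problems


def demo():
    """Returns (problems for a correctly written key, problems for an
    editor-saved key that gained a trailing newline)."""
    with tempfile.TemporaryDirectory() as archive_dir:
        write_key_file(archive_dir, "constructedkey16")  # constructed 16-char key
        good = check_key_file(archive_dir)
        # Simulate an editor that appends a newline on save.
        with open(os.path.join(archive_dir, KEY_FILE_NAME), "ab") as f:
            f.write(b"\n")
        bad = check_key_file(archive_dir)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

    Point check_key_file at the real archive location (by default <EventLog Analyzer Home>\archive) before restarting the service, and again on the second installation after pasting the file, since a copy through an editor or a mail client can reintroduce the newline.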