Replies: 4 comments 2 replies
-
|
I am also interested in doing the same thing with our deployment. @B3DTech have you gotten any updates? |
Beta Was this translation helpful? Give feedback.
-
|
Unfortunately no. You can use normal elastic tools to back up the indicies and truncate them I guess, and when you do that, automate the migration of the associated time window of pcap data to cloud storage. There is no built in way to do it now though. |
Beta Was this translation helpful? Give feedback.
-
|
Since SO is now at 2.3.200 Is this possible? |
Beta Was this translation helpful? Give feedback.
-
|
A couple of clarifying questions:
|
Beta Was this translation helpful? Give feedback.
-
|
Storage is relatively cheap. |
Beta Was this translation helpful? Give feedback.
-
|
So I think the answer you are looking for is. "No". there isn't any "good" way to backup the pcap and elastic data. However this is/was a topic I spent some time on in the past and IMO the smartest thing to do would be to have a cronjob script to export the pcacp data to another mounted drive, NFS or other external share to and then store at that remote location. PCAPs can always be pulled back into the system manually and re-run and queried or even just pushed through an analyst workstation at a later time. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
So we want to expand our storage so that we can go from 2 to 4 weeks of pcap storage, and 2 to at least 4 weeks of search data storage. That's the easy part.
Wondering if:
Ideally, we'd like to have 30 days of online pcap and elastic data, and be able to fairly quick pull in previous, backed data to research old incidents.
What are thoughts on best practices around this? This seems like the best balance of expensive, online storage and inexpensive long term storage like S3 Glacier.
Thanks!
Beta Was this translation helpful? Give feedback.
All reactions