Friday, April 23, 2010

Symantec SIM - High Availability - Restoring Incidents

The following is not supported by Symantec. Modify at your own risk:

In the event of a catastrophic failure on an SSIM correlation device, we need to be able to restore the incidents on a secondary backup SSIM. A DB2 restore from the web console effectively restores the incidents; however, if you attempt to drill down into an incident to pull up additional information on specific events, it will still reference the archive on the failed SSIM. We need to be able to reference the new archive on the secondary SSIM.


Events stored in /eventarchive are regularly backed up to an external storage device. These events are transferred to the secondary backup SSIM if the primary SSIM fails, so the filenames stored in /eventarchive on both devices will be identical.

To re-point the incidents to the new archive, a new unique archive ID needs to be generated, and the incidents need to point to the new archive ID. You cannot have two archives with the same ID even if they are on different correlation managers.

The incidents reference the event archive via a hex encoded value.

Issue the following query as db2admin:

$ db2 connect to sesa
$ db2 -x "SELECT SESA_GUID FROM symcmgmt.symc_imr_associated_event_view"

Example output:
638a:20100318103824:700001

The first item before the colon (638a) references the unique archive ID. This needs to be changed to the new archive ID of the secondary backup SSIM.
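As an added example (not from the original post and not Symantec code), the Python helper below parses the lines printed by the query above, checks that each SESA_GUID has the expected hex-archive-ID:timestamp:sequence shape, and rewrites the archive-ID field from the failed SSIM's ID to the new one, leaving anything it does not recognise untouched. The new archive ID 7b41 and the sample output are constructed; how the rewritten values are written back to DB2 is not covered by the post, so the helper only produces the old-to-new mapping.

```python
import re

# Shape of the SESA_GUID values shown in the post: <archive-id (hex)>:<timestamp>:<sequence>
GUID_RE = re.compile(r"^([0-9a-fA-F]+):(\d+):(\d+)$")


def rewrite_guid(guid, old_archive_id, new_archive_id):
    """Return guid with its archive-ID field swapped from old to new.

    Returns None when the value is not in the expected form or belongs to a
    different archive, so a caller never blindly rewrites a reference it does
    not understand.
    """
    m = GUID_RE.match(guid.strip())
    if not m:
        return None
    archive_id, timestamp, sequence = m.groups()
    if archive_id.lower() != old_archive_id.lower():
        return None
    return f"{new_archive_id.lower()}:{timestamp}:{sequence}"


def repoint_archive(db2_output, old_archive_id, new_archive_id):
    """Process the raw output of `db2 -x "SELECT SESA_GUID ..."`.

    Returns (mapping of old GUID -> new GUID, list of lines left untouched).
    """
    # Archive IDs must be unique across correlation managers, so refuse a no-op.
    if old_archive_id.lower() == new_archive_id.lower():
        raise ValueError("new archive ID must differ from the old archive ID")
    if not re.fullmatch(r"[0-9a-fA-F]+", new_archive_id):
        raise ValueError("archive ID must be a hex string")
    mapping, skipped = {}, []
    for line in db2_output.splitlines():
        line = line.strip()
        if not line:
            continue
        rewritten = rewrite_guid(line, old_archive_id, new_archive_id)
        if rewritten is None:
            skipped.append(line)
        else:
            mapping[line] = rewritten
    return mapping, skipped


# Constructed sample output (not real data); 9f2c stands in for an unrelated archive.
SAMPLE_OUTPUT = """638a:20100318103824:700001
638a:20100318103901:700002
9f2c:20100317225500:600010
"""

if __name__ == "__main__":
    mapping, skipped = repoint_archive(SAMPLE_OUTPUT, "638a", "7b41")
    for old, new in mapping.items():
        print(f"{old} -> {new}")
    for line in skipped:
        print(f"left untouched: {line}")
```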
