Databases require ongoing maintenance to prevent poor application performance, system downtime, and data loss. Here are Chronicle SOAR guidelines for the maintenance of your Chronicle SOAR database (PostgreSQL server).

Monitoring

Please note that the customer is responsible for Monitoring.

Please make sure to use your company’s monitoring tools to monitor the following:

  • Disk space and system load (800 GB disk). If disk usage exceeds 80%, please contact Support.
  • CPU. If CPU usage exceeds 80% for more than 5 consecutive minutes, please contact Support.
  • Memory. If memory usage exceeds 80% for more than 5 consecutive minutes, please contact Support.

One option for monitoring is to use the Chronicle SOAR Job “Machine Resource Utilization” in the Chronicle SOAR Platform.
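As an added example (not the Chronicle SOAR "Machine Resource Utilization" job and not Chronicle SOAR code), the script below applies the three thresholds above on the database host: disk usage over 80%, and CPU or memory over 80% in five consecutive one-minute samples. It assumes a Linux host with /proc and df; the PostgreSQL data directory path is a placeholder.

```shell
#!/bin/sh
# Added example: resource check implementing the thresholds from the guidelines
# (80% disk; CPU or memory above 80% for 5 minutes in a row). Not Chronicle SOAR's
# own tooling. Assumes Linux (/proc, df); the data directory path is a placeholder.

# Percentage in use of the filesystem holding the PostgreSQL data directory.
disk_used_pct() {
    df -P "${1:-/var/lib/pgsql}" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Memory in use as a percentage, from /proc/meminfo (MemTotal minus MemAvailable).
mem_used_pct() {
    awk '/^MemTotal:/ { t = $2 } /^MemAvailable:/ { a = $2 }
         END { if (t > 0) printf "%d\n", int((t - a) * 100 / t); else print 0 }' /proc/meminfo
}

# CPU busy percentage between two "cpu" lines from /proc/stat. Fields after the
# label are user nice system idle iowait irq softirq steal ...; idle + iowait
# count as idle time, everything else as busy.
cpu_busy_from_stat() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { t = 0; for (i = 2; i <= NF; i++) t += $i; idle = $5 + $6 }
        NR == 1 { t1 = t; i1 = idle }
        NR == 2 { dt = t - t1; di = idle - i1
                  if (dt > 0) printf "%d\n", int((dt - di) * 100 / dt); else print 0 }'
}

# Measure CPU busy percentage over $1 seconds (default 1).
cpu_busy_pct() {
    first=$(head -n 1 /proc/stat); sleep "${1:-1}"; second=$(head -n 1 /proc/stat)
    cpu_busy_from_stat "$first" "$second"
}

# True (exit 0) when an integer percentage exceeds the limit (default 80).
over_threshold() {
    [ "$1" -gt "${2:-80}" ]
}

# True only when at least five samples were given and every one exceeds the
# limit: one sample per minute makes this the "5 minutes in a row" rule.
sustained_over() {
    limit="$1"; shift
    count=0
    for s in "$@"; do
        [ "$s" -gt "$limit" ] || return 1
        count=$((count + 1))
    done
    [ "$count" -ge 5 ]
}

# Collect five samples from the sampler function named in $1, $2 seconds apart.
five_samples() {
    n=0; out=""
    while [ "$n" -lt 5 ]; do
        out="$out $("$1")"
        n=$((n + 1))
        if [ "$n" -lt 5 ]; then sleep "$2"; fi
    done
    echo "$out"
}

# Run all three checks; exit status 1 when any guideline threshold is breached.
check_resources() {
    status=0
    disk=$(disk_used_pct)
    if over_threshold "$disk" 80; then
        echo "ALERT: disk ${disk}% used, contact Support"; status=1
    fi
    if sustained_over 80 $(five_samples cpu_busy_pct 60); then
        echo "ALERT: CPU above 80% for 5 minutes, contact Support"; status=1
    fi
    if sustained_over 80 $(five_samples mem_used_pct 60); then
        echo "ALERT: memory above 80% for 5 minutes, contact Support"; status=1
    fi
    return "$status"
}

# Only run the live checks when invoked as: sh resource-check.sh check
if [ "${1:-}" = check ]; then check_resources; fi
```

Run it from cron or your monitoring agent's script runner and alert on a non-zero exit; the pure helpers (cpu_busy_from_stat, over_threshold, sustained_over) take their input as arguments so the threshold logic can be tested without a live host.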

Refer here for full information on data prerequisites.

Backup

Please note that Chronicle SOAR is responsible for the Backup procedure.

A database backup strategy is an important focus of any maintenance plan. While primarily meant to protect against data loss, database backups may also be necessary to address other significant maintenance requirements.

Chronicle SOAR provides a built-in capability to run a daily full backup. You can use this option for an all-in-one deployment. However, we recommend running an external backup, with an incremental backup every day and a full backup once a week. Folder retention can handle two full backup files (i.e. the last two weeks).
Chronicle SOAR best practice is that for one-year retention the backup folder should be 450 GB. The database backup files must be stored in an external share folder.
For information on using the Chronicle SOAR Backup Settings, click here.

A PostgreSQL backup can easily be performed with pg_dump (or pgAdmin, depending on your requirements). Note that taking the dump does not modify the database itself. However, this becomes impractical if the database is bigger than a couple of GB.
For more information on backing up and restoring a PostgreSQL database, click here.
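The following is an added example, not the Chronicle SOAR built-in backup and not the project's own script. It covers the weekly full pg_dump to an external share and the "two full backup files" retention from the recommendation above, and verifies each dump with pg_restore --list before trusting it; the daily incremental part of the recommended schedule is not shown. The share path, database name and scratch database name are placeholders. The same custom-format dump is also what you would carry across servers for the Import and Export procedure.

```shell
#!/bin/sh
# Added example: weekly full backup with pg_dump plus two-file retention.
# Not Chronicle SOAR's built-in backup. Assumes pg_dump/pg_restore/createdb on
# PATH, a role with read access (credentials via ~/.pgpass or PG* variables),
# and an external share mounted at BACKUP_DIR. Paths and names are placeholders.

BACKUP_DIR="${BACKUP_DIR:-/mnt/backup-share/soar-db}"   # external share (placeholder)
PGDATABASE="${PGDATABASE:-soar}"                          # database name (placeholder)
KEEP_FULL="${KEEP_FULL:-2}"                               # guideline: two full backups kept
SCRATCH_DB="${SCRATCH_DB:-soar_restore_test}"             # restore-drill target (placeholder)

# Full logical backup in custom format (-Fc): compressed and selectively
# restorable with pg_restore. The UTC timestamp in the name sorts lexically.
full_backup() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$BACKUP_DIR/full-$PGDATABASE-$stamp.dump"
    pg_dump -Fc --no-password -d "$PGDATABASE" -f "$out" || return 1
    # A dump pg_restore cannot even list is not a usable backup: verify before trusting it.
    pg_restore --list "$out" > /dev/null || { echo "verify failed: $out" >&2; return 1; }
    echo "$out"
}

# Keep only the newest $2 full dumps in directory $1 and delete the rest.
# Sorting by name is enough because the timestamp is lexicographically ordered.
prune_full_backups() {
    dir="$1"; keep="$2"
    ls -1 "$dir" | grep '^full-.*\.dump$' | sort -r | tail -n +"$((keep + 1))" |
    while read -r f; do
        rm -f -- "$dir/$f"
    done
}

# Number of full dumps remaining (sanity check after pruning).
count_full_backups() {
    ls -1 "$1" | grep -c '^full-.*\.dump$'
}

# Restore drill: load the newest dump into a scratch database to prove the
# backup is actually restorable. Requires the CREATEDB privilege.
restore_drill() {
    newest=$(ls -1 "$BACKUP_DIR"/full-*.dump | sort -r | head -n 1)
    createdb "$SCRATCH_DB" || return 1
    pg_restore --no-password -d "$SCRATCH_DB" "$newest"
}

# Weekly entry point: sh pg-backup.sh run   (e.g. from cron on the backup day)
if [ "${1:-}" = run ]; then
    full_backup && prune_full_backups "$BACKUP_DIR" "$KEEP_FULL"
fi
```

Schedule the run from cron on the weekly backup day, and run restore_drill periodically on a non-production host: a backup that has never been restored is an assumption, not a recovery plan.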

Import and Export

Please note that Google is responsible for the Import and Export procedure.

In order to ensure smooth migration from one server to another, or to move from a single node to an HA mode, we need to export and import the database. For more details on Import and Export for PostgreSQL, click here.

Routine Tasks

Vacuum Freeze

Please note that Google is responsible for the Vacuum Freeze procedure.

Chronicle SOAR performs a vacuum freeze periodically, at an interval that depends on the customer's data load and volume. This procedure is needed to recover or reuse disk space, update data statistics, update the visibility map, and protect against loss of very old data. Vacuum freeze speeds up and optimizes database performance.
For more details on vacuum freeze, please click here.

Reindex

Please note that Google is responsible for the Reindex procedure.

Chronicle SOAR periodically rebuilds indexes with the reindex command. The exact interval depends on the customer's data and on the volume of changes to their database.
For full details on reindexing, please click here.
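Because Google runs both the Vacuum Freeze and Reindex procedures, what a customer DBA mostly needs is a way to see when they are due. The script below is an added example, not Chronicle SOAR's maintenance job, serving both sections above: it reports each database's transaction-ID age against autovacuum_freeze_max_age (the "very old data" the vacuum freeze protects is data older than the transaction-ID horizon), lists tables whose dead-tuple share suggests reclaimable space, and shows the freeze and reindex commands for one table or database. It assumes psql and vacuumdb on PATH with connection settings from the usual PG* environment variables; the 50% and 20% trigger points are this example's own policy, not values from the page.

```shell
#!/bin/sh
# Added example: vacuum-freeze and reindex readiness report. Not Chronicle SOAR's
# maintenance job. Assumes psql/vacuumdb on PATH and PG* environment variables
# for the connection. The 50% (freeze) and 20% (dead tuples) limits are this
# example's assumptions.

# Transaction-ID age of every connectable database beside the server's
# autovacuum_freeze_max_age. When age reaches that setting, autovacuum forces an
# anti-wraparound vacuum; acting earlier keeps the work scheduled, not forced.
xid_age_report() {
    psql -At -c "SELECT datname, age(datfrozenxid),
                        current_setting('autovacuum_freeze_max_age')::int
                 FROM pg_database WHERE datallowconn"
}

# Pure helper: true when age has passed $3 percent (default 50) of the limit.
# limit / 100 * pct keeps the arithmetic small for 32-bit shells.
needs_freeze() {
    age="$1"; limit="$2"; pct="${3:-50}"
    [ "$age" -gt $((limit / 100 * pct)) ]
}

# Pure helper: dead tuples as an integer percentage of all tuples in a table.
dead_tuple_pct() {
    dead="$1"; live="$2"
    total=$((dead + live))
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    echo $((dead * 100 / total))
}

# Tables whose dead-tuple share exceeds $1 percent (default 20), as quoted
# schema.table identifiers (format('%I.%I') quotes mixed-case names for us).
bloated_tables() {
    psql -At -c "SELECT format('%I.%I', schemaname, relname), n_dead_tup, n_live_tup
                 FROM pg_stat_user_tables" |
    while IFS='|' read -r qualified dead live; do
        if [ "$(dead_tuple_pct "$dead" "$live")" -gt "${1:-20}" ]; then
            echo "$qualified"
        fi
    done
}

# Freeze and analyze every table of one database (what the page's periodic
# vacuum freeze does for the whole database).
freeze_database() {
    vacuumdb --freeze --analyze -d "$1"
}

# Freeze, re-analyze and reindex one table. Each statement is its own
# transaction on stdin (VACUUM cannot run inside a transaction block).
# REINDEX TABLE locks the table against writes; REINDEX ... CONCURRENTLY
# (PostgreSQL 12 and later) avoids that at the cost of a longer run.
maintain_table() {
    psql -v ON_ERROR_STOP=1 <<SQL
VACUUM (FREEZE, ANALYZE) $1;
REINDEX TABLE $1;
SQL
}

# Report only; nothing is changed unless you call freeze_database/maintain_table.
report() {
    xid_age_report | while IFS='|' read -r db age limit; do
        if needs_freeze "$age" "$limit"; then
            echo "freeze due: $db xid age $age of limit $limit"
        else
            echo "ok: $db xid age $age of limit $limit"
        fi
    done
    bloated_tables 20 | while read -r t; do
        echo "vacuum/reindex candidate: $t"
    done
}

# Invoke as: sh pg-maintenance-report.sh report
if [ "${1:-}" = report ]; then report; fi
```

Keep this to the report mode on a Chronicle SOAR host, since the freeze and reindex runs themselves are Google's responsibility; the same xid-age and dead-tuple numbers are what you would quote to Support if disk usage or performance degrades between scheduled runs.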

Patching

Please note that Google is responsible for the Patching procedure.

Although Chronicle SOAR relies on the publicly available CentOS repositories, we do not recommend that you apply untested patches on your production system.

All Chronicle SOAR releases and updates, both major and minor, are certified to work on a fully patched CentOS system. In addition, all of the software components installed by Chronicle SOAR (PostgreSQL, Elasticsearch) are updated with each release of Chronicle SOAR.

Major upgrades in the OS, for example from CentOS 7.5 to 8.0, will be addressed as part of a Chronicle SOAR major release.
Should a critical vulnerability be exposed in the OS, our teams will test Chronicle SOAR against the patch and release a corresponding minor update, which our engineers can install along with the OS patch.