Database Maintenance
Databases require ongoing maintenance to prevent poor application performance, system downtime, and data loss. The following are the Chronicle SOAR guidelines for maintaining your Chronicle SOAR database (PostgreSQL server).
Monitoring
Please note that the customer is responsible for Monitoring.
Please make sure to use your company’s monitoring tools to monitor the following:
- Disk space and system load (800GB). If disk space usage exceeds 80%, please contact Support.
- CPU. If CPU usage exceeds 80% for more than 5 minutes in a row, please contact Support.
- Memory. If memory usage exceeds 80% for more than 5 minutes in a row, please contact Support.
One option for monitoring is to use the Chronicle SOAR job “Machine Resource Utilization” in the Chronicle SOAR Platform.
Refer here for full information on data prerequisites.
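The thresholds above are easy to wire into any monitoring tool, but the "for more than 5 minutes in a row" condition is the part that is usually done wrong (a single spike should not page anyone). The script below is an added example, not Chronicle SOAR code or its “Machine Resource Utilization” job: it parses `df -P` and `free -m` output, keeps a small per-metric state file, and only reports a breach when the whole window is above the threshold. It assumes one sample per minute (so 5 consecutive samples equal 5 minutes), that the state directory path is chosen by the caller, and the sample `df`/`free` text at the bottom is constructed for offline testing.

```shell
#!/bin/sh
# Added example; not part of Chronicle SOAR. Applies the page's thresholds and
# assumes one sample per minute, so "more than 5 minutes in a row" is checked
# as 5 consecutive samples above the threshold.
THRESHOLD_PCT=80
SUSTAINED_SAMPLES=5

# used_pct_from_df MOUNT DF_TEXT
# Parse `df -P` output (POSIX format, one filesystem per line) and print the
# use% of the filesystem mounted at MOUNT, without the '%' sign.
used_pct_from_df() {
    mnt=$1; df_text=$2
    printf '%s\n' "$df_text" |
        awk -v m="$mnt" 'NR > 1 && $6 == m { sub(/%/, "", $5); print $5 }'
}

# mem_used_pct FREE_TEXT
# Parse `free -m` output and print used memory as an integer percentage of total.
mem_used_pct() {
    printf '%s\n' "$1" | awk '$1 == "Mem:" { printf "%d\n", ($3 * 100) / $2 }'
}

# sustained_over THRESHOLD COUNT SAMPLE...
# Succeed (exit 0) only if some COUNT consecutive samples are all above
# THRESHOLD, i.e. the condition held for the whole window, not a single spike.
sustained_over() {
    threshold=$1; needed=$2; shift 2
    run=0
    for sample in "$@"; do
        if [ "$sample" -gt "$threshold" ]; then
            run=$((run + 1))
        else
            run=0
        fi
        if [ "$run" -ge "$needed" ]; then
            return 0
        fi
    done
    return 1
}

# record_and_check NAME VALUE STATE_DIR
# Append VALUE to STATE_DIR/NAME, keep only the last SUSTAINED_SAMPLES entries,
# and succeed if that window is entirely above THRESHOLD_PCT. Called once per
# minute from cron, this implements "exceeds 80% for more than 5 minutes in a row".
record_and_check() {
    name=$1; value=$2; state_dir=$3
    f="$state_dir/$name"
    echo "$value" >> "$f"
    tail -n "$SUSTAINED_SAMPLES" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    # shellcheck disable=SC2046  (word-splitting the file contents is intended)
    sustained_over "$THRESHOLD_PCT" "$SUSTAINED_SAMPLES" $(cat "$f")
}

# check_live STATE_DIR: one cron run on the database host.
# Disk is reported immediately (the page gives no time window for it);
# memory is reported only when sustained.
check_live() {
    state_dir=$1
    disk=$(used_pct_from_df / "$(df -P /)")
    if [ "$disk" -gt "$THRESHOLD_PCT" ]; then
        echo "disk usage on / is ${disk}% (> ${THRESHOLD_PCT}%): contact Support"
    fi
    mem=$(mem_used_pct "$(free -m)")
    if record_and_check memory "$mem" "$state_dir"; then
        echo "memory usage above ${THRESHOLD_PCT}% for ${SUSTAINED_SAMPLES} samples in a row: contact Support"
    fi
}

# Constructed sample output (not from a real host) so the parsers can be
# exercised without running df/free.
SAMPLE_DF="Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/sda1        838860800 713031680 125829120      85% /
/dev/sdb1        524288000 220200960 304087040      42% /data"
SAMPLE_FREE="              total        used        free      shared  buff/cache   available
Mem:          16000       13600         800         100        1600        2000
Swap:          4096           0        4096"
```

Run `check_live /var/lib/soar-monitor` (any writable directory) from a `* * * * *` cron entry; the state file guarantees that a breach is only reported after five consecutive minutes, and a single reading below the threshold resets the window. CPU can be handled the same way by feeding `record_and_check cpu` a value from your preferred sampler.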
Backup
Please note that Chronicle SOAR is responsible for the Backup procedure.
A database backup strategy is an important focus of any maintenance plan. While primarily meant to protect against data loss, database backups may also be necessary to address other significant maintenance requirements.
Chronicle SOAR provides a built-in capability to run a daily full backup. You can use this option for an all-in-one deployment. However, we recommend running an external backup, with an incremental backup every day and a full backup once a week. Folder retention can handle two full backup files (i.e. the last two weeks).
Chronicle SOAR best practice is that for one year of retention the backup folder should be 450 GB. The database backup files must be stored in an external share folder.
For information on using the Chronicle SOAR Backup Settings, click here.
A PostgreSQL backup can be easily performed with pg_dump (or pgAdmin, depending on your requirements). Note that making a copy of the database this way has no impact on it. However, this becomes impractical if the database is bigger than a couple of GB.
For more information on backing up and restoring a PostgreSQL database, click here.
Import and Export
Please note that Google is responsible for the Import and Export procedure.
To migrate smoothly from one server to another, or to move from a single node to HA mode, the database must be exported and imported. For more details on Import and Export for PostgreSQL, click here.
Routine Tasks
Vacuum Freeze
Please note that Google is responsible for the Vacuum Freeze procedure.
Chronicle SOAR performs a vacuum freeze periodically, depending on the customer’s data load and volume. This is an important procedure which needs to be performed in order to recover or reuse disk space, update data statistics, update the visibility map, and protect against loss of very old data (transaction ID wraparound). The Vacuum Freeze procedure speeds up and optimizes database performance.
For more details on vacuum freeze, please click here.
Reindex
Please note that Google is responsible for the Reindex procedure.
Chronicle SOAR periodically rebuilds indexes with the REINDEX command. The exact period depends on the customer’s data and the volume of changes in their database.
For full details on reindexing, please click here.
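Both routine tasks above (Vacuum Freeze and Reindex) are run by Google on a schedule driven by data volume, but knowing how the need for a freeze is measured helps when reading the PostgreSQL logs or deciding whether to raise a ticket. The script below is an added example and not Chronicle SOAR's internal procedure: it reads `age(datfrozenxid)` per database (the number of transactions since each database's oldest unfrozen row), lists the databases past a threshold, and shows the corresponding `VACUUM (FREEZE)` and `reindexdb` invocations. `FREEZE_AGE_THRESHOLD` is this example's own trigger, chosen below PostgreSQL's default `autovacuum_freeze_max_age` of 200 million; the database names in the sample rows are placeholders, and the sample itself is constructed `psql -At` output for offline testing.

```shell
#!/bin/sh
# Added example; not Chronicle SOAR's internal vacuum/reindex procedure.
# Assumes psql/reindexdb are on PATH and can connect as the current OS user.
# PostgreSQL forces an anti-wraparound vacuum at autovacuum_freeze_max_age
# (200 million by default); this example's threshold sits below it so the
# freeze happens on our schedule rather than the server's.
FREEZE_AGE_THRESHOLD=150000000

# Per-database age of the oldest unfrozen transaction ID (pg_database.datfrozenxid).
AGE_QUERY="SELECT datname, age(datfrozenxid) FROM pg_database ORDER BY 2 DESC;"

# databases_needing_freeze THRESHOLD ROWS
# ROWS is `psql -At` output, one "datname|age" per line; print the names whose
# age is at or above THRESHOLD, in the order given.
databases_needing_freeze() {
    threshold=$1; rows=$2
    printf '%s\n' "$rows" |
        awk -F'|' -v t="$threshold" 'NF == 2 && ($2 + 0) >= (t + 0) { print $1 }'
}

# freeze_database DBNAME: freeze every table in the database. VERBOSE makes
# psql report pages scanned/frozen, which is what you want in the maintenance log.
freeze_database() {
    psql -d "$1" -c "VACUUM (FREEZE, VERBOSE);"
}

# reindex_database DBNAME: rebuild all indexes in the database. reindexdb ships
# with PostgreSQL; --concurrently (PostgreSQL 12+) avoids blocking writes for
# the duration. Drop the flag on older servers, and schedule it off-peak either way.
reindex_database() {
    reindexdb --concurrently --dbname="$1"
}

# live_freeze_check: query the ages and freeze whatever is past the threshold.
# template0 never appears here because its age stays far below any sane threshold
# and it is not connectable anyway.
live_freeze_check() {
    rows=$(psql -At -c "$AGE_QUERY" postgres) || return 1
    for db in $(databases_needing_freeze "$FREEZE_AGE_THRESHOLD" "$rows"); do
        echo "freezing $db"
        freeze_database "$db"
    done
}

# Constructed `psql -At` output (placeholder names, not from a real server):
# two databases past the threshold, the system databases far below it.
SAMPLE_ROWS="soar_db_placeholder|163000000
reports_placeholder|151000000
postgres|1200000
template1|1200000
template0|1200000"
```

`VACUUM (FREEZE)` and `REINDEX` are both heavy on I/O, so on a busy SOAR instance they belong in the same off-peak window the page describes for routine tasks; the age query itself is cheap and safe to run from monitoring at any time.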
Patching
Please note that Google is responsible for the Patching procedure.
Although Chronicle SOAR relies on the publicly available CentOS repositories, we do not recommend applying untested patches to your production system.
All Chronicle SOAR releases and updates, both major and minor, are certified to work on a fully patched CentOS system. In addition, all of the software components installed by Chronicle SOAR (PostgreSQL, Elasticsearch) are updated with each release of Chronicle SOAR.
Major upgrades of the OS, for example from CentOS 7.5 to 8.0, will be addressed as part of a Chronicle SOAR major release.
Should a critical vulnerability be exposed in the OS, our teams will test Chronicle SOAR against the patch and release a corresponding minor update, which our engineers can install along with the OS patch.