Silo Archiving

Terms

silo – An Elasticsearch index used to store LCE events data; a silo is always part of activeDb.

snapshot – An archived silo; a snapshot is always part of archiveDb.

Configuration

  • Total size of activeDb is limited by config attribute active-size (default: 20 TB).
  • Total size of archiveDb is limited by config attribute archive-size (default: 20 TB).

Control Flow

Every 3.5 minutes, LCE will:

  1. read in the results of the last-executed action, from lce_status.db

  2. choose the next action to take based on the last-executed action

  3. perform the next action and store results in lce_status.db

Storing the state in this manner has the following advantages:

  • simplicity (no separate logic to handle reloads/restarts is needed)

  • transparency (to see exactly where the archival algorithm is, just query lce_status.db)

  • available emergency override (can alter the control flow by updating lce_status.db)

    Note: This is not standard operating procedure and should only be performed in very rare cases.

LCE waits at most 75 minutes for an archive job to complete, so that it does not remain in the CheckArchiveDone state indefinitely in the rare case that Elasticsearch never reports the archive job as complete.

Note: Archiving a silo normally takes 6 to 8 minutes.
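The read/choose/perform/store loop above, with the 75-minute CheckArchiveDone timeout, is easiest to see as a small persisted state machine. The following is an added illustration written for this page, not LCE's own code: it keeps the last action in a one-row SQLite table standing in for lce_status.db, uses the page's 3.5-minute interval, 75-minute timeout and 20 TB active-size default, and names the states other than CheckArchiveDone (Idle, StartArchive, ArchiveTimedOut) as hypothetical placeholders, since the page does not list them. Because every decision is derived from the stored row, a restart simply resumes from the last recorded action, and an operator can inspect or (in an emergency) update that row.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Intervals and limits stated on the page
TICK = timedelta(minutes=3.5)             # how often LCE runs the loop
ARCHIVE_TIMEOUT = timedelta(minutes=75)   # maximum wait in CheckArchiveDone
ACTIVE_SIZE_DEFAULT = 20 * 1024 ** 4      # active-size default: 20 TB

# CheckArchiveDone is named on the page; the other state names are hypothetical
IDLE = "Idle"
START_ARCHIVE = "StartArchive"
CHECK_ARCHIVE_DONE = "CheckArchiveDone"
ARCHIVE_TIMED_OUT = "ArchiveTimedOut"


def open_status_db(path=":memory:", now=None):
    """Open (or create) the status database: one row holding the last action."""
    now = now or datetime.now(timezone.utc)
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS status ("
        " id INTEGER PRIMARY KEY CHECK (id = 1),"
        " last_action TEXT NOT NULL,"
        " started_at TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT OR IGNORE INTO status (id, last_action, started_at) VALUES (1, ?, ?)",
        (IDLE, now.isoformat()),
    )
    conn.commit()
    return conn


def read_status(conn):
    """Step 1: read the last-executed action and when the current archive phase began."""
    action, started = conn.execute(
        "SELECT last_action, started_at FROM status WHERE id = 1"
    ).fetchone()
    return action, datetime.fromisoformat(started)


def choose_next(last_action, started_at, now, active_bytes, archive_done,
                active_limit=ACTIVE_SIZE_DEFAULT):
    """Step 2: pick the next action from the persisted state plus current observations."""
    if last_action in (IDLE, ARCHIVE_TIMED_OUT):
        # Archive only when activeDb has grown past active-size
        return START_ARCHIVE if active_bytes > active_limit else IDLE
    if last_action == START_ARCHIVE:
        return CHECK_ARCHIVE_DONE
    if last_action == CHECK_ARCHIVE_DONE:
        if archive_done:
            return IDLE
        if now - started_at >= ARCHIVE_TIMEOUT:
            return ARCHIVE_TIMED_OUT   # give up instead of waiting forever
        return CHECK_ARCHIVE_DONE
    raise ValueError(f"unknown state in status db: {last_action!r}")


def tick(conn, now, active_bytes, archive_done):
    """One 3.5-minute iteration: read, choose, perform, store. Returns the action taken."""
    last_action, started_at = read_status(conn)
    nxt = choose_next(last_action, started_at, now, active_bytes, archive_done)
    # Step 3: the "perform" part is simulated here; a real loop would call Elasticsearch.
    # The phase clock is reset only when a new archive job starts, so the 75-minute
    # limit keeps counting across repeated CheckArchiveDone ticks and across restarts.
    started = now if nxt == START_ARCHIVE else started_at
    conn.execute(
        "UPDATE status SET last_action = ?, started_at = ? WHERE id = 1",
        (nxt, started.isoformat()),
    )
    conn.commit()
    return nxt


def simulate(observations, now=None):
    """Drive the loop over a constructed list of (active_bytes, archive_done) samples."""
    now = now or datetime(2018, 1, 1, tzinfo=timezone.utc)
    conn = open_status_db(now=now)
    trail = []
    for active_bytes, archive_done in observations:
        trail.append(tick(conn, now, active_bytes, archive_done))
        now += TICK
    return trail


if __name__ == "__main__":
    over_limit = ACTIVE_SIZE_DEFAULT + 1
    # Elasticsearch never reports completion: 1 StartArchive, 21 CheckArchiveDone ticks
    # (73.5 minutes), then the 75-minute limit trips on the 22nd check.
    print(simulate([(over_limit, False)] * 23))
```

With 3.5-minute ticks the timeout trips on the first check at or past 75 minutes after StartArchive, i.e. the 22nd CheckArchiveDone tick (77 minutes), which is how a practitioner can predict from lce_status.db alone when a stuck job will be abandoned.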

See Elasticsearch Administration and Troubleshooting Utilities for descriptions of relevant archiving tools.


Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.