Archiver hot storage - data restoration
Can anyone throw some light on Archiver data restoration and subsequent consumption? I've got hot storage configured. Now, how would I use data backed up to the Archiver with the Reporting module, for instance? Can somebody please help explain data restoration and/or consumption from the Archiver in SA operations/reporting?
The Archiver can be queried like a Concentrator or Broker to retrieve data. If you want to run a report or a query against that data, you simply target it as your data source. If you have multiple Archivers, they can be combined into a single data source by using a Broker just like you would with multiple Concentrators.
Note that if you want to query specific meta keys, you need to make sure that your Archiver is ingesting those keys. To check that, you can go to Archiver --> Config and on the General tab, look at the Meta Include column:
Anything in that list can be queried as normal. You can pull more or fewer meta keys, but that will affect storage on your Archiver. Raw logs can be compressed much better than metadata.