Between Security Analytics versions 8.2.8 and 8.3.1, the way meta data (index data) is stored in the file system changed. After upgrading to 8.3.1, this "legacy meta data" could still be accessed through the "Legacy" menu option in the GUI. Over time, this legacy meta data will get overwritten. However, in 8.4.1 the legacy meta data is no longer compatible: the upgrade will fail and the system will reboot back into 8.3.1.
To determine how much legacy meta data will be deleted, log in to the GUI and go to the Capture > Summary page. Below the capture summary graph, there is a table that lists the Legacy Oldest Meta as well as the Oldest Meta. Only the Legacy Oldest Meta will be lost if the steps below are followed.
If there is no listing for Legacy Oldest Meta, then the upgrade to 8.4.1 will complete successfully.
NOTE: These steps will delete all legacy meta data (data captured before 8.3.1). Any data captured before 8.3.1 will no longer be accessible. Depending on how much legacy meta data there is on the appliance, it could take hours (if not days) for the deletion to complete. Unfortunately there is no way to monitor the progress of the deletion.
This process can be completed during production. Capture and indexing will continue as normal.
Run the following commands:
service monit stop
service solera-gaugefs stop
nohup rm -rf /pfs2/flows &
Once the process has completed and the /pfs2/flows directory no longer exists, run:
service monit start
The 8.4.1 upgrade will then complete without errors.