There are four types of database stages associated with CA UARM. This can cause some confusion. The following descriptions will help eliminate some confusion.
There are 4 databases states for CA UARM
- Raw Database: Events are prepared for insertion and indexing, for approximately 1 minute
Hot Database: Events remain here until the configured number of rows is reached
- Then the events are inserted into the Hot Database
Warm Database: are compressed and cataloged hot databases
- The event storage log can be 2 to 3 Gigs or larger depending on the size of the events being collected and the number of rows configured.
- The default number of rows is 2,000,000. The lowest configurable number of rows is 50,000.
Cold Database: Houses events that have been moved to a remote storage server
- Events can be configured to be archived on the machine housing the 'archived' directory structure; so this database is sometimes also referred to as the 'archive database' even though it may not be archived yet.
- There are two means to "archive" the data. These methods actually mark the data as 'archived' in the catalog
- Auto-archive via the UARM UI
- This process will archive only when the archive settings are reached.
- For example: If you are setting to run the archive "hourly" BUT the minimum number of rows for the hot database to be converted to a warm database not been met, no archiving will take place.
- Look in the archive directory for files from the collector machine. Database files in the archive directory cannot be determined to be archived without using the LMArchive utility or manually running queries on the catalog.
- The LMArchive utility, which is run manually
- This method requires a manual backup of data via a third party tool or simply copying the files to a remote long term storage location. The LMArchive utility is manually run to notify UARM of the names of the databases you backed up and moved.
- More information on the LMArchive utility is available via the UARM published guides (Event Log Database States) and the online help
- A record of this move is created if the auto-archive option is used to copy files to a remote location. Using the option 'Remote CA UARM Server' does not put databases into a cold state.
- If the moved was handled manually, and LMArchive was used to notify UARM; then you will need to defrost the data back to the 'warm' state by running the LMArchive utility using the -notify rest option. This will notify UARM of the defrosted data.
- More information on the cold and defrosted database states is available via the UARM published guides (Event Log Database States) and the online help