Move Log Sources Between Agents
In this topic, the agent that is currently collecting the log source is referred to as the current agent, and the agent the log source is moved to is referred to as the new agent.
- On the main toolbar, click Deployment Manager.
- Click the System Monitors tab.
- Right-click the current agent, click Actions, and then click Service Stop.
Right-click the new agent, click Actions, and then click Service Stop.
Failure to shutdown the agents can result in duplicate log collection.
- Click the Log Sources tab.
- Select the Action check boxes of the log sources you want to move.
- Right-click the selection, click Actions, and then click Move.
The Confirm Move dialog box appears. - Click Yes.
The System Monitor Host Selector window appears. - Select an Entity Filter to populate the System Monitor Host list.
- Select a host from the System Monitor Host list.
- Click OK.
- Wait at least 60 seconds for each Data Processor to detect the change.
- If the log source being moved is Check Point, SDEE, Qualys, Nessus, Metasploit, Retina, eStreamer, or Nexpose, manually move the configuration file from the current Agent host to the new Agent host. This applies only to the following log source types:
- Check Point: OPSEC Log Export API (config/leaconf.cfg)
- SDEE: SDEE configuration file (config/sdee.ini)
- Qualys: Qualys configuration file (config/qualys.ini)
- Nessus: Nessus configuration file (config/nessus.ini)
- Metasploit: Metasploit configuration file (config/metasploit.ini)
- Retina: Retina configuration file (config/retina.ini)
- eStreamer: eStreamer configuration file (config/estreamer.ini)
- Nexpose: Nexpose configuration file (config/nexpose.ini)
- Click the System Monitors tab.
- Right-click the current agent, click Actions, and then click Service Start.
Right-click the new agent, click Actions, and then click Service Start.
Be sure the Agents that receive load balanced log sources are configured to communicate with all Mediators that are used for load balancing for that set of Agents. Configuring these Agents to communicate with only some of the Mediators in the set will result in errors. For more information, see Load Balancing.
- Examine the scsm.log file for each agent to ensure that no errors are logged after the log source move.