Add a Data Processor to Restore Archives

Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

LogRhythm allows archive files to be restored to a Data Processor to facilitate log analysis and data forensics after the time to live (TTL) of the logs has expired. This system allows near-online access to log data for as long and as far back as you want by maintaining a copy of a Data Processor's Archive files.

Log Archives should not be restored to an actively capturing Data Processor. Instead, LogRhythm provides a special Operation Mode for a Data Processor, called Online Archive. In this Operation Mode, a Data Processor is online for use in Archive restoration and analysis.

  1. On the main toolbar, click Deployment Manager.
  2. Click the Data Processors tab.
    If you need to add a new Data Processor, see Add a Data Processor.
  3. Double-click the Archive Data Processor and set its properties as follows:
    • Select the appropriate host. This sets the IP address automatically.
    • Select the appropriate platform for the Data Processor.
    • Name the Data Processor so that it is clearly identified as being for restoring archives, for example by adding the word Restore to the end of the name.

      When naming the Data Processor for Restoring Archives, do not use a backslash "\" in the name.
    • Set the Operating Mode to Online Archive.
  4. Click OK.
    The Restore Data Processor is now created and listed in the Data Processors grid. It is unlicensed, which is expected for an Online Archive Data Processor.