Exporting log sources from the main Disconnected Log Collector site to the destination site in Disaster Recovery

If you have a Disaster Recovery (DR) Disconnected Log Collector environment, you must manually export and import log sources from the main site to the destination site.

Procedure

  1. Export the Disconnected Log Collector log sources from your main site.
    1. If you use IBM® QRadar® to manage your log sources, export the log sources from QRadar.
    2. If you manually add log sources to your Disconnected Log Collector, export the log sources from the main site's Disconnected Log Collector by typing the following command:
      /opt/ibm/si/services/dlc/current/script/exportLogSourceConfig.sh
  2. Process the exported log sources so that the destination Disconnected Log Collector can import them by typing the following command:
    /opt/ibm/si/services/dlc/current/script/DR_logsource_export.sh exportedLogSources.json processedLogSources.json <UUID_of_destination_DLC>
  3. Copy the processedLogSources.json file to the destination Disconnected Log Collector, and import it there by typing the following command:
    /opt/ibm/si/services/dlc/current/script/importLogSourceConfig.sh -i processedLogSources.json
  4. Stop the dlc service on the main Disconnected Log Collector site by typing the following command:
    systemctl stop dlc
  5. Copy the /store/persistent_queue/dlc.dlc/* folder from the Disconnected Log Collector on the main site to the destination site.
  6. Copy all the files in the /store/ec/* folder from the Disconnected Log Collector on the main site to the destination site.
  7. When the destination QRadar site is activated, start the Disconnected Log Collector service on the destination site's Disconnected Log Collector.
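
A check that can follow steps 5 and 6, as an added example that is not part of the IBM procedure: it records SHA-256 hashes of the copied directories on the main site and confirms on the destination that no file is missing, extra or altered before the service is started. The function names and the manifest file names under /root are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): integrity check for the directories copied
# in steps 5 and 6. Function names and manifest paths are assumptions.
#
# On the main site, after "systemctl stop dlc":
#   make_manifest /store/persistent_queue/dlc.dlc /root/queue.sha256
#   make_manifest /store/ec /root/ec.sha256
# On the destination site, after the copy and before starting dlc:
#   verify_manifest /store/persistent_queue/dlc.dlc /root/queue.sha256
#   verify_manifest /store/ec /root/ec.sha256

# make_manifest DIR OUTFILE
# Hash every regular file under DIR. Paths are stored relative to DIR and
# sorted, so manifests built on two hosts can be compared byte for byte.
# Write OUTFILE outside DIR so the manifest does not hash itself.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# verify_manifest DIR MANIFEST
# Returns 0 only when DIR holds exactly the files listed in MANIFEST with
# identical hashes. Missing, extra and modified files all return 1, and the
# differing manifest lines are written to stderr.
verify_manifest() {
    dir=$1
    manifest=$2
    tmp=$(mktemp) || return 2
    make_manifest "$dir" "$tmp"
    if cmp -s "$manifest" "$tmp"; then
        rc=0
    else
        diff "$manifest" "$tmp" >&2 || true
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Transfer the manifest files separately from the data they describe, so that a truncated or tampered copy cannot carry a matching manifest with it.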

Results

When your export is successful, you get a message similar to this example:
The file <JSON_file_name> has been created and can be imported into a DLC with uuid <UUID_number>
When your import is successful, you get a message similar to this example:
Importing from file '<JSON_file_name>'
Import Information
        DLC Name         : 
        DLC Description  : 
        DLC UUID         : 
        DLC Version      : 
        Generated On     : 
        Log Source Count : 
New configuration was saved to '/root/<log_source_JSON>'
Successfully validate log source file '<log_source_JSON>'