About the PCE Databases
This section describes concepts you need to know to successfully administer the PCE databases.
Policy and Traffic Data Databases
The PCE uses two databases: one for policies and the other for traffic flow data. Both databases need to be backed up or restored.
Database | Summary of Command | Notes |
---|---|---|
Policy | | Backs up the policy database. |
Traffic | | Back up the traffic database by adding the |
Data Retention of Traffic Flow Summaries
The PCE removes traffic flow data summaries (used by the Explore features in the PCE web console) when these conditions occur:
The disk size of the traffic flow summaries exceeds the disk space allocated for the data.
The traffic data database has been inactive for 90 days.
When Flowlink is used, the following limits apply on traffic data:
The default storage limit on traffic data from all of an organization's Flowlink servers is 500MB.
The default storage size limit is based on the number of server VENs, endpoints, and container VENs. Kubelink flows (from container VENs) are grouped with server and endpoint flows.
When the storage limit or the 90-day limit is reached, traffic flow data is pruned. The order of pruning is first data from endpoints, then Kubelink, and lastly Server VENs.
Determine the Primary Database
Policy Database
Run the following command to determine the primary policy database:
sudo -u ilo-pce illumio-pce-db-management show-master
Traffic Database
Run the following command to determine the primary traffic database:
sudo -u ilo-pce illumio-pce-db-management traffic show-master
Show Database Replication Information
Run the following command to view information about data replication between the primary and replica databases:
sudo -u ilo-pce illumio-pce-db-management show-replication-info
Rotate Database Passwords and Other Secrets
At any time, an Illumio Administrator can rotate the PCE database passwords and other auto-generated secrets used within the PCE. The new secrets take effect when the PCE is restarted. To rotate secrets, run the following command on any node:
sudo -u ilo-pce illumio-pce-ctl rotate-secrets
In a Supercluster, run this command once for each region.
Anonymize Database Export
You can anonymize the database dump file to protect confidential data before sending it to Illumio Customer Support for troubleshooting purposes. You can safely share policy and configuration data with Illumio for support requests. Sensitive data, such as usernames, passwords, and IP addresses, is masked.
Dump the policy or traffic database by running one of the following commands.
Policy database
sudo -u ilo-pce /opt/illumio_pce/illumio-pce-db-management dump --file backup_filename
Traffic database
sudo -u ilo-pce /opt/illumio_pce/illumio-pce-db-management traffic dump --for-masking --file traffic_backup_filename
Anonymize the policy or traffic dump file by running one of the following commands.
Policy dump file
sudo -u ilo-pce /opt/illumio_pce/illumio-pce-db-management mask-db-dump --in-file backup_filename --out-file masked_filename --dict-file dictionary.txt --tmpdir path_to_alternate_tmp_dir
Traffic dump file (add the --traffic flag)
sudo -u ilo-pce /opt/illumio_pce/illumio-pce-db-management mask-db-dump --traffic --in-file backup_filename --out-file masked_filename --dict-file dictionary.txt --tmpdir path_to_alternate_tmp_dir
Optional --tmpdir parameter
The /tmp directory stores intermediate files and can sometimes run out of space. Use --tmpdir to specify an alternate temporary directory with adequate space.
Example command output
Dictionary file /home/pce/dictionary.txt will be created
Reading /home/pce/backup.july.11.2019.tar.bz2
Processing avenger_fileserver_dev.sql
Processing avenger_executor_dev.sql
Processing avenger_ops_dev.sql
Processing avenger_events_dev.sql
Processing avenger_agent_dev.sql
Processing avenger_login_dev.sql
Processing dump-info
Processing avenger_node.uuid
Processing avenger_cluster.uuid
Writing /home/pce/masked_backup.july.11.2019.tar.bz2
Writing dictionary file /home/pce/dictionary.txt
Done
Send the anonymized output file named in --out-file to Illumio Customer Support.
Caution
Do not send the dictionary file to Illumio (dictionary.txt in the command above). Retain it at your own site. It contains the mapping from the unmasked data to the masked data.
Illumio recommends consistently using the same dictionary file. This approach ensures that the same value is consistently masked and you can compare changes between different masked database dumps.
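As an added illustration of why the dictionary file matters (example code written for this page, not Illumio's mask-db-dump implementation): a small dictionary-based masker that gives the same value the same pseudonym across two dumps when the dictionary file is reused, so the masked dumps can be compared, while the real-to-masked mapping lives only in that file with owner-only permissions. The value patterns, token format and sample rows are constructed for the example.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Value kinds the page says are masked: usernames, passwords and IP addresses.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KEYED = re.compile(r"\b(username|password)=([^\s,]+)")

def load_dictionary(dict_path):
    p = Path(dict_path)
    return json.loads(p.read_text()) if p.exists() else {}

def save_dictionary(dict_path, mapping):
    # The real-to-masked mapping is the secret; keep it owner-readable only.
    Path(dict_path).write_text(json.dumps(mapping, indent=1, sort_keys=True))
    os.chmod(dict_path, 0o600)

def mask_line(line, mapping):
    """Replace each sensitive value with a stable token, extending the mapping."""
    def token(kind, value):
        if value not in mapping:
            mapping[value] = f"{kind}_{len(mapping) + 1:04d}"
        return mapping[value]
    line = KEYED.sub(lambda m: f"{m.group(1)}={token(m.group(1)[:4], m.group(2))}", line)
    return IPV4.sub(lambda m: token("ip", m.group(0)), line)

def mask_dump(in_lines, dict_path):
    """Mask one dump with a possibly pre-existing dictionary file (the role
    of --dict-file on the page) and return the masked lines."""
    mapping = load_dictionary(dict_path)
    masked = [mask_line(line, mapping) for line in in_lines]
    save_dictionary(dict_path, mapping)
    return masked

# Constructed sample rows standing in for two dumps taken a month apart.
DUMP_JULY = ["username=alice,password=Hunter2,ip=10.0.1.5", "username=bob,ip=10.0.1.6"]
DUMP_AUGUST = ["username=alice,password=Hunter2,ip=10.0.1.5", "username=carol,ip=10.0.1.7"]

def demo(dict_path=None):
    """Mask both dumps with one retained dictionary; return (july, august, mapping)."""
    if dict_path is None:
        dict_path = os.path.join(tempfile.mkdtemp(), "dictionary.json")
    july = mask_dump(DUMP_JULY, dict_path)
    august = mask_dump(DUMP_AUGUST, dict_path)
    return july, august, load_dictionary(dict_path)
```

Masking the August dump with a fresh dictionary instead would renumber alice's token, and a diff between the two masked dumps would show changes that do not exist.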
View Events Using PCE Command Line
You can view events using the PCE command line.
Run the following command at any runlevel to display:
The total number of events
The average number of events per day
sudo -u ilo-pce illumio-pce-db-management events-db events-db-show
Run the following command at any runlevel to display:
The amount of disk space used by events
The total number of events
The disk usage based on type of event
sudo -u ilo-pce illumio-pce-db-management events-db disk-usage-show
Example
illumio-pce-db-management events-db disk-usage-show
Reading /opt/pce_config/etc/runtime_env.yml.
INSTALL_ROOT=/var/illumio_pce
RENV=development
Events database disk usage summary:
Number of events: 6
Average number of events per day: 6
Total disk usage: 0.539 MB (565248.0 bytes)
Disk usage by event_type:
+----------------------------------+-------+------------+
| Event Type                       | Count | Disk Usage |
+----------------------------------+-------+------------+
| system_task.prune_old_log_events | 1     | 0.090 MB   |
| user.login                       | 1     | 0.090 MB   |
| user.logout                      | 1     | 0.090 MB   |
| user.sign_in                     | 1     | 0.090 MB   |
| user.sign_out                    | 2     | 0.180 MB   |
+----------------------------------+-------+------------+