Change the Location of Event Data Logs
By default, an organization's instance of Umbrella saves event data logs to Cisco's California data warehouse location. You can change the location of the data warehouse for your organization from North America to Europe at any time.
Only event data is stored to the data warehouse. This is any data that might appear in an Umbrella report. Configuration data, such as audit logs and policy settings remains stored by Cisco in California regardless of a change to the data warehouse's location.
Data warehouse configuration settings are only managed through the Umbrella dashboard. The Multi-org console has no data warehouse configuration settings. However, when an organization's data warehouse location changes to Europe, the Multi-org console's reporting options change. Once changed, you can select that reports are generated based on either the North American or European storage region. This allows for the accommodation of a Multi-org that manages organizations in both regions.
Implications When You Change Data Warehouse Locations
When you change the location of the data warehouse from North America to Europe or Europe to North America, the data that the organization's Umbrella dashboard uses changes. Because Umbrella's various reports use the data saved to logs that are stored to the data warehouse, only data from the data warehouse's current location is available to Umbrella to generate reports. Existing logs do not change locations. Data stored in North America stays in North America. Data stored to Europe stays in Europe. In Umbrella, to generate reports using data from the previous data warehouse location, you must change the data warehouse location back to the previous location.
For reports generated from the Multi-org console, if you change the data warehouse location for an organization, you are given options through the Multi-org console's reports to generate reports either for organizations using the North American located data warehouse or the European located data warehouse.
Caution
Although you can change back from the European data warehouse location to the North American data warehouse location, we do not recommend this procedure. Changing back and forth between data warehouse locations results in the splitting of Umbrella event data between locations. This splitting lessons the accuracy of Umbrella's reports. We strongly recommend that once you change the location of your data warehouse from North America to Europe that you do not change back, unless the change back is intended to be permanent..
Note: When you change the data warehouse's location in Umbrella, Umbrella's reporting functionality is temporarily suspended while the switchover to a new location occurs. For activity search data, the switchover period lasts only a few minutes; however, other reporting data may take several hours to begin appearing in reports.
Log Retention
Logs are deleted when the retention date expires:
- 30 days for detailed data
- Two years for summary data
Logs are not deleted when you change the data warehouse location.
Prerequisites
- Full administrative access to the Multi-org console
- Full administrative access to the organization's Cisco Umbrella dashboard.
Change Data Warehouse Locations
- In the Multi-org console, navigate to Org Management and click an organization Name.
Clicking an organization's name opens that organization's instance of the Umbrella dashboard.
- In Umbrella, navigate to Admin > Log Management and under Data Storage click Change Location.
- Select a new location and click Next.
- Confirm that you understand the consequences of changing the location where logs are physically stored and click Change.
The data warehouse location is changed and Umbrella now stores event data logs to this new location. Logging to the old location stops.
Note: Logs stored at the previous location are not deleted until the retention period expires—30 days for detailed data and two years for summary data.
Changing the data warehouse location from North America to Europe results in Multi-org reports updating so that you can generate reports for either the North American or European regions. But not both at the same time.
Enable Logging to a Cisco-managed S3 Bucket < Change the Location of Event Data Logs > Stop Logging
Updated about 1 year ago