sa_backup-1.0.9 - backup tool for Security Analytics 10.3, 10.4, 10.5

Document created by RSA Admin Employee on Sep 8, 2015. Last modified by RSA Admin Employee on Sep 14, 2015. Version 4.

sa_backup is a tool that backs up the configuration of all Security Analytics components present on the appliance. Tested with versions 10.3, 10.4 and 10.5.

NOTE: This solution has not been qualified by RSA.

Pushed a new release that fixes a bug: MongoDB was not identified.

New releases 1.0.7 - 1.0.9! New features:

  • Command line options,
  • Configuration file to enable/disable backup of components,
  • Custom user files backup,
  • Test mode,
  • TAR progress indication,
  • One component backup option. See the change log for more details.


Attached and also available on GitHub:

The direct GitHub link to the script (so it can be fetched with wget):

This has been tested when restoring on the same appliance and a fresh/re-imaged appliance (RMA-like scenario).

The tool does NOT do:

- Remote backup (on its way)
- Backup of the SA data (nw*db files)
- Backup of a license server (fneserver)

Restoring is still manual. You need to extract all tar.gz files using:

tar -C / -xvphzf backup.tar.gz

To restore MongoDB extract the mongo dump directory and run:

mongorestore -v --drop mongodb-dump.2015-06-07-22-40

Note: on an ESA appliance, to be able to restore the entire db dump you need to temporarily disable authentication in /etc/tokumx.conf:

sed -i "s/\(auth *= *\).*/\1false/" /etc/tokumx.conf
service tokumx restart

After the restore has been done, enable authentication again:

sed -i "s/\(auth *= *\).*/\1true/" /etc/tokumx.conf
service tokumx restart
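As an added example (not part of the sa_backup script or this post), the restore steps above wrapped in POSIX shell functions: the sed edit is verified instead of trusted, and a trap re-enables authentication even if mongorestore fails. It assumes the archive, dump directory and TokuMX config path are passed as arguments and that the config contains a line of the form "auth = true|false".

```shell
#!/bin/sh
# Added example built around the manual restore steps; not the tool's own code.

# set_tokumx_auth CONF VALUE: rewrite the "auth = ..." line and verify it.
set_tokumx_auth() {
    cfg="$1"; want="$2"
    sed -i "s/\(auth *= *\).*/\1${want}/" "$cfg"
    # If the config has no auth line, sed is a silent no-op and a later
    # mongorestore would fail against an authenticated instance; fail here.
    grep -q "^auth *= *${want}\$" "$cfg"
}

# restore_backup ARCHIVE DUMP_DIR [TOKUMX_CONF]
#  1. extract the configuration tarball over / (same flags as above)
#  2. on ESA (config path given): disable auth only for the duration of the
#     mongorestore and turn it back on at exit, even if the restore fails
restore_backup() {
    archive="$1"; dump="$2"; conf="$3"
    tar -C / -xvphzf "$archive" || return 1
    if [ -n "$conf" ]; then
        set_tokumx_auth "$conf" false || return 1
        service tokumx restart
        trap 'set_tokumx_auth "$conf" true; service tokumx restart' EXIT
    fi
    mongorestore -v --drop "$dump"
}
```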

In conjunction with this backup tool I am working on a restore tool. Any feedback or contribution will be greatly appreciated.


  • The following components are backed up:
    • OS configuration files:
      • /etc/sysconfig/network-scripts/ifcfg-*[0-9] - HWADDR is disabled
      • /etc/sysconfig/network
      • /etc/hosts
      • /etc/resolv.conf
      • /etc/ntp.conf
      • /etc/fstab - renamed to fstab.{hostname} to prevent overwriting the original fstab
      • /etc/krb5.conf
    • Puppet configuration (puppetmaster, puppet client, ssl files, node_id, puppet.conf, csr_attributes.yaml, mcollective configuration)
    • Core Appliance Services configuration (/etc/netwitness/ng)
    • SA server configuration (/var/lib/netwitness/uax, jetty keystore, jetty-ssl.xml)
    • Reporting Engine (configuration only or full backup (optional))
    • RabbitMQ server (mnesia database, configuration files for 10.3)
    • MongoDB (entire dump of the mongodb instance of SA or ESA servers)
    • PostgreSQL database (10.3)
    • Malware Analysis
    • ESA server
    • System Management Service (SMS)
    • Incident Management (IM)
    • Log Collector (configuration and statDB)
    • Warehouse Connector
  • Preserves the initial service status (start/stop)
  • Logs errors to syslog
  • Will not start backup if the script is already running
  • Removes archives older than "n" days.
  • Logs the progress to a file
  • Rotates log file
  • Command line arguments - see the usage information.
  • Inline or file configuration to enable/disable backup of components
  • Option to backup custom user files
  • Test mode


This script must be run as the "root" user. Edit the initialization section in the script before running it, or use a configuration file.

./ [OPTION...]
Please modify the configuration section in the script or use an external configuration file.

Examples:
  sa_backup --config=backup.conf --verbose
  sa_backup --backuponly=core

Main operation mode:
-c, --config=CONFIG_FILE      Use configuration file
-b, --backuponly=COMPONENTS   Backup only specified components:
                                  core - Core services
                                  sys - OS configuration
                                  puppet - puppet master/agent configuration
                                  rabbitmq - rabbitmq configuration
                                  mongo - MongoDB/tokumx dump
                                  jetty - SA application server settings
                                  re - Reporting Engine
                                  malware - Malware Analysis configuration
                                  esa - Event Stream Analysis configuration
                                  im - Incident Management configuration
                                  sms - System Management System
                                  lc - Log collector
                                  whc - Warehouse connector
                                  pgqsl - PostgreSQL database
-t, --test                    Test mode; no backup performed
-v, --verbose                 tar verbose switch
-?, -h, --help                Give this help list

Version history

Changelog version 1.0.8:

  • * Fixed a typo in the ESA backup configuration

Changelog version 1.0.7:

  • + Added command line arguments
  • + Added a configuration file to enable/disable backup of components
  • + Added a new option to backup custom user files
  • + Added a test mode
  • * Fixed: Cleanup removing non-backup folders
  • * Exclude core files from the Warehouse connector backup
  • + Added a tar progress indication
  • * Improved Reporting Engine exclusion list
  • * Code refactoring around components detection
  • + Added option to backup only one component - see the usage

Changelog version 1.0.6:

  • * Optimized the core services backup. Saving files without stopping services.
  • * SA server backup consolidated into a single file including: uax, jetty and carlos keystores.
  • * Fixed RSA SMS backup - added db directory.
  • * Changes around puppetmaster backup. Fuller backup.
  • * Disabled a single tar creation as redundant.

Changelog version 1.0.5:

  • * Bug fixes: mcollective backup; single tar creation and cleanup.

Changelog version 1.0.4:

  • + Added RSA SMS backup
  • * Fixed puppetmaster backup (added entire /etc/puppet)
  • + tarball all archives in a single file
  • + Added mcollective backup
  • * Now taking ifcfg-*[0-9] instead of ifcfg-eth*
  • + Disabling HWADDR parameter in network configuration scripts before archiving
  • * Added support for 10.5

Changelog version 1.0.3:

  • * Fixed SA version check

Changelog version 1.0.2:

  • * Fixed removing old archives
  • + SA version check (based on Joshua Newton code)
  • + Improved user/log output. Added list of components to be backed up
  • + Improved RabbitMQ configuration backup
  • + Added support of 10.3
  • + Added PostgreSQL backup for 10.3

Changelog version 1.0.1:

  • + Code refactoring around service start/stop
  • * Bug fixes


Version 1.0.0 - Initial version