000026652 - How to back up appliances and services prior to upgrading RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000026652
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Core Appliance, Security Analytics Server, Reporting Engine, Event Stream Analysis (ESA), Malware Analysis, Warehouse Connector
RSA Version/Condition: 10.3.x
Platform: CentOS
O/S Version: EL5, EL6
Tasks: How to back up RSA Security Analytics appliances and services prior to an upgrade.

How do I back up my RSA Security Analytics devices before performing a version upgrade?
Resolution

It is recommended that the steps below be followed to back up all RSA Security Analytics appliances and services before performing a version upgrade.


Back Up Core Devices


To create a backup of configuration files for Decoder, Log Decoder, Archiver, Concentrator, and Broker devices, follow the steps below.


  1. Connect to the appliance via SSH as the root user.
  2. Navigate to the /tmp directory, if necessary, with the following command:  cd /tmp
  3. Issue the following command to create a bz2 file containing the necessary configuration files:  tar -C / --exclude='Geo*.dat' -cvjf etc-Netwitness.tar.bz2 /etc/netwitness/ng
       NOTE:  The command excludes the Geo*.dat files, which are large and included in every Core RPM.

 


Back Up Event Stream Analysis (ESA) Device


To create a backup of the configuration and database files for the ESA device, follow the steps below.


  1. Connect to the appliance via SSH as the root user.
  2. Navigate to the /tmp directory, if necessary, with the following command:  cd /tmp
  3. Issue the command below to create a single tar.gz file containing all subdirectories under /opt/rsa/esa, excluding logs, db, bin, and lib.
    tar -C / --exclude=/opt/rsa/esa/logs --exclude=/opt/rsa/esa/db --exclude=/opt/rsa/esa/bin --exclude=/opt/rsa/esa/lib -cvjf esa.tar.gz /opt/rsa/esa


      
    NOTE:  ESA alert data is stored in the co-located PostgreSQL database entitled esa.  For details on backing up and restoring the database, refer to the PostgreSQL official website.

 


Back Up Log Collector Device


To create a backup of the configuration and database files for the log collector device, follow the steps below.


  1. Follow these steps to create a backup of the log collector configuration files:

    1. Connect to the appliance via SSH as the root user.
    2. Navigate to the /tmp directory, if necessary, with the following command:  cd /tmp
    3. Issue the following command to create a tar.gz file containing all subdirectories under /etc/netwitness/ng:  tar cvjf etc-ng.tar.gz /etc/netwitness/ng
           NOTE:  This includes the service configuration, ODBC configuration, the event source trust store, log collector content, the lockbox, and keys/certificates.  This directory also contains the configuration for RabbitMQ.
  2. Follow these steps to create a backup of the log collector database files:

    1. Connect to the appliance via SSH as the root user.
    2. Navigate to the /tmp directory, if necessary, with the following command:  cd /tmp
    3. Issue the following command to create a tar.gz file containing all subdirectories under /var/netwitness/logcollector:  tar cvjf var-logcollector.tar.gz /var/netwitness/logcollector
           NOTE:  This includes any persisted event data, collection run-time state (log positions, etc.), and uploaded and unprocessed event sources, RabbitMQ's mnesia database, and the data files generated by NextGen Core.

 


Back Up Malware Analysis Device


To create a backup of the configuration and database files for the malware analysis device, follow the steps below.


  1. Follow these steps to create a backup of the malware analysis configuration files:

    1. Connect to the appliance via SSH as the root user.
    2. Navigate to the /tmp directory, if necessary, with the following command:  cd /tmp
    3. Issue the following command to create a tar file containing the files in the directory /var/lib/netwitness/rsamalware:  tar -cvf rsamalware.tar /var/lib/netwitness/rsamalware
    4. Issue the following command to create a tar file containing the /etc/init/rsaMalwareDevice.conf file:  tar -cvf rsamalwareconf.tar /etc/init/rsaMalwareDevice.conf
  2. Follow these steps to create a backup of the malware analysis database files:

    1. Connect to the appliance via SSH as the root user.
    2. Navigate to the /tmp directory, if necessary, with the following command:  cd /tmp
    3. Back up the appropriate directory below, based on the type of device.
           Co-Located Device:    Back up the directory /var/lib/netwitness/rsamalware to back up the database, as H2 is used.
           Standalone Appliance:  Back up the directory /var/lib/pgsql/9.1/data to back up the database, as PostgreSQL is used.  It is recommended that this backup be performed on a daily basis.

 


Back Up Reporting Engine Device


To create a full backup of the configuration and database files for the reporting engine device, follow the steps below.


  1. Connect to the appliance via SSH as the root user.
  2. Navigate to the /tmp directory, if necessary, with the following command:  cd /tmp
  3. Issue the following command to create a tar.gz file containing the content in the /home/rsasoc directory:  tar cvjf re.tar.gz /home/rsasoc

NOTE:  To back up only the configuration files and exclude the report results and history, issue the command below.
 


tar -C / --exclude=/home/rsasoc/rsa/soc/reporting-engine/resultstore --exclude=/home/rsasoc/rsa/soc/reporting-engine/livecharts --exclude=/home/rsasoc/rsa/soc/reporting-engine/alerts --exclude=/home/rsasoc/rsa/soc/reporting-engine/statusdb --exclude=/home/rsasoc/rsa/soc/reporting-engine/logs --exclude=/home/rsasoc/rsa/soc/reporting-engine/temp -cvjf refiles.tar.gz /home/rsasoc/rsa/soc/reporting-engine

 


Back Up Security Analytics Server


To back up the configuration and database files for the RSA Security Analytics server (broker) appliance, follow the steps below.



  1. Follow these steps to create a backup of the Security Analytics server database files:

    1. Connect to the appliance via SSH as the root user.
    2. Navigate to the /var/lib/netwitness/uax/db directory with the following command:  cd /var/lib/netwitness/uax/db
    3. Obtain the H2 jar file needed to manipulate the database with the following command:  wget https://repo1.maven.org/maven2/com/h2database/h2/1.3.172/h2-1.3.172.jar
    4. Stop the Jetty web server with the following command:  stop jettysrv
           CAUTION:  This will interrupt user activity until the service is restarted.
    5. Issue the following command to create a backup of the database:  java -cp ./h2-1.3.172.jar org.h2.tools.Backup -file /tmp/saserver.db.bak
    6. Start the Jetty web server with the following command:  start jettysrv
  2. Follow these steps to create a backup of the Security Analytics server configuration files:

    1. Connect to the appliance via SSH as the root user.
    2. Navigate to the /tmp directory, if necessary, with the following command:  cd /tmp
    3. Issue the command below to create a tar.gz file that contains the file nodeSecret and the subdirectories conf, lib, logs, plugins, scheduler, and security-policy under /var/lib/netwitness/uax.
      tar cvjf saserver.tar.gz /var/lib/netwitness/uax/nodeSecret.* /var/lib/netwitness/uax/conf /var/lib/netwitness/uax/lib /var/lib/netwitness/uax/logs /var/lib/netwitness/uax/plugins /var/lib/netwitness/uax/scheduler /var/lib/netwitness/uax/security-policy
  3. Follow these steps to back up the Jetty 9 keystore and jetty-ssl.xml files:
       NOTE:  This is only necessary if a public CA certificate has been installed on the Security Analytics server to replace the existing self-signed SSL certificate.

    1. Connect to the appliance via SSH as the root user.
    2. Navigate to the home directory, if necessary, with the following command:  cd ~
    3. Issue the following command to create a tar file containing the two files:  tar -cvf jetty-ssl.tar /opt/rsa/jetty9/etc/keystore /opt/rsa/jetty9/etc/jetty-ssl.xml


Back Up Warehouse Connector Device


To back up the configuration and database files for the warehouse connector device, follow the steps below.


  1. Follow these steps to create a backup of the warehouse connector configuration files:

    1. Connect to the appliance via SSH as the root user.
    2. Navigate to the /tmp directory, if necessary, with the following command:  cd /tmp
    3. Issue the following command to create a tar.gz file containing the lockbox folder under /etc/netwitness/ng:  tar cvjf wc-lockbox.tar.gz /etc/netwitness/ng/lockbox
    4. Issue the command below to create a tar.gz file containing the files NwWarehouseconnector.cfg, multivalue-bootstrap.xml, and multivalue-users.xml (if present), which are stored under /etc/netwitness/ng.
      tar -C /etc/netwitness/ng -cvjf wc-files.tar.gz NwWarehouseconnector.cfg multivalue-bootstrap.xml multivalue-users.xml
  2. Follow these steps to create a backup of the warehouse connector database files:

    1. Connect to the appliance via SSH as the root user.
    2. Navigate to the /tmp directory, if necessary, with the following command:  cd /tmp
    3. Issue the following command to create a tar.gz file containing the content under /var/netwitness/warehouseconnector:  tar cvjf var-warehouseconnector.tar.gz /var/netwitness/warehouseconnector

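
The steps above leave archives that hold the lockbox, keys/certificates, nodeSecret and the Jetty keystore in /tmp and in the root home directory. The following added example (not part of the RSA article) checks that each archive can be read to the end, restricts it to its owner and records a SHA-256 checksum; the function names and the manifest path are assumptions, as is the availability of GNU tar, od and sha256sum on the appliance.

```shell
#!/bin/bash
# Added example (not from the RSA article). Assumes GNU tar, od and
# sha256sum on the appliance; function names are illustrative.

# Report the real container format from magic bytes, not the file name:
# the article's "tar cvjf NAME.tar.gz" commands write bzip2 data (-j)
# into files named .tar.gz.
archive_format() {
    local magic
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        425a68) echo bzip2 ;;   # "BZh"
        1f8b*)  echo gzip ;;
        504b*)  echo zip ;;     # "PK": org.h2.tools.Backup writes a zip
        *)      echo tar ;;     # treated as uncompressed tar (tar -cvf)
    esac
}

# Usage: verify_backup ARCHIVE MANIFEST
# Fails if the archive is missing, empty or cannot be read to the end;
# otherwise makes it owner-only and appends "SHA256  FORMAT  PATH".
verify_backup() {
    local file="$1" manifest="$2" fmt
    [ -s "$file" ] || { echo "MISSING OR EMPTY: $file" >&2; return 1; }
    fmt=$(archive_format "$file")
    case "$fmt" in
        bzip2) tar -tjf "$file" >/dev/null 2>&1 ;;
        gzip)  tar -tzf "$file" >/dev/null 2>&1 ;;
        tar)   tar -tf  "$file" >/dev/null 2>&1 ;;
        zip)   ! command -v unzip >/dev/null 2>&1 ||
               unzip -tq "$file" >/dev/null 2>&1 ;;
    esac || { echo "UNREADABLE ($fmt): $file" >&2; return 1; }
    # These archives hold the lockbox, keys/certificates, nodeSecret and
    # the Jetty keystore; with a typical root umask of 022 they are
    # created world-readable.
    chmod 600 "$file"
    printf '%s  %s  %s\n' \
        "$(sha256sum "$file" | cut -d' ' -f1)" "$fmt" "$file" >>"$manifest"
}

# Example run over the file names used above (manifest path is hypothetical):
#   for f in /tmp/*.tar* /tmp/saserver.db.bak /root/jetty-ssl.tar; do
#       verify_backup "$f" /root/sa-backup.sha256 || echo "check $f"
#   done
```

Copy the manifest off the appliance together with the archives so the checksums can be compared again before a restore.
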
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
Notes: Instructions to back up and restore data for appliances and services can also be found in the RSA Security Analytics 10.4 User Guide.
Legacy Article ID: a67188
