000030031 - How to Backup and Restore the Security Analytics Server

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030031
Applies To: Security Analytics Server 10.4.x.x

Security Analytics Head-Unit 10.4.x.x
Issue: This procedure can be used to back up a Security Analytics 10.4.x.x Server (aka "head unit") and restore it to a new device. It does not cover the Broker service that runs on some SA Servers. To back up a core appliance, see the SA documentation at http://sadocs.emc.com/0_en-us/090_10.4_User_Guide/215_SysAdmin/BackupRest/CoreApplBupRecov



This article provides supplemental information to address current deficiencies in the SA Docs on this subject.
Resolution

I Backup Process Overview:


To back up your SA Server you will need to back up the following items: Jetty, Reporting Engine, Live, ESA (if applicable), Incident Management (if applicable), IPDB Extractor (if applicable).

1) Back up Jetty


To back up Jetty, perform the following tasks via the SSH command line:
  1. Stop the web server: stop jettysrv
  2. Back up the H2 database with the H2 tool jar. The Backup tool operates on the database files in the current directory, so change into it first:
     cd /var/lib/netwitness/uax/db
     java -cp /home/rsasoc/h2-1.3.172.jar  org.h2.tools.Backup -file /home/rsasoc/jettydb.backup
  3. Archive the remaining Jetty files. The -j flag makes this a bzip2 archive despite the .tar.gz name, so the restore step extracts it with -j as well. The archive also contains the nodeSecret* files, so treat the backup set as sensitive:
     tar --atime-preserve --recursion -cvphjf /home/rsasoc/saserver.tar.gz /var/lib/netwitness/uax/nodeSecret* /var/lib/netwitness/uax/conf /var/lib/netwitness/uax/lib /var/lib/netwitness/uax/logs /var/lib/netwitness/uax/plugins /var/lib/netwitness/uax/scheduler /var/lib/netwitness/uax/security-policy

2) Back up Reporting Engine


To back up the Reporting Engine, perform the following tasks via the SSH command line:
  1. Stop the Reporting Engine service: stop rsasoc_re
  2. Archive the Reporting Engine directory (again bzip2 via -j; the --exclude pattern has no leading slash because tar strips the leading slash from member names):
     tar --atime-preserve --recursion -cvphjf /home/rsasoc/re.tar.gz --exclude='home/rsasoc/rsa/soc/reporting-engine/temp' /home/rsasoc/rsa

3) Back up Mongo Database


In Security Analytics 10.4, ESA rules and some Jetty web server data are stored in the MongoDB instance on the SA server. To back up the MongoDB data on the SA server, perform the following tasks via the SSH command line:
  1. service rsa-im stop
  2. mongodump -vvvv -o /home/rsasoc/alert-db
  3. tar -zcvf /home/rsasoc/alert-db.tar.gz /home/rsasoc/alert-db   (gzip via -z, unlike the two bzip2 archives above)

4) Other Items of Significance


After all of these files have been created in /home/rsasoc, scp them to a safe location. The set includes the nodeSecret* files and the Jetty database, so restrict its permissions and keep it on a trusted host. Once that is completed, ensure the following information is recorded:
  1. Live account username and password
  2. A list of IP addresses/FQDNs for all of your SA devices
  3. If you are using the IPDB Extractor service, the passwords it is configured with
  4. The files to copy off the system:
  • alert-db.tar.gz
  • h2-1.3.172.jar
  • jettydb.backup
  • re.tar.gz
  • saserver.tar.gz
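The backup steps above collected into one script, as an added example rather than RSA-supplied code. It runs the same commands in the same order, then writes a SHA-256 manifest so the set can be checked again after it is copied off the box, and makes the files owner-readable only because the set contains the nodeSecret* files. Assumptions not stated in the article: the H2 jar path and output directory come from the H2_JAR and OUT variables with the defaults shown, services are restarted once the backup is written, and the SHA256SUMS file name and the `run` argument guard are this example's own.

```shell
#!/bin/sh
# sa_backup.sh - the SA 10.4 head-unit backup steps from the article, run in order.
# Added example, not RSA-supplied code.
# Assumptions (not stated in the article): H2_JAR and OUT defaults below, services are
# restarted once the backup is written, and a SHA256SUMS manifest plus chmod 600 are
# added because the set includes the nodeSecret* files.
set -eu

H2_JAR=${H2_JAR:-/home/rsasoc/h2-1.3.172.jar}
OUT=${OUT:-/home/rsasoc}
UAX=/var/lib/netwitness/uax

# The five files the article says to copy off the system.
BACKUP_SET="alert-db.tar.gz h2-1.3.172.jar jettydb.backup re.tar.gz saserver.tar.gz"

backup_jetty() {
    stop jettysrv
    # org.h2.tools.Backup zips the database files found in the current directory.
    ( cd "$UAX/db" && java -cp "$H2_JAR" org.h2.tools.Backup -file "$OUT/jettydb.backup" )
    # -j: bzip2, as in the article, even though the name ends in .tar.gz;
    # the matching restore must extract with -j, not -z.
    tar --atime-preserve --recursion -cvphjf "$OUT/saserver.tar.gz" \
        "$UAX"/nodeSecret* "$UAX/conf" "$UAX/lib" "$UAX/logs" \
        "$UAX/plugins" "$UAX/scheduler" "$UAX/security-policy"
}

backup_re() {
    stop rsasoc_re
    # No leading slash in the --exclude pattern: tar strips it from member names.
    tar --atime-preserve --recursion -cvphjf "$OUT/re.tar.gz" \
        --exclude='home/rsasoc/rsa/soc/reporting-engine/temp' /home/rsasoc/rsa
}

backup_mongo() {
    service rsa-im stop
    mongodump -vvvv -o "$OUT/alert-db"
    tar -zcvf "$OUT/alert-db.tar.gz" "$OUT/alert-db"   # gzip (-z) this time
}

restart_services() {
    start jettysrv
    start rsasoc_re
    service rsa-im start
}

# write_manifest DIR FILE... : record the SHA-256 of each file in DIR/SHA256SUMS and
# make the whole set owner-readable only.
write_manifest() {
    dir=$1; shift
    ( cd "$dir" && sha256sum "$@" > SHA256SUMS )
    ( cd "$dir" && chmod 600 SHA256SUMS "$@" )
}

# verify_manifest DIR : succeed only if every file listed in DIR/SHA256SUMS still
# matches. Run it again on the host the set was scp'd to, before relying on the copy.
verify_manifest() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null )
}

main() {
    backup_jetty
    backup_re
    backup_mongo
    restart_services
    write_manifest "$OUT" $BACKUP_SET
    verify_manifest "$OUT" && echo "backup set written and verified in $OUT"
}

# usage: sa_backup.sh run   (the guard lets the functions be sourced without running them)
if [ "${1:-}" = run ]; then main; fi
```

After copying the set elsewhere, run verify_manifest against the destination directory; a single bit flipped in transit, or a truncated scp, shows up as a failed check rather than as a failed restore later.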

II Restore Process


This process assumes the backup files are in the /home/rsasoc directory. Where noted, the present working directory (pwd) should be /.

1) Restore Jetty


To restore Jetty, perform the following tasks via the SSH command line. Step 2 deletes the existing Jetty configuration, node secrets and database on the target, so confirm you are on the intended device first:
  1. stop jettysrv
  2. rm -rf /var/lib/netwitness/uax/nodeSecret* /var/lib/netwitness/uax/conf /var/lib/netwitness/uax/lib/ /var/lib/netwitness/uax/logs/ /var/lib/netwitness/uax/plugins /var/lib/netwitness/uax/scheduler /var/lib/netwitness/uax/security-policy/ /var/lib/netwitness/uax/db/*
     (the nodeSecret* files live under /var/lib/netwitness/uax, the same path backed up above)
  3. cd /var/lib/netwitness/uax/db   (the H2 Restore tool unpacks into the current directory)
  4. java -cp /home/rsasoc/h2-1.3.172.jar org.h2.tools.Restore -file /home/rsasoc/jettydb.backup
  5. cd /
  6. tar -xvpjf /home/rsasoc/saserver.tar.gz   (-j, matching the bzip2 archive created at backup time)

2) Restore Reporting Engine


To restore the Reporting Engine, perform the following tasks via the SSH command line. Step 2 removes only /home/rsasoc/rsa; the backup files one level up in /home/rsasoc are untouched:
  1. stop rsasoc_re
  2. rm -rf /home/rsasoc/rsa/
  3. rpm -i --force <path/to/re-server.rpm>   (see Notes below for choosing the correct RPM)
  4. cd /
  5. tar -xvpjf /home/rsasoc/re.tar.gz

3) Restore Mongo Database


In Security Analytics 10.4, ESA rules and some Jetty web server data are stored in the MongoDB instance on the SA server. To restore the MongoDB data (including the ESA alert data) on the SA server, perform the following tasks via the SSH command line:
  1. service rsa-im stop
  2. cd /
  3. tar -zxvf /home/rsasoc/alert-db.tar.gz   (gzip this time; extracting from / recreates /home/rsasoc/alert-db)
  4. mongorestore -vvvv --noLoader /home/rsasoc/alert-db

4) IPDB Extractor Notes (optional)


Re-configure the IPDB Extractor service by following the IPDB Extractor guide. If you are not using the IPDB Extractor for enVision, these steps may be safely skipped.

5) Restart Services


Start the following services: 
  1. start jettysrv
  2. start rsasoc_re
  3. service rsa-im start
Notes

Be certain to check with RSA Support to verify the proper re-server.rpm file for your specific configuration. Provide the full version number of the SA Server in use; to obtain it, run the following command:

                      rpm -qa | grep nw
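The restore steps above as one script, again an added example and not RSA's own tooling. Before it deletes anything it runs the pre-flight checks a practitioner would want: every file in the backup set is present and non-empty, jettydb.backup is a zip (the format org.h2.tools.Backup writes), each tarball's compression is read from its magic bytes rather than its name (the article creates saserver.tar.gz and re.tar.gz with bzip2 despite the .gz extension and alert-db.tar.gz with gzip, and extracting with the wrong flag fails), and a SHA256SUMS manifest, if one sits beside the set, still verifies. Assumptions: the backup set is in /home/rsasoc (overridable via SRC), the RE rpm path is passed as the second argument, and the manifest file name and the `run` guard are this example's own.

```shell
#!/bin/sh
# sa_restore.sh - pre-flight checks, then the restore steps from the article, in order.
# Added example, not RSA-supplied code.
# Assumptions (not stated in the article): the backup set is in SRC, an optional
# SHA256SUMS manifest sits beside it, and the RE rpm path is passed on the command line.
set -eu

SRC=${SRC:-/home/rsasoc}
UAX=/var/lib/netwitness/uax
H2_JAR=$SRC/h2-1.3.172.jar

# tar_flag_for FILE : print the tar compression flag matching FILE's magic bytes.
# The article creates saserver.tar.gz and re.tar.gz with -j (bzip2) and alert-db.tar.gz
# with -z (gzip); extracting with the wrong flag fails, so look at the bytes, not the name.
tar_flag_for() {
    case "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" in
        425a68) echo j ;;   # "BZh": bzip2
        1f8b*)  echo z ;;   # 1f 8b: gzip
        *) echo "unrecognised archive format: $1" >&2; return 1 ;;
    esac
}

# is_zip FILE : org.h2.tools.Backup writes a zip, so jettydb.backup must start with "PK".
is_zip() {
    [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = 504b ]
}

# preflight RE_RPM : refuse to wipe anything until the whole backup set checks out.
preflight() {
    for f in alert-db.tar.gz h2-1.3.172.jar jettydb.backup re.tar.gz saserver.tar.gz; do
        [ -s "$SRC/$f" ] || { echo "missing or empty backup file: $SRC/$f" >&2; return 1; }
    done
    is_zip "$SRC/jettydb.backup" || { echo "jettydb.backup is not an H2 zip backup" >&2; return 1; }
    for f in saserver.tar.gz re.tar.gz alert-db.tar.gz; do
        tar_flag_for "$SRC/$f" >/dev/null
    done
    if [ -f "$SRC/SHA256SUMS" ]; then
        ( cd "$SRC" && sha256sum -c SHA256SUMS >/dev/null )
    fi
    [ -f "$1" ] || { echo "Reporting Engine rpm not found: $1" >&2; return 1; }
}

restore_jetty() {
    stop jettysrv
    rm -rf "$UAX"/nodeSecret* "$UAX/conf" "$UAX/lib" "$UAX/logs" "$UAX/plugins" \
           "$UAX/scheduler" "$UAX/security-policy" "$UAX/db"/*
    # org.h2.tools.Restore unpacks into the current directory, hence the cd.
    ( cd "$UAX/db" && java -cp "$H2_JAR" org.h2.tools.Restore -file "$SRC/jettydb.backup" )
    ( cd / && tar "-xvp$(tar_flag_for "$SRC/saserver.tar.gz")f" "$SRC/saserver.tar.gz" )
}

restore_re() {
    stop rsasoc_re
    rm -rf /home/rsasoc/rsa/
    rpm -i --force "$1"
    ( cd / && tar "-xvp$(tar_flag_for "$SRC/re.tar.gz")f" "$SRC/re.tar.gz" )
}

restore_mongo() {
    service rsa-im stop
    ( cd / && tar "-xv$(tar_flag_for "$SRC/alert-db.tar.gz")f" "$SRC/alert-db.tar.gz" )
    mongorestore -vvvv --noLoader "$SRC/alert-db"
}

start_services() {
    start jettysrv
    start rsasoc_re
    service rsa-im start
}

main() {
    preflight "$1"
    restore_jetty
    restore_re "$1"
    restore_mongo
    start_services
}

# usage: sa_restore.sh run /path/to/re-server.rpm
if [ "${1:-}" = run ]; then main "${2:?path to re-server.rpm required}"; fi
```

Because preflight runs before the first rm -rf, a backup set that was copied incompletely, or that was recompressed with the wrong tool somewhere along the way, stops the script while the target device is still intact.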
