Sys Maintenance: Log Collector Backup and Recovery

Document created by RSA Information Design and Development on Jul 28, 2016
Version 1

Administrators can back up and restore configuration and database files for a Log Collector, so if information is lost or deleted, it can be restored.

Back Up Files

To back up configuration files:

  1. Create a tar.bz2 (or tb2) archive of all the subdirectories under /etc/netwitness/ng:
    cd /
    tar -cvjf etc-ng.tb2 /etc/netwitness/ng

Note: This includes the service configuration, ODBC configuration, the event source trust store, log collector content, the lockbox, and keys/certificates.  This directory also contains the configuration for RabbitMQ.

To back up database files:

  1. Create a tar.bz2 (or tb2) archive of all the subdirectories under /var/netwitness/logcollector:
    cd /
    tar -cvjf var-logcollector.tb2 /var/netwitness/logcollector

Note: This includes any persisted event data, collection run-time state (log positions, etc.), uploaded and unprocessed event source files, RabbitMQ’s mnesia database, and the data files generated by nextgen core.

Restore Archived Files

  1. Use ssh to log on to the host you intend to restore from a saved backup.
  2. Change to the / directory.
    cd /
  3. Copy the tar file etc-ng.tb2 to the / directory on the host using a utility like SCP.
  4. Extract the tar file by using the following command:
    tar -xvjf etc-ng.tb2 
  5. Copy the tar file var-logcollector.tb2 to the / directory on the host using a utility like SCP.
  6. Extract the tar file by using the following command:
    tar -xvjf var-logcollector.tb2 
  7. Delete the tar files.
    rm etc-ng.tb2
    rm var-logcollector.tb2
  8. Restart the log collector service using the following command:
    start nwlogcollector

Note: Alternatively, you can reboot the host.

Note: Additionally, if the hardware has changed, you must reset the SSV (Stable System Values) of the lockbox (through Security Analytics or directly via REST/NWP). To do this, you must supply the lockbox password that was used when the lockbox was created.
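
The restore steps above extract archives as root in /, and those archives carry keys, certificates and the lockbox, so it is worth checking an archive before it is unpacked. The following is an added example, not RSA's code or procedure: it refuses to extract unless the archive matches a recorded SHA-256 digest and every member sits under the expected directory. The function names and the .sha256 file beside each archive are assumptions.

```shell
#!/bin/sh
# Added example (helper names are hypothetical, not RSA tooling).
# Assumes a digest was recorded next to each archive at backup time:
#   sha256sum etc-ng.tb2 > etc-ng.tb2.sha256

# verify_archive ARCHIVE PREFIX
# Succeeds only if ARCHIVE matches ARCHIVE.sha256 and every member path is
# under PREFIX (relative to /, e.g. etc/netwitness/ng).
verify_archive() (          # body runs in a subshell: variables stay local
    archive=$1
    prefix=${2%/}

    # 1. Integrity: compare against the digest recorded at backup time.
    [ -f "$archive.sha256" ] || { echo "no digest for $archive" >&2; exit 1; }
    want=$(cut -d' ' -f1 < "$archive.sha256")
    got=$(sha256sum < "$archive" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ] ||
        { echo "digest mismatch: $archive" >&2; exit 1; }

    # 2. Scope: the restore extracts as root in /, so refuse any member that
    #    is absolute, contains "..", or falls outside PREFIX.
    #    GNU tar detects bzip2 on read, so -j is not needed for -t or -x.
    members=$(tar -tf "$archive") || exit 1
    while IFS= read -r member; do
        case $member in
            /*|..|../*|*/../*|*/..) echo "unsafe path: $member" >&2; exit 1 ;;
        esac
        case ${member%/} in
            "$prefix"|"$prefix"/*) ;;
            *) echo "outside $prefix: $member" >&2; exit 1 ;;
        esac
    done <<EOF
$members
EOF
)

# restore_archive ARCHIVE PREFIX [ROOT]
# Extracts into ROOT (default /) only after verify_archive passes.
restore_archive() {
    verify_archive "$1" "$2" || return 1
    tar -xf "$1" -C "${3:-/}"
}
```

On the restored host this would be called as `restore_archive /etc-ng.tb2 etc/netwitness/ng` and `restore_archive /var-logcollector.tb2 var/netwitness/logcollector`. The path check covers member names only, not symlink targets, and a digest copied together with the archive detects corruption rather than deliberate modification.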
