sa_backup - backup tool for Security Analytics 10.6

Document created by Maxim Siyazov on Mar 31, 2017. Last modified by Maxim Siyazov on Mar 31, 2017.

Since I no longer have access to my previous post, sa_backup-1.0.9 - backup tool for Security Analytics 10.3, 10.4, 10.5, and a built-in backup feature is still pending at RSA, I would like to share an updated script.


sa_backup is a tool that backs up the configuration, and some of the data, of every Security Analytics component present on the appliance.

Tested with versions 10.3, 10.4, 10.5, 10.6.


The script is attached and is also available on GitHub:

The direct GitHub link to the script, so it can be grabbed with wget:

Restore instructions are on the Github Wiki: Backup restore · Jazzmax/rsa_sa_backup Wiki · GitHub 


This has been tested when restoring onto the same appliance and onto a fresh/re-imaged appliance (RMA-like scenario).


  • The following components are backed up:

    • OS configuration files:
      • /etc/sysconfig/network-scripts/ifcfg-*[0-9] - HWADDR is disabled
      • /etc/sysconfig/network
      • /etc/hosts
      • /etc/resolv.conf
      • /etc/ntp.conf
      • /etc/fstab - renamed to fstab.{hostname} to prevent overwriting the original fstab on restore
      • /etc/krb5.conf
    • Puppet configuration (puppetmaster, puppet client, ssl files, node_id, puppet.conf, csr_attributes.yaml, mcollective configuration)
    • Core Appliance Services configuration (/etc/netwitness/ng)
    • SA server configuration (/var/lib/netwitness/uax, jetty keystore, jetty-ssl.xml)
    • Reporting Engine (configuration only, or optionally a full backup)
    • RabbitMQ server (mnesia database, configuration for 10.3)
    • MongoDB (entire dump of the mongodb instance of SA and ESA servers)
    • PostgreSQL database (10.3)
    • Malware Analysis configuration
    • ESA server configuration
    • System Management Service (SMS) configuration
    • Incident Management (IM) configuration and DB
    • Log Collector (configuration and statDB)
    • Warehouse Connector
    • Custom user files
  • After taking a backup, the tool returns each service to the state it was in before the backup (started/stopped)

  • Logs the progress to a file

  • Logs fatal errors to syslog

  • Checks if the tool is already running

  • Removes archives older than "n" days.

  • Rotates log file

  • Command line arguments - see the usage information.

  • Inline or file configuration to enable/disable backup of components

  • Option to backup custom user files

  • Test mode

  • Remote backup to NFS


The tool does NOT:

- Back up packets, meta, sessions or index data.
- Back up the license server (fneserver).



Usage: ./ [OPTION...]

Please modify the configuration section in the script or use an external configuration file.

  sa_backup --config=backup.conf --verbose

  sa_backup --backuponly=CORE

Main operation mode:

-c, --config=CONFIG_FILE      Use configuration file
-b, --backuponly=COMPONENTS   Backup only specified components:
                                  CORE - Core services
                                  SYS - OS configuration
                                  PUPPET - puppet master/agent configuration
                                  RABBITMQ - rabbitmq configuration
                                  MONGO - MongoDB/tokumx dump
                                  JETTY - SA application server settings
                                  RE - Reporting Engine
                                  MALWARE - Malware Analysis configuration
                                  ESA - Event Stream Analysis configuration
                                  IM - Incident Management configuration
                                  IMDB - Incident Management DB
                                  SMS - System Management System
                                  LC - Log collector
                                  WHC - Warehouse connector
                                  PGQSL - PostgreSQL database
-t, --test                    Test mode; no backup performed
-v, --verbose                 tar verbose switch
-?, -h, --help                Give this help list

Edit the configuration section in the script before running it.

BACKUP_TYPE=local                       # local | nfs
BACKUPPATH=/root/sabackups              # Local backup directory
LOG=sa_backup.log                       # The backup log file
LOG_MAX_DIM=10000000                    # Max size of log file in bytes - 10MB
RETENTION_DAYS=0                        # Local backups retention in days (0 - no cleanup)
# System files

# SA server / Jetty server

# Reporting engine
RE_FULLBACKUP=1                         # 0 - backup only RE configuration;
                                        # 1 - full RE backup
# Puppet

# RabbitMQ server

# Core Appliance Services

# MongoDB

# Malware Analysis


# Incident Management

# Incident Management database
IM_MONGO_PASS="im"                      # Password for the MongoDB IM database.
                                        # Host, db name and db user are read from the SA IM configuration file
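The housekeeping features listed above (running-instance check, log rotation, archive retention, the fstab rename) as an added shell example. This is not sa_backup's own code; it only reuses the variable names from the configuration section, and the lock file name and staging directory layout are assumptions.

```bash
#!/bin/bash
# Added example (not sa_backup's own code): housekeeping behaviour described
# in the feature list, driven by the configuration section's variable names.
BACKUPPATH=${BACKUPPATH:-/root/sabackups}   # local backup directory
LOG=${LOG:-sa_backup.log}                    # backup log file
LOG_MAX_DIM=${LOG_MAX_DIM:-10000000}         # rotate the log above this size (bytes)
RETENTION_DAYS=${RETENTION_DAYS:-0}          # 0 disables archive cleanup

# "Checks if the tool is already running": refuse to start while the pid in the
# lock file is still alive; a stale lock left by a crashed run is taken over.
acquire_lock() {
  local lockfile=$1
  if [ -f "$lockfile" ] && kill -0 "$(cat "$lockfile")" 2>/dev/null; then
    return 1
  fi
  echo $$ > "$lockfile"
}

# "Rotates log file": keep one previous copy once the size limit is exceeded.
rotate_log() {
  local logfile=$1 max=${2:-$LOG_MAX_DIM}
  [ -f "$logfile" ] || return 0
  if [ "$(wc -c < "$logfile")" -gt "$max" ]; then
    mv -f "$logfile" "$logfile.1" && : > "$logfile"
  fi
}

# "Removes archives older than n days": only *.tar.gz directly inside the
# backup directory are candidates, and 0 keeps everything, as the config says.
# find's "-mtime +n" matches files last modified more than n whole days ago.
cleanup_old_backups() {
  local dir=$1 days=${2:-$RETENTION_DAYS}
  [ "$days" -gt 0 ] || return 0
  find "$dir" -maxdepth 1 -type f -name '*.tar.gz' -mtime +"$days" -delete
}

# /etc/fstab is staged under a host-specific name (fstab.{hostname}) so that a
# later "tar -C / -x" of the archive cannot clobber the target appliance's fstab.
# $stage is an assumed staging directory that is later tarred up.
stage_fstab() {
  local src=$1 stage=$2
  mkdir -p "$stage/etc" && cp -p "$src" "$stage/etc/fstab.$(uname -n)"
}
```

A real run would call acquire_lock before anything else and exit with an error to syslog when it fails, which is what the feature list's "already running" check amounts to.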



This script must be run as the root user.


Restoring is manual.

Extract every tar.gz file with:

tar -C / -xvphzf backup.tar.gz

To restore MongoDB, extract the mongo dump directory and run:

mongorestore -v --drop mongodb-dump.2015-06-07-22-40

Note: on an ESA appliance, to restore the entire db dump you need to temporarily disable authentication in /etc/tokumx.conf:

sed -i "s/\(auth *= *\).*/\1false/" /etc/tokumx.conf
service tokumx restart

After the restore has completed, enable authentication again:

sed -i "s/\(auth *= *\).*/\1true/" /etc/tokumx.conf
service tokumx restart
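The manual restore steps above, wrapped as an added shell example that is not part of sa_backup or its wiki: one function extracts every archive onto a chosen root (/ on a real restore), the other toggles the tokumx auth setting with the sed expression from the note and verifies that the edit actually took effect, so a restore cannot silently leave authentication off. The directory and file paths are assumptions.

```bash
#!/bin/bash
# Added example (not sa_backup's own code): restore helpers for the steps above.

# Extract every sa_backup archive in $1 onto root $2, preserving permissions as
# the page's "tar -C / -xvphzf" does (verbose flag omitted here).
restore_archives() {
  local srcdir=$1 root=${2:-/} f
  for f in "$srcdir"/*.tar.gz; do
    [ -f "$f" ] || continue
    tar -C "$root" -xpzf "$f" || return 1
  done
}

# Set "auth = true|false" in a tokumx.conf using the page's sed expression,
# then fail unless the file really carries the requested value.
set_tokumx_auth() {
  local conf=$1 value=$2
  sed -i "s/\(auth *= *\).*/\1$value/" "$conf"
  grep -q "^auth *= *$value\$" "$conf"
}

# Returns 0 only when authentication is enabled; use it after the restore
# before declaring the appliance back in service.
tokumx_auth_enabled() {
  grep -q '^auth *= *true$' "$1"
}
```

On the real appliance the sequence is set_tokumx_auth false, service tokumx restart, mongorestore, set_tokumx_auth true, service tokumx restart, and then tokumx_auth_enabled as the final check.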


Changes in version 1.0.15:

+ Added Incident Management remote database backup
* Fixed the --backuponly option, plus other minor fixes
* Allow backup of SA 10.6
* check_SAVersion now checks the sarelease file first

