Since I no longer have access to my previous post (sa_backup-1.0.9 - backup tool for Security Analytics 10.3, 10.4, 10.5), and a built-in backup feature is still pending on RSA's side, I would like to share an updated script.
sa_backup is a tool that backs up the configuration, and some of the data, of every Security Analytics component present on an appliance.
Tested with versions 10.3, 10.4, 10.5 and 10.6.
The script is attached and is also available on GitHub: https://github.com/Jazzmax/rsa_sa_backup
The direct link to the raw script is https://raw.githubusercontent.com/Jazzmax/rsa_sa_backup/master/sa_backup.sh, so it can be fetched with wget.
Restore instructions are on the GitHub wiki: Backup restore · Jazzmax/rsa_sa_backup Wiki · GitHub
Restoring has been tested both onto the same appliance and onto a fresh/re-imaged appliance (RMA-like scenario).
Features
The following components are backed up:
- OS configuration files:
  - /etc/sysconfig/network-scripts/ifcfg-*[0-9] - the HWADDR line is disabled in the saved copy, so the interface configuration can be restored onto replacement hardware
  - /etc/sysconfig/network
  - /etc/hosts
  - /etc/resolv.conf
  - /etc/ntp.conf
  - /etc/fstab - saved as fstab.{hostname} so that a restore never overwrites the target appliance's own fstab
  - /etc/krb5.conf
- Puppet configuration (puppetmaster, puppet client, SSL files, node_id, puppet.conf, csr_attributes.yaml, mcollective configuration)
- Core Appliance Services configuration (/etc/netwitness/ng)
- SA server configuration (/var/lib/netwitness/uax, Jetty keystore, jetty-ssl.xml)
- Reporting Engine (configuration only, or a full backup when RE_FULLBACKUP=1)
- RabbitMQ server (mnesia database; configuration on 10.3)
- MongoDB (full dump of the MongoDB instance on SA and ESA servers)
- PostgreSQL database (10.3 only)
- Malware Analysis configuration
- ESA server configuration
- System Management Service (SMS) configuration
- Incident Management (IM) configuration and database
- Log Collector (configuration and statDB)
- Warehouse Connector
- Custom user files
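As an added example (not code from sa_backup.sh or from the post), the following POSIX shell functions show how the two special cases in the OS-file list can be handled when files are staged for the archive: every HWADDR line is commented out so an ifcfg file restores cleanly onto hardware with different MAC addresses, and fstab is stored under a host-specific name so a blind `tar -C / -x` of the archive can never replace the target's live /etc/fstab. The source root, staging directory and hostname are parameters of this example, and the fake root built by make_demo_root is constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example (not from sa_backup.sh): stage OS configuration files into a
# directory that will later be tarred, instead of touching the live system.
# Assumptions: src_root is the root to read from (/ on a real appliance),
# stage is the staging directory, host is the appliance hostname.

# Copy each ifcfg file for a numbered interface, commenting out HWADDR so the
# file can be restored onto replacement hardware with different MACs.
stage_ifcfg() {
    src_root="$1"; stage="$2"
    mkdir -p "$stage/etc/sysconfig/network-scripts"
    for f in "$src_root"/etc/sysconfig/network-scripts/ifcfg-*[0-9]; do
        [ -f "$f" ] || continue   # glob matched nothing
        sed 's/^\(HWADDR=.*\)$/#\1/' "$f" \
            > "$stage/etc/sysconfig/network-scripts/$(basename "$f")"
    done
}

# Copy fstab under a host-specific name: the archive then never contains an
# /etc/fstab entry, so extracting it over / cannot clobber the live one.
stage_fstab() {
    src_root="$1"; stage="$2"; host="$3"
    mkdir -p "$stage/etc"
    cp "$src_root/etc/fstab" "$stage/etc/fstab.$host"
}

# Copy the remaining plain configuration files from the list, if present.
stage_plain_files() {
    src_root="$1"; stage="$2"
    for f in etc/sysconfig/network etc/hosts etc/resolv.conf etc/ntp.conf etc/krb5.conf; do
        [ -f "$src_root/$f" ] || continue
        mkdir -p "$stage/$(dirname "$f")"
        cp "$src_root/$f" "$stage/$f"
    done
}

# Constructed fake root so the functions can be exercised offline.
make_demo_root() {
    root="$1"
    mkdir -p "$root/etc/sysconfig/network-scripts"
    printf 'DEVICE=eth0\nHWADDR=00:11:22:33:44:55\nONBOOT=yes\n' \
        > "$root/etc/sysconfig/network-scripts/ifcfg-eth0"
    printf 'DEVICE=lo\n' > "$root/etc/sysconfig/network-scripts/ifcfg-lo"
    printf '/dev/sda1 / ext4 defaults 1 1\n' > "$root/etc/fstab"
    printf '127.0.0.1 localhost\n' > "$root/etc/hosts"
}
```

Run with something like `make_demo_root /tmp/demo && stage_ifcfg /tmp/demo /tmp/stage && stage_fstab /tmp/demo /tmp/stage "$(hostname)"`; the staging tree under /tmp/stage is what would then be tarred. ifcfg-lo is skipped because it does not match the numbered-interface glob, exactly as the list above specifies.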
- After the backup, each service is returned to the state it was in beforehand (started or stopped)
- Logs progress to a file
- Logs fatal errors to syslog
- Checks whether another instance of the tool is already running
- Removes archives older than "n" days
- Rotates the log file
- Command-line arguments (see the usage information below)
- Inline or file-based configuration to enable/disable the backup of individual components
- Option to back up custom user files
- Test mode (no backup is performed)
- Remote backup to NFS
The tool does NOT back up:
- Packets, meta, sessions or index data.
- The license server (fneserver).
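The three housekeeping behaviours in the feature list (single-instance check, archive retention with 0 meaning "keep everything", log rotation by size) are easy to get subtly wrong, so here is an added example of how they can be implemented in POSIX shell. This is not code from sa_backup.sh; the variable names follow the page's configuration section (BACKUPPATH, RETENTION_DAYS, LOG, LOG_MAX_DIM), while the lock-directory approach and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from sa_backup.sh: housekeeping helpers matching the
# feature list. Parameters mirror the page's config variables; the locking
# mechanism (an atomically created directory) is an assumption of this example.

# Single-instance check. mkdir is atomic, so two concurrent runs cannot both
# succeed; the pid file is informational. Returns 1 if the lock is held.
acquire_lock() {
    lock_dir="$1"
    if mkdir "$lock_dir" 2>/dev/null; then
        echo "$$" > "$lock_dir/pid"
        return 0
    fi
    return 1
}

release_lock() {
    rm -rf "$1"
}

# Retention: delete archives older than retention_days in backup_path.
# A value of 0 disables cleanup, as RETENTION_DAYS=0 does on the page.
prune_archives() {
    backup_path="$1"; retention_days="$2"
    [ "$retention_days" -gt 0 ] || return 0
    find "$backup_path" -maxdepth 1 -type f -name '*.tar.gz' \
        -mtime "+$retention_days" -exec rm -f {} +
}

# Log rotation: once the log exceeds max_bytes, move it aside with a
# timestamp suffix and start a fresh, empty file.
rotate_log() {
    log="$1"; max_bytes="$2"
    [ -f "$log" ] || return 0
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -gt "$max_bytes" ]; then
        mv "$log" "$log.$(date +%Y%m%d%H%M%S)"
        : > "$log"
    fi
}
```

A typical run would be `acquire_lock /var/run/sa_backup.lock || exit 1`, then the backup itself, then `prune_archives "$BACKUPPATH" "$RETENTION_DAYS"`, `rotate_log "$LOG" "$LOG_MAX_DIM"` and `release_lock /var/run/sa_backup.lock`. Note that `find -mtime +N` matches files last modified more than N full days ago, so an archive written exactly N days ago survives one more run.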
Usage
Usage: ./sa_backup.sh [OPTION...]
Either modify the configuration section in the script or supply an external configuration file.
Examples:
  sa_backup --config=backup.conf --verbose
  sa_backup --backuponly=CORE
Main operation mode:
  -c, --config=CONFIG_FILE       Use configuration file
  -b, --backuponly=COMPONENTS    Back up only the specified components:
      CORE      - Core services
      SYS       - OS configuration
      PUPPET    - Puppet master/agent configuration
      RABBITMQ  - RabbitMQ configuration
      MONGO     - MongoDB/TokuMX dump
      JETTY     - SA application server settings
      RE        - Reporting Engine
      MALWARE   - Malware Analysis configuration
      ESA       - Event Stream Analysis configuration
      IM        - Incident Management configuration
      IMDB      - Incident Management DB
      SMS       - System Management Service
      LC        - Log Collector
      WHC       - Warehouse Connector
      PGQSL     - PostgreSQL database
  -t, --test                     Test mode; no backup performed
  -v, --verbose                  Pass the verbose switch to tar
  -?, -h, --help                 Give this help list
Edit the configuration section in the script before running it.
BACKUP_TYPE=local # local | nfs
BACKUPPATH=/root/sabackups # Local backup directory
LOG=sa_backup.log # The backup log file
LOG_MAX_DIM=10000000 # Max size of the log file in bytes (10 MB)
RETENTION_DAYS=0 # Local backup retention in days (0 - no cleanup)
# System files
SYS_ENABLED=true
# SA server / Jetty server
SASERVER_ENABLED=true
# Reporting Engine
RE_ENABLED=true
RE_FULLBACKUP=1 # 0 - back up only the RE configuration; 1 - full RE backup
# Puppet
PUPPET_ENABLED=true
# RabbitMQ server
RABBITMQ_ENABLED=true
# Core Appliance Services
CORE_ENABLED=true
# MongoDB
MONGODB_ENABLED=true
# Malware Analysis
MALWARE_ENABLED=true
# ESA
ESA_ENABLED=true
# Incident Management
IM_ENABLED=true
# Incident Management database
IMDB_ENABLED=true
IM_MONGO_PASS="im" # Password for the MongoDB IM database.
# Host, database name and database user are read from the SA IM configuration file
This script must be run as the "root" user. The archives it produces contain private key material (the Jetty keystore, the Puppet SSL files, krb5.conf) and full database dumps, so keep BACKUPPATH, any NFS export used for remote backups, and a configuration file that holds IM_MONGO_PASS readable by root only.
Restoring is manual.
Extract each tar.gz archive with:
tar -C / -xvphzf backup.tar.gz
The saved fstab is extracted as /etc/fstab.{hostname}; compare it with the live /etc/fstab and merge any needed entries by hand rather than copying it over.
To restore MongoDB, extract the mongo dump directory and run:
mongorestore -v --drop mongodb-dump.2015-06-07-22-40
Note: on an ESA appliance, to restore the entire dump you need to temporarily disable authentication in /etc/tokumx.conf:
sed -i "s/\(auth *= *\).*/\1false/" /etc/tokumx.conf
service tokumx restart
Once the restore is done, enable authentication again:
sed -i "s/\(auth *= *\).*/\1true/" /etc/tokumx.conf
service tokumx restart
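Because the ESA restore leaves the database without authentication until the second `sed` runs, it is worth wrapping the whole sequence so that auth is re-enabled even when mongorestore fails, and checking the edit actually took effect before restarting the service. The following added example (not from the post or the rsa_sa_backup project) does that; it anchors the pattern at the start of the line so a `noauth = ...` key in the same file is left untouched, which the unanchored expression above would also rewrite. The config path, dump directory and the DRY_RUN switch are this example's own parameters, and the tokumx.conf used in the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not code from sa_backup.sh: safe auth toggle for the ESA
# MongoDB (TokuMX) restore. Assumptions: conf is the path to tokumx.conf,
# dump_dir is the extracted mongo dump; setting DRY_RUN=1 prints the service
# and mongorestore commands instead of executing them.

# Set "auth = true|false" in conf, writing via a temp file, and verify the
# result. Anchored at line start so "noauth = ..." is not modified.
set_tokumx_auth() {
    conf="$1"; value="$2"
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 2 ;;
    esac
    grep -q '^auth *= *' "$conf" || { echo "no auth line in $conf" >&2; return 1; }
    sed "s/^\(auth *= *\).*/\1$value/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -q "^auth *= *$value\$" "$conf"
}

# Print the current auth value (true/false) from conf.
get_tokumx_auth() {
    sed -n 's/^auth *= *\(.*\)$/\1/p' "$1" | head -n 1
}

# Full restore sequence: disable auth, restart, restore, re-enable auth,
# restart. Auth is re-enabled even if mongorestore fails; its exit status
# is returned so the caller still sees the failure.
restore_esa_mongo() {
    conf="$1"; dump_dir="$2"
    set_tokumx_auth "$conf" false || return 1
    ${DRY_RUN:+echo} service tokumx restart
    rc=0
    ${DRY_RUN:+echo} mongorestore -v --drop "$dump_dir" || rc=$?
    set_tokumx_auth "$conf" true || return 1
    ${DRY_RUN:+echo} service tokumx restart
    return $rc
}
```

On a real ESA appliance the call is `restore_esa_mongo /etc/tokumx.conf mongodb-dump.2015-06-07-22-40`; run it first with `DRY_RUN=1` to see the exact commands it would issue, and confirm afterwards with `get_tokumx_auth /etc/tokumx.conf` that the file says true before considering the restore finished.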
Changes in version 1.0.15:
+ Added Incident Management remote database backup
* Fixed the --backuponly option, plus other minor fixes
* Allow backups of SA 10.6
* check_SAVersion now checks the sarelease file first
This document was generated from the following discussion: sa_backup - backup tool for Security Analytics 10.6
To all customers reading this post:
Please note that any backup or restore script that is not an RSA official script, such as this one, cannot be supported by RSA Netwitness Support. You use these scripts at your own risk. If you have any issues with any of the unofficial scripts found within RSA Link, please reach out to their owners as RSA Netwitness Support will not be able to assist you. An official RSA Netwitness backup and restore script is scheduled to be available in 10.6.3 and above. If you have any questions about the official scripts please contact RSA Netwitness Support.
Thank you