Sys Maintenance: Log Collector Backup and Recovery

Document created by RSA Information Design and Development on Jun 26, 2017. Last modified by RSA Information Design and Development on Jul 27, 2017.
Version 2

Administrators can back up and restore configuration and database files for a Log Collector, so that if information is lost or deleted, it can be restored.

Back Up Files

To back up configuration files:

  1. Stop the Log Collector service using the command:
    stop nwlogcollector
  2. Create a tar.bz2 file of all the subdirectories under /etc/netwitness/ng:
    tar -C / -cvjf etc-ng.bz2 /etc/netwitness/ng

Note: This includes the service configuration, ODBC configuration, the event source trust store, log collector content, the lockbox, and keys/certificates. This directory also contains the configuration for RabbitMQ.

To back up database files:

  1. Stop the Log Collector service using the command:
    stop nwlogcollector
  2. Create a tar.bz2 file of all the subdirectories under /var/netwitness/logcollector:
    tar -C / -cvjf var-logcollector.bz2 /var/netwitness/logcollector

Note: This includes any persisted event data, collection run-time state (log positions, etc.), uploaded and unprocessed event source files, RabbitMQ's mnesia database, and the data files generated by nextgen core.

To back up Puppet and RabbitMQ files:

  1. Create a tar.bz2 file of the Puppet and RabbitMQ files:
    tar -C / --atime-preserve --recursion -cvpjf /root/puppet-rabbit-backup.tar.bz2 --exclude=/var/lib/puppet/bucket --exclude=/var/lib/puppet/reports --exclude=/var/lib/puppet/lib --exclude=/var/lib/rabbitmq/mnesia /var/lib/puppet /etc/puppet /var/lib/rabbitmq
  2. If you are backing up a system that is still being used, start the Log Collector service using the command:
    start nwlogcollector

Restore Files

When you are restoring files that have been backed up, put the files in a consistent place. In this document, we are using the /tmp/ folder as the location for the tar files to be extracted. You can use a different folder if needed.

To restore configuration and database files:

  1. Using SSH, log on to the host that you intend to restore from a saved backup.
  2. Stop the Log Collector service using the command:
    stop nwlogcollector
  3. Change to the / directory.
    cd /
  4. Copy the tar file etc-ng.bz2, using a utility like Secure Copy (SCP), to the host in the /tmp/ directory.
  5. Extract the tar file by using the following command:
    tar -C / -xvjf /tmp/etc-ng.bz2 
  6. Copy the tar file var-logcollector.bz2, using a utility like SCP, to the host in the /tmp/ directory.
  7. Extract the tar file by using the following command:
    tar -C / -xvjf /tmp/var-logcollector.bz2
  8. Delete the tar files.
    rm /tmp/etc-ng.bz2
    rm /tmp/var-logcollector.bz2

To restore Puppet and RabbitMQ Files:

  1. Change to the / directory.
    cd /
  2. Copy the tar file puppet-rabbit-backup.tar.bz2, using a utility like Secure Copy (SCP), to the host in the /tmp/ directory.
  3. Extract the tar file by using the following command:
    tar -C / -xvjf /tmp/puppet-rabbit-backup.tar.bz2
  4. Delete the tar file.
    rm /tmp/puppet-rabbit-backup.tar.bz2
  5. Start the Log Collector service using the command:
    start nwlogcollector

Note: Alternatively, you can reboot the host.

Note: If the hardware has changed, you must reset the SSV (Stable System Values) of the lockbox (through Security Analytics or directly via REST/NWP). You must supply the lockbox password that was used when the lockbox was created to accomplish this. For information about creating a lockbox, see Step 2. Create the Lockbox in the Security Analytics Warehouse Connector Configuration Guide.
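The archives produced by the backup steps above contain the lockbox and the keys/certificates, so a practitioner will want them created with restrictive permissions and checked for integrity before the extraction steps under Restore Files. The following script is an added example and not part of the RSA document: it wraps the document's tar commands and service names in helper functions; the helper names and the backup directory /root/lc-backup are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the RSA document: wraps the backup commands
# above so each archive is created mode 0600 with a SHA-256 record that is
# checked again before restore. The archives contain the lockbox and the
# keys/certificates, so they must not be readable by other users.
# Service and path names come from the document; the helper names and the
# backup directory (/root/lc-backup) are this example's own choices.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/root/lc-backup}"

# backup_tree DEST TAR_ARGS...: create the tar.bz2 file DEST from the given
# paths/options (same -C / form as the document), confirm it lists cleanly,
# and write DEST.sha256 beside it recording only the file name, so the check
# still works after the file is copied to another host with SCP.
backup_tree() (
    dest="$1"; shift
    umask 077                           # new files are created 0600
    tar -C / -cjf "$dest" "$@" &&
    tar -tjf "$dest" >/dev/null &&      # unreadable archive = failed backup
    cd "$(dirname "$dest")" &&
    sha256sum "$(basename "$dest")" > "$(basename "$dest").sha256"
)

# verify_archive DEST: returns 0 only if DEST matches its .sha256 record and
# still lists cleanly. Run it before each extraction step under Restore Files.
verify_archive() (
    dest="$1"
    cd "$(dirname "$dest")" &&
    sha256sum -c "$(basename "$dest").sha256" >/dev/null &&
    tar -tjf "$(basename "$dest")" >/dev/null
)

# backup_logcollector: the document's sequence, with the service stopped only
# while the archives are written.
backup_logcollector() {
    mkdir -p "$BACKUP_DIR" && chmod 0700 "$BACKUP_DIR"
    stop nwlogcollector
    backup_tree "$BACKUP_DIR/etc-ng.bz2" /etc/netwitness/ng
    backup_tree "$BACKUP_DIR/var-logcollector.bz2" /var/netwitness/logcollector
    backup_tree "$BACKUP_DIR/puppet-rabbit-backup.tar.bz2" \
        --atime-preserve --recursion -p \
        --exclude=/var/lib/puppet/bucket --exclude=/var/lib/puppet/reports \
        --exclude=/var/lib/puppet/lib --exclude=/var/lib/rabbitmq/mnesia \
        /var/lib/puppet /etc/puppet /var/lib/rabbitmq
    start nwlogcollector
}

if [ "${1:-}" = "run" ]; then backup_logcollector; fi
```

On the restore host, run verify_archive against each copied file in /tmp before the corresponding tar -xvjf step; a failed check means the archive was altered or truncated in transit and should be copied again rather than extracted.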
