NetWitness Community

AnuragSinha2 · ‎2016-03-30

Any one aware of the process for backup/offsite archiving for RSA SAW (10.3.3) on any digital or tape drive. I checked in sadocs but it talks about the other RSA SA components and even RSA SA SAW warehouse connector.

CoreyDukai · ‎2016-03-30

Hi -

Are you looking to backup the configuration of warehouse? Or are you talking about the data in the warehouse?

I'm assuming configs, but just want to make sure.

Thanks!

Corey Dukai

AnuragSinha2 · ‎2016-03-31

Hi Corey,

I am looking for config as well data backup. In case of disaster recovery, how do we get our retained data back for reporting or compliance purpose.

Thanks,

Anurag

UmbertoZanatta2 · ‎2016-04-12

Hi Anurag,

in order to backup the warehouse connector:

$ tar -zvcf backup.tgz /etc/netwitness/ng/lockbox /etc/netwitness/ng/NwWarehouseconnector.cfg /etc/netwitness/ng/multivalue-bootstrap.xml 2>&1

you might backup logs and sessions too, please look at the following script which should be carried out on the decoder/hybrid (don't compress file if avro files are compressed):

$ tar -vcf saw.tar <path>/logs/data/<daily_path>/* <path>/logs/meta/* <path>/sessions/data/<daily_path>* <path>/sessions/meta/* >> 2>&1

path e.g: is /saw/rsasoc/v1/sessions/

daily path e.g: 2016/04/12/

Rgds,

DavidWaugh1 · ‎2016-04-14

Hi in terms of backing up the data on the SAW I'm not sure what the benefit of this would be. The amount of data to backup would potentially be in the order of terabytes.

The SAW is made up of a minimum of three nodes and the data is replicated to a minimum of two of nodes. This means for the data to be lost you would have to lose at least two nodes at the same time.

AnuragSinha2 · ‎2016-04-14

Hi David,

Thank you for reply.SAW data backup is intended for any disaster recovery case like natural disaster (earthquake, tsunami etc). Do we have any RSA method for incremental kind of backup to digital drive or tape?

Regards,

Anurag

AnuragSinha2 · ‎2016-04-14

Hi Umberto,

Thank you for reply.I believe backing up warehouse connector will not backup the SAW nodes data. Do you know any process to backup nodes data?

Regards,

Anurag

DavidWaugh1 · ‎2016-04-14

Hi thanks.

All the important data that you need is stored in AVRO files.

I use the following script to delete folders from my test SAW that are older than 10 days.

You could modify this script so that it copies files off rather than deleting

I put this in /etc/cron.hourly

more saw-cleanup.sh

find /mnt/saw/lonsaw/rsasoc/v1/logs/data* -mtime +10 -exec rm {} \;

find /mnt/saw/lonsaw/rsasoc/v1/sessions/data* -mtime +10 -exec rm {} \;

find /mnt/saw/lonsaw/rsasoc/v1/logs/data -type d -empty -delete

find /mnt/saw/lonsaw/rsasoc/v1/sessions/data -type d -empty -delete

You could write your own script to look at files that were modified within the last hour and then copy these files to a remote location.

UmbertoZanatta2 · ‎2016-04-15

Hi Anurag,

as I wrote on my past post, you should backup only avro files. If you will experience a disaster recovery, you must install all MapR nodes, hence starting warehouse connector and after restoring avro files from your backup.

Data on MapR are not indexed so you don’t care about it.

Da: Anurag Sinha

Inviato: giovedì 14 aprile 2016 12:41

A: Umberto Zanatta <Umberto.Zanatta@iks.it>

Oggetto: Re: - RSA SAW backup

RSA Link <https://community.rsa.com/?et=watches.email.thread>

RSA SAW backup

reply from Anurag Sinha<https://community.rsa.com/people/Gw1MeMvA5xhAyjQYfn6xTH81nFtBomFZa0uGgEIjhzs%3D?et=watches.email.thread> in Security Analytics - View the full discussion<https://community.rsa.com/message/870075?et=watches.email.thread#comment-870075>

AnuragSinha2 · ‎2016-04-27

Thanks David. I will do the suggested changes to copy the SAW data.