This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

sa_backup - backup tool for Security Analytics 10.6

MaximSiyazov1
Beginner
Beginner
‎2017-03-31 02:17 PM

Since I no longer have access to my previous post sa_backup-1.0.9 - backup tool for Security Analytics 10.3, 10.4, 10.5 and a built-in backup feature is still pending on RSA I would like to share an updated script.

 

sa_backup is a tool to take a backup of configurations and some data of all Security Analytics components available on the appliance.

Tested with versions 10.3, 10.4, 10.5, 10.6.

 

The script is attached and also available on the GitHub: https://github.com/Jazzmax/rsa_sa_backup

The direct GitHub link to the script:  https://raw.githubusercontent.com/Jazzmax/rsa_sa_backup/master/sa_backup.sh so can be grabbed using wget.  

Restore instructions are on the Github Wiki: Backup restore · Jazzmax/rsa_sa_backup Wiki · GitHub 

 

This has been tested when restoring on the same appliance and a fresh/re-imaged appliance (RMA-like scenario).

Features

  • The following components are backed up:

    • OS configuration files:
      • /etc/sysconfig/network-scripts/ifcfg-*[0-9] - HWADDR is disabled
      • /etc/sysconfig/network
      • /etc/hosts
      • /etc/resolv.conf
      • /etc/ntp.conf
      • /etc/fstab - renamed to fstab.{hostname} to prevent overwriting the original fstab on restore
      • /etc/krb5.conf
    • Puppet configuration (puppetmaster, puppet client, ssl files, node_id, puppet.conf, csr_attributes.yaml, mcollective configuration)
    • Core Appliance Services configuration (/etc/netwitness/ng)
    • SA server configuration (/var/lib/netwitness/uax, jetty keystore, jetty-ssl.xml)
    • Reporting Engine (configuration or full backup (optional))
    • RabbitMQ server (mnesia database, configuration for 10.3)
    • MongoDB (entire dump of the mongodb instance of SA and ESA servers)
    • PostgreSQL database (10.3)
    • Malware Analysis configuration
    • ESA server configuration
    • System Management Service (SMS) configuration
    • Incident Management (IM) configuration and DB
    • Log Collector (configuration and statDB)
    • Warehouse Connector
    • Custom user files

  • After taking a backup the tool restores the original service status (start/stop)

  • Logs the progress to a file

  • Logs fatal errors to syslog

  • Checks if the tool is already running

  • Removes archives older than "n" days.

  • Rotates log file

  • Command line arguments - see the usage information.

  • Inline or file configuration to enable/disable backup of components

  • Option to backup custom user files

  • Test mode

  • Remote backup to NFS

 

The tool does NOT do:

- Backup of packets, meta, sessions or index data.
- Backup of a license server (fneserver).

 

Usage

Usage: ./sa_backup.sh [OPTION...]

Please modify the configuration section in the script or use an external configuration file.

Examples:
  sa_backup --config=backup.conf --verbose

  sa_backup --backuponly=CORE

Main operation mode:

-c, --config=CONFIG_FILE      Use configuration file
-b, --backuponly=COMPONENTS   Backup only specified components:
                                  CORE - Core services
                                  SYS - OS configuration
                                  PUPPET - puppet master/agent configuration
                                  RABBITMQ - rabbitmq configuration
                                  MONGO - MongoDB/tokumx dump
                                  JETTY - SA application server settings
                                  RE - Reporting Engine
                                  MALWARE - Malware Analysis configuration
                                  ESA - Event Stream Analysis configuration
                                  IM - Incidint Management configuration
                                  IMDB - Incidint Management DB
                                  SMS - System Management System
                                  LC - Log collector
                                  WHC - Warehouse connector
                                  PGQSL - PostgreSQL database
-t, --test                    Test mode; no backup performed
-v, --verbose                 tar verbose switch
-?, -h, --help                Give this help list‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Edit the configuration section in the script before running it.

BACKUP_TYPE=local                             # local | nfs 
BACKUPPATH=/root/sabackups              # Local backup directory
LOG=sa_backup.log                       # The backup log file
LOG_MAX_DIM=10000000                    # Max size of log file in bytes - 10MB 
RETENTION_DAYS=0                            # Local backups retention in days (0 - no cleanup)
                         
# System files 
SYS_ENABLED=true

# SA server / Jetty server
SASERVER_ENABLED=true

# Reporting engine
RE_ENABLED=true
RE_FULLBACKUP=1                         # 0 - backup only RE configuration; 
                                        # 1 - full RE backup
# Puppet 
PUPPET_ENABLED=true

# RabbitMQ server
RABBITMQ_ENABLED=true

# Core Appliance Services
CORE_ENABLED=true

# MongoDB 
MONGODB_ENABLED=true

# Malware Analysis
MALWARE_ENABLED=true

# ESA 
ESA_ENABLED=true

# Incident Management
IM_ENABLED=true

# Incident Management database 
IMDB_ENABLED=true
IM_MONGO_PASS="im"                      # Password for the MongoDB IM database . 
                                        # Host, db name, and db user will be read from SA IM configuration file‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

 

This script must be run as "root" user.

Restoring is manual.

You need to extract all tar.gz files using:

tar -C / -xvphzf backup.tar.gz

To restore MongoDB extract the mongo dump directory and run:

mongorestore -v --drop mongodb-dump.2015-06-07-22-40

Note: on ESA appliance to be able to restore the entire db dump you would need to temporarily disable the authentication in /etc/tokumx.conf:

sed -i "s/\(auth *= *\).*/\1false/" /etc/tokumx.conf
service tokumx restart

After the restore has been done enable the authentication back:

sed -i "s/\(auth *= *\).*/\1true/" /etc/tokumx.conf
service tokumx restart

 

in version 1.0.15 

+ Added Incident Management remote database backup
* Fixed --backuponly option, other minor fixes
* Let SA 10.6 backup
* check_SAVersion checks the sarelease file first

 

This document was generated from the following discussion: sa_backup - backup tool for Security Analytics 10.6

Preview file
47 KB
1 Comment
© 2022 RSA Security LLC or its affiliates. All rights reserved.