NetWitness Community

That is what I was likely going to do, but I have no idea where the config files are stored.  I know where the index files are stored but I am talking about the app rules, reports, etc...  Do you have any idea where they are stored?

FYI I do have a script that is working.  Please test it in your environment first before confirming but it backs up pretty much everything that you will need to restore a system.  This script works on all devices.  I will first post the instructions I was given, then I will post the script after.  ! !

This script works for Brokers, Concentrators, Decoders, Log
Decoders, ESA Appliances and SA Servers.  It will backup the directories
listed below which contain a majority of the configuration files.  The
script will automatically compress the contents into a tar file.  There is
also a line to scp the backup file(s) after it is compressed in a tar file,
however that line is commented out by default.  Define your host at the
top of the script and uncomment the scp lines to enable automatic secure copy
off of the box(es).  The script will dump the tar file into /tmp/backup by
default, but the variables are configurable and listed at the top.  The
script is attached.

SA Server: /home/rsasoc/rsa/soc/reporting-engine  <—With
the exception of /resultstore/ and   /formattedReports/

SA Server: /var/lib/netwitness/uax

ESA: /opt/rsa/esa

Broker/Concentrator/Decoder/Log Decoder : /etc/netwitness/ng

You can set the script up using a cron job and run it at whatever
intervals you would like.

To test:

Place Script in /usr/sbin

Make executable using chmod +x backup.sh

Test it:

cd /usr/sbin

./backup.sh

cd /tmp/backup

look for files...

Schedule cron job:

crontab -e

(in the editor) type colon ':' on a blank line

wq!

(the above commands create the crontab file if one
does not exist)

cd /var/spool/cron

edit root

(I recommend doing this using WinSCP and a file-format aware gui text editor
like editplus instead of using ‘vi’,
because errors with crontab for root can corrupt the system rendering it
unbootable

Add these entries:

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

07 00 * * * /usr/sbin/backup.sh > /dev/null
2>&1

NOTE: This script is not RSA Supported.  Customers should use their commercial
backup product and point to the directories indicated.

#!/bin/bash
# The routine moves config files into the archive area and compresses the files.
# Old logs are also removed if over "n" days old.
#
#
#
#

#----- Define Variables
HOST="`hostname`"
day=`date +%d`
month=`date +%b`
year=`date +%Y`
BACKUP=/tmp/backup
DECCONBRK1=/etc/netwitness/ng
SASERVER1=/home/rsasoc/rsa/soc/reporting-engine
SASERVER2=/var/lib/netwitness/uax
ESASERVER1=/opt/rsa/esa
GZIP="/bin/gzip -f"

# Check for backup directory
if [ -d "${BACKUP}" ]; then
#Directory /backup exists.
echo .
else
#Error: Directory /backup does not exists.
mkdir ${BACKUP}
fi;

########################################################
## Decoder, Concentrator, or Broker
########################################################
if [ -d "${DECCONBRK1}" ]; then
  #Directory exists.
  tar -cvf ${BACKUP}/etc-netwitness-ng.tar.$year.$day.$month-12AM ${DECCONBRK1}
  #scp ${BACKUP}/etc-netwitness-ng.tar.$year.$day.$month-12AM user@host:/path/$HOST.etc-netwitness-ng.tar.$year.$day.$month-12AM
else
     #Error: Directory does not exists.
     echo .
fi;

########################################################
## SA Server
########################################################
if [ -d "${SASERVER1}" ]; then
  #Directory exists.
  #tar --exclude='/home/rsasoc/rsa/soc/reporting-engine/formattedReports/*' --exclude='/home/rsasoc/rsa/soc/reporting-engine/resultstore/*' -cvf foo.tar /home/rsasoc/rsa/soc/reporting-engine
  tar --exclude='/home/rsasoc/rsa/soc/reporting-engine/formattedReports/*' --exclude='/home/rsasoc/rsa/soc/reporting-engine/resultstore/*' -cvf ${BACKUP}/home-rsasoc-rsa-soc-reporting-engine.tar.$year.$day.$month-12AM ${SASERVER1}
  #scp ${BACKUP}/home-rsasoc-rsa-soc-reporting-engine.tar.$year.$day.$month-12AM user@host:/path/$HOST.home-rsasoc-rsa-soc-reporting-engine.tar.$year.$day.$month-12AM
else
     #Error: Directory does not exists. 
     echo .
fi;

if [ -d "${SASERVER2}" ]; then
  #Directory exists.
  tar -cvf ${BACKUP}/var-lib-netwitness-uax.tar.$year.$day.$month-12AM ${SASERVER2}
  #scp ${BACKUP}/var-lib-netwitness-uax.tar.$year.$day.$month-12AM user@host:/path/$HOST.var-lib-netwitness-uax.tar.$year.$day.$month-12AM
else
     #Error: Directory does not exists.
     echo .
fi;

########################################################
## ESA
########################################################
if [ -d "${ESASERVER1}" ]; then
  #Directory exists.
  tar -cvf ${BACKUP}/opt-rsa-esa.tar.$year.$day.$month-12AM ${ESASERVER1}
  #scp ${BACKUP}/opt-rsa-esa.tar.$year.$day.$month-12AM user@host:/path/$HOST.opt-rsa-esa.tar.$year.$day.$month-12AM
else
     #Error: Directory does not exists.
     echo .
fi;
  

#----- Cleanup the Backup Area
find ${BACKUP} -mtime +15 -exec rm {} \;