2017-08-14 03:10 AM
Dear all;
We are planning to re-image two log hybrid appliances; the published backup/restore script by RSA is only for configuration settings. What about data!!
Appreciate your response and interaction.
2017-08-14 01:58 PM
If there is no attached storage, the only way to back up the data is to copy it off the hybrid to another location. Depending on the amount of data, this can take several days, and the hybrid services must be shut down during the copy operation. This is the reason why the backup/restore scripts only handle the configuration data. There is no place to put the captured data under most circumstances.
If you are reimaging a hybrid there are only two choices:
- Find somewhere within your own environment and manually copy the database files to it
- Do not keep the captured data.
Is there a reason for reimaging the two hybrids and wanting to keep the data?
2017-08-15 08:14 AM
Hello John;
Thanks for your reply.
The two hybrid appliances are not working fine as hybrids because they shipped as AIO and were then formatted as hybrid, but it seems there is something weird in their operation, so we got a recommendation from RSA support to reimage them.
There are two VLCs sending logs to all the decoders (hybrid and AIO) at the same time, and the archiver is connected to the AIO. So, since the process of copying the data will take a long period, we will proceed with the re-image even if we lose data, because a copy of it exists on the archiver.
What do you think?
2017-08-17 05:10 PM
As long as your archivers are up to date they will have the backup of your data on the hybrids. I would stop capture on the hybrid's decoders and allow the archiver to consume anything new in the decoder. Once that is done you can stop the hybrids and reimage them. So if you need to retrieve older data you will need to write reports against the archiver but you should be able to get all the data you had before just through the archiver.
2018-07-05 11:17 AM
Hello John and RSA community;
Again we have a request to do a backup for all the RSA NetWitness appliances (AIO, 2x log hybrid, Archiver).
I need your help to know what the possible ways are to back up data (logs) from each appliance!
The backup script is only used to back up configuration settings for each appliance, and the link below from RSA mentions that there are three ways to back up data from the archiver:
Archiver: Configure Data Backup and Restore
Then they mentioned the way to restore backup data using workbench.
What is the path of the (logs) DB that could be backed up manually or using backup software?
Is it possible to install (run) a backup agent on RSA appliances to do the backup? Also, if we need to back up the archiver, how can we achieve this?
2018-07-05 12:00 PM
Ennab,
The location of the database files on the archiver is /var/netwitness/archiver/database#. The # will be a number and represents the different DACs attached to your archiver. So if you had 2 DACs attached it would be database0 and database1. Remember that you can't take just the logs databases from an archiver, otherwise it will be useless. When you back up the hot storage of an archiver you need ALL the database files. All of these files live within the /var/netwitness/archiver/database# locations.
If you go to restore the hot databases you have to be careful about what you restore. This is because you need all the databases that contain the information you are looking for. What I mean by this is that if you restore the packetdb (logs) you have to find the metadb, sessiondb, and index that match the packetdb file. It isn't easy, as they are not a one-to-one match. This is why backups of the hot database are not generally suggested for dealing with restoring old data that has rolled out, but rather for the case of catastrophic archiver failure.
As mentioned in the article https://community.rsa.com/docs/DOC-80139 you can run third-party backup software on the archiver; the only suggestion we make is doing incremental backups. Please note that no backup software has been tested to work with the Archiver. This means whatever backup solution you choose, you use at your own risk. If it is found to be causing issues with the performance or usage of the archiver, Support can request this software be removed and/or discontinued before further troubleshooting can be performed.
I hope this helps.
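An added example, not part of the thread and not an RSA tool: a check that a manual copy of the `/var/netwitness/archiver/database#` directories contains every file (not just the packetdb) before the source is re-imaged, by comparing size and SHA-256 per file. It assumes the services are stopped so the files are not changing; the backup destination path in the usage comment is a made-up example.

```python
import hashlib
import re
import sys
from pathlib import Path

DB_DIR = re.compile(r"^database\d+$")  # database0, database1, ...: one per attached DAC


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB blocks so large database files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """Map 'databaseN/relative/path' -> (size, sha256) for every file under root/database#."""
    root = Path(root)
    out = {}
    for db in sorted(p for p in root.iterdir() if p.is_dir() and DB_DIR.match(p.name)):
        for f in sorted(p for p in db.rglob("*") if p.is_file()):
            out[f.relative_to(root).as_posix()] = (f.stat().st_size, sha256_file(f))
    return out


def compare(source_root, backup_root):
    """Return (missing, mismatched) relative paths; both empty means the copy is complete."""
    src, dst = manifest(source_root), manifest(backup_root)
    missing = sorted(k for k in src if k not in dst)
    mismatched = sorted(k for k in src if k in dst and src[k] != dst[k])
    return missing, mismatched


if __name__ == "__main__":
    # Usage (destination path is an assumed example):
    #   python3 verify_copy.py /var/netwitness/archiver /mnt/backup/archiver
    missing, mismatched = compare(sys.argv[1], sys.argv[2])
    for k in missing:
        print("MISSING   ", k)
    for k in mismatched:
        print("MISMATCHED", k)
    sys.exit(1 if (missing or mismatched) else 0)
```

A non-zero exit status means the copy should not be trusted as a replacement for the data on the appliance.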