2016-12-13 05:26 AM
Hello All,
I have a requirement from one of my customers who has many appliances in their SA solution of log hybrid.
So now what they want is to dedicate each standalone appliance for each service, like 1 appliance for log decoder & 1 for concentrator for logs.
Their log hybrid appliance is also connected with multiple DACs.
So here the main challenge is to have a proper data backup & restore of everything like configs, data backup, DB backup of both the services.
As the customer has strict compliance conditions in their environment, I just want to be sure that the data for any service that we back up from the log hybrid appliance will work after restoring it onto the new, re-imaged appliance.
So I am just wondering whether there is any specific document available on what to back up and how to back up the data properly, without losing even a single raw log file or indexed log file from the log decoder and concentrator,
And how to do this.
Kindly advise. This is a bit urgent. Thanks.
Regards,
Deepanshu Sood.
2017-01-16 12:18 PM
Deepanshu,
Backing up configuration data is very easy and the instructions can be found here: Back Up and Restore Data for Hosts and Services - RSA Security Analytics Documentation. However, for your log event sources make sure to go into the UI and export all your event sources, as it will be a lot faster and easier to put them back. Anything you can export using the UI will be easier to restore later.
Moving from a hybrid to a set of stand alone appliances can be difficult when it comes to moving the DB data. The first thing to realize is that a hybrid uses internal disks where a stand alone appliance does not. What this means is you have to have a free DAC to move the data to before you repurpose the hybrid. Here are some very basic steps so you get an idea of what is required.
1. Confirm you have the needed hardware
- You need a stand alone log decoder and log concentrator with one DAC each.
- Your hybrid will be converted into one of the above if it is a series 4S (Dell R620). The Series 5 (Dell R730) would be more difficult to setup and as far as I know aren't supported as anything but hybrids.
- A storage location that has at least an amount of space equal to the total amount of packetdb used by the log decoder, depending on your circumstances.
- Replacement drives for the Log Hybrid. A standalone system has 2x150GB and 2x1TB drives internally, not 10x1TB/2TB drives. The supported reimage will require this drive geometry.
2. Backup the configuration per the instructions above.
3. Let's say you purchased a Log Concentrator and a single High Performance DAC. You would need to set it up normally. Then copy the /var/netwitness/concentrator/index, metadb and sessiondb into the correct locations on the new Log Concentrator DAC from the Log Hybrid. Depending on how much data you have this can take hours to days to complete. The easiest way is to connect the Log Concentrator configured DAC to the Log Hybrid and copy it that way.
4. Once the data is done copying put the Log Concentrator DAC back on the Log Concentrator.
5. At this point you will have to do some data location manipulation. If you did not have a DAC on the Hybrid you will need to add the new DAC to the hybrid and manually create the Logical Volumes that represent a Log Decoder's first DAC (decoroot, metadb, sessiondb, index, packetdb). If there was a DAC already attached you'll need to move that data off the DAC and onto open space in the Log Hybrid or elsewhere. Then you'll need to reconfigure the DAC into a Log Decoder DAC as mentioned previously.
6. At this point you'll need to move all the Log Decoder data (metadb, sessiondb, index and packetdb) over to the newly created DAC locations.
7. With all the data removed you'll need to reimage the hybrid into a Log Decoder.
8. Once the Log Decoder build is completed you'll put back as much of the configuration information as you can. Not all configuration information backed up can be used as the appliance is now a different appliance. Same goes for the Concentrator settings. It is better to use the old configurations as references instead of direct drop in replacements.
9. Make sure you work with your RSA Sales Engineer to get the old Log Hybrid converted into the new appliance with RSA's backend team. Otherwise, if an RMA is ever performed you will receive a Log Hybrid back instead of whatever it has become.
Realize this is not an exhaustive list of steps; these are only a rough idea of what would need to be done. It is not a transition for the faint of heart, as there is a lot that can go wrong and data will be lost. I highly suggest mapping out every step before starting execution of this kind of migration. Utilize your RSA Sales Engineers or RSA Customer Support. As of right now there are no fully documented migration steps because these kinds of migrations are handled on a case-by-case basis.
I hope this helps.
John
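Since the original question is about not losing a single raw or indexed log file, an added example (not from this thread, RSA or John) of how to prove that the index, metadb and sessiondb directories copied in steps 3 and 6 landed intact on the new DAC before the hybrid is wiped. The sample files and mktemp paths are constructed stand-ins for the real /var/netwitness/<service>/ directories; sha256sum, rsync (optional) and cmp are assumed to be available as on a CentOS-based appliance.

```shell
#!/bin/sh
# Added example, not from the thread or from RSA: integrity check for the
# "copy the DB directories onto the new DAC" steps. Directory names mirror
# the ones John lists (index, metadb, sessiondb); the sample files and the
# mktemp paths are constructed stand-ins for /var/netwitness/<service>/...

# Write a sorted sha256 manifest (hash + path relative to $1) into file $2.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# Copy a tree preserving owners, modes and hard links (rsync if present).
copy_tree() {
    if command -v rsync >/dev/null 2>&1; then
        rsync -aHq "$1"/ "$2"/
    else
        mkdir -p "$2" && cp -a "$1"/. "$2"/
    fi
}

# Return 0 only if source and destination hold exactly the same files with
# the same contents; a truncated, missing or extra file makes this fail.
verify_copy() {
    m_src=$(mktemp) && m_dst=$(mktemp)
    make_manifest "$1" "$m_src"
    make_manifest "$2" "$m_dst"
    cmp -s "$m_src" "$m_dst"
    rc=$?
    rm -f "$m_src" "$m_dst"
    return $rc
}

# Demo on constructed data: a good copy verifies, a truncated file does not.
demo() {
    work=$(mktemp -d)
    for d in index metadb sessiondb; do
        mkdir -p "$work/hybrid/$d"
        printf 'constructed %s page\n' "$d" > "$work/hybrid/$d/$d-000001.sample"
    done
    copy_tree "$work/hybrid" "$work/dac"
    verify_copy "$work/hybrid" "$work/dac" && echo "copy verified, safe to reimage"
    : > "$work/dac/metadb/metadb-000001.sample"   # simulate a bad copy
    verify_copy "$work/hybrid" "$work/dac" || echo "mismatch: do not wipe the hybrid"
    rm -rf "$work"
}

demo
```

Run verify_copy once per service directory against the mounted DAC and keep the manifests with the configuration backup; they are the evidence that nothing was lost if compliance later asks.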