1 Reply Latest reply on Jun 25, 2017 11:18 PM by schrodinger

    Restore ESM and ELM data to a new hardware.

    rohitsharma79

      Hi All,

      Recently we had a hardware failure on our SIEM appliance. The details are as follows:

      ENMELM-6000   Combo box with a DAS-10 Storage.

       

      A backup of ESM settings and ELM management database is available. The ELM data is intact on the DAS.

      On the RMA box, we have performed the following operations.

      1. Brought the Firmware to the old box level.

      2. Restored the ESM Configuration data. This happened successfully and all the data sources and policy settings are restored.

      3. Disconnected the DAS box from the Old Hardware & Connected to the new hardware.

      4. The DAS drive is visible in the CLI and the data files are visible.

       

      However the ELM settings are not restored, and no storage pools are visible in the ELM Configuration. The ELM Management database is available in an NFS storage.

      Advice is needed on how to restore the ELM management database and ELM settings to view the raw logs.

       

      -------------------------------- storage configuration

       

      McAfee-ENMELM-6000 / # df -h

      Filesystem            Size  Used Avail Use% Mounted on

      /dev/sdb3             1.9T  115G  1.7T   7% /

      /dev/sdb1             976M   68M  859M   8% /boot

      /dev/sdc1              13T   73G   13T   1% /data_hd

      shm                    48G     0   48G   0% /dev/shm

      /dev/sdd1             9.1T  2.3T  6.5T  26% /elm_storage/local_das1

      /dev/sda              446G   35G  412G   8% /index_hd

       

      ---------------------------------------DAS status----------------------

       

      McAfee-ENMELM-6000 /elm_storage/local_das1 # ls -l | more

      total 2275445492

      drwxr-xr-x 2 root root       4096 Mar 20  2015 fti/

      lrwxrwxrwx 1 root root         23 Sep 12  2014 local_das1 -> /elm_storage/local_das1/

      drwx------ 2 root root      16384 Sep 12  2014 lost+found/

      drwxr-xr-x 3 root root       4096 Jun 23 04:16 mgtdb/

      -rw-r--r-- 1 root root 2147049566 Mar 31 11:53 sh_1_sr_1.elm

      -rw-r--r-- 1 root root 2147150975 Apr 11 14:49 sh_1_sr_1009.elm

      -rw-r--r-- 1 root root 2147238105 Apr 17 08:48 sh_1_sr_1016.elm

      -rw-r--r-- 1 root root 2147482389 Apr 22 09:56 sh_1_sr_1025.elm

      -rw-r--r-- 1 root root 2147454157 Apr 27 18:36 sh_1_sr_1033.elm

      -rw-r--r-- 1 root root 2147480489 May  5 22:51 sh_1_sr_1044.elm

      -rw-r--r-- 1 root root 2147396881 May 11 14:55 sh_1_sr_1052.elm

      -rw-r--r-- 1 root root 2147192380 May 17 05:30 sh_1_sr_1063.elm

      -rw-r--r-- 1 root root 2147081933 Sep 22  2016 sh_1_sr_128.elm

      -rw-r--r-- 1 root root 2147468200 Nov 12  2016 sh_1_sr_255.elm

      -rw-r--r-- 1 root root 2147381451 Nov 19  2016 sh_1_sr_301.elm

      -rw-r--r-- 1 root root 2147068742 Nov 26  2016 sh_1_sr_310.elm

       

      -------------------------------------------------------------------------------- ----------------------------

       

      Help would be highly appreciated.

       

      Thanks

       

      Rohit Sharma

        • 1. Re: Restore ESM and ELM data to a new hardware.
          schrodinger

          Hello,

           

          The ESM backup file contains ERC, ACE backup, but it does not include ELM.

           

          There is a backup for ELM, restore it.


           

          You should also follow the steps below.

           

          1. Brought the Firmware to the old box level. (also software version)

          2. Disconnected the DAS box from the Old Hardware & Connected to the new hardware.

          3. Restore the ESM Configuration data.

          4. Wait until GUI login becomes available

          4. Reboot. (Requires reboot after restore)

          5. Restore the ELM Configuration data.

          6. Wait about 30 minutes.

          7. Reboot. (Requires reboot after restore)

           

          Regards,