2 Replies Latest reply on Feb 12, 2015 4:06 PM by pepelepuu

    Configure Backup/Restore of ESM Data and Configuration(s)?

    nitron00b

      Community,

      First things first, I appreciate any help you can spare in answering the questions below. It really does make a difference!

      OUR CURRENT CONFIGURATION attached.

      I'm trying to configure Backup & Restore to ensure we don't suffer from any data loss or configuration loss in the event our data center or ESM goes boom. I'm a little confused on some of the settings. To add complexity, we also have an ELM and lots of SAN storage.


      1. What is the difference between the (Events) and (Event Logs)?
      2. If I only backed up the (ESM settings), and we suffered an ESM meltdown, would a recovery of the (ESM settings) to a new ESM restore: data sources, rules, custom rules, alarms, views, zone configurations, asset sources, system profiles, etc.?
      3. If I were to restore from a (Full backup of data), then would all the Event Summaries, Flow Summaries and Flow Distributions restore?
      4. When a (Full backup of data) is done, is there any compression on that data?
      5. Is there a good way of estimating how much space to allocate for a remote full backup?
      6. Backup location options for remote locations are CIFS or NFS; I assume a CIFS or NFS share can be set up on a SAN?
      7. When a (Full backup of data) is done, does that include the ESM database, active partitions, inactive partitions?
      8. Does it make sense to still conduct Full backups of data when we have an ELM (seems redundant)?
      9. I'm a bit confused on the relationships between:
         • System Properties>System Information>Backup and Restore
         • System Properties>Database>Archival
         • System Properties>Database>Data Storage
      10. Is there a recommendation on sizing inactive partitions?

        • 1. Re: Configure Backup/Restore of ESM Data and Configuration(s)?
          pepelepuu

          nitron00b

          Q.  What is the difference between the (Events) and (Event Logs)?

          A. These are actually tables in the SIEM database that have their own separate retention policies etc. In general, best practice dictates that you at a minimum back up the Events and Event Logs. You'd want to have these available for reference during cause analysis activities. I believe they are Alerts, Connections and uhhh. Can't remember the other one.


          Q. If I only backed up the (ESM settings), and we suffered an ESM meltdown, would a recovery of the (ESM settings) to a new ESM restore: data sources, rules, custom rules, alarms, views, zone configurations, asset sources, system profiles, etc.?

          A. Yes, theoretically. However, in a lab environment, I've had to re-key all the devices after restoring. 

          Note: A standard backup saves all configuration settings, including those for policy. When you add a new ESM device, Backup & Restore is enabled to back up every 7 days. You can back up events, flows, and logs received by the system. The first backup of event, flow, or log data saves only data from the start of the current day. Subsequent backups save data starting at the time of the last backup.

          • 2. Re: Configure Backup/Restore of ESM Data and Configuration(s)?
            pepelepuu

            Amending to previous post:

            You should also add to your maintenance tasks "Exporting your DataSources". As a footnote, all data sources are defined in a file named thirdparty.conf with the following format for each data source:

            # Data source configuration for ERC-2600
            # Applied: 02/12/2015 18:20:19
            # ESM:
            # ESM buildstamp: 9.4.2 20150127184901
            # Receiver:
            # Receiver buildstamp: 9.4.2 20150127184901

            [DataSource Name Displayed in ESM System Tree]
            id=2
            ipsid=144182258301927424
            created=1387472852
            # Windows Event Log - WMI
            type=43
            type_orig=43
            disabled=no
            ip_address=192.168.1.8
            collector=wmi
            parser=wmi
            protocol=wmi
            elm_logging=yes
            parsing=yes
            hostname=server01.joeslab
            pool=ELM-StoragePoolNAme
            use_rpc=no
            wmi_interval=600
            wmi_logs=Active Directory Web Services,Application,DFS Replication,Directory Service,DNS Server,HardwareEvents,Internet Explorer,Key Management Service,Security,System,Windows PowerShell
            wmi_password=U2FsdGVkX18ODYjiC0auJuCOOPTvolWePm+NonX01kRUzi6FS0c7Iw==
            wmi_username=daminname\ServiceAcct
            wmi_version=0
            device_status_traps=no
            override=


            Q. If I were to restore from a (Full backup of data), then would all the Event Summaries, Flow Summaries and Flow Distributions restore?

            A. Yes. All of these are essentially database tables.

            Q. When a (Full backup of data) is done, is there any compression on that data?

            A. Yes; not certain about the ratio.

            Q. Is there a good way of estimating how much space to allocate for a remote full backup?

            A. No, because that is dependent on too many variables. Speak with your SAN or storage engineers as well.

            Q. Backup location options for remote locations are CIFS or NFS; I assume a CIFS or NFS share can be set up on a SAN?

            A. Yes.

            Q. When a (Full backup of data) is done, does that include the ESM database, active partitions, inactive partitions?

            A. Yes and no. Yes, to all active data. No, because when an active partition reaches its maximum size, it becomes inactive and is deleted.

            Q. Does it make sense to still conduct Full backups of data when we have an ELM, (seems redundant)?

            A. Yes. They are two completely different things. The ELM holds RAW, unparsed data. The data on an ESM is "Relational" and parsed.

            Q. I'm a bit confused on the relationships between:
              ○ System Properties>System Information>Backup and Restore
              ○ System Properties>Database>Archival
              ○ System Properties>Database>Data Storage

            A. The relationship is:
            ○ Backup & Restore - Tells the system how and where to back up, and where to find backups for restoring.
            ○ Archival - Tells ESM how and where to store archived data, and also whether or not you want archived data to be included in views.
            ○ Data Storage - The easiest explanation is to say "Data Connections". For example, if you have a DAS (Directly Attached Storage), SAN connection, or iSCSI storage devices, you might have active partitions configured on the DAS, back up to the SAN and store archives on the iSCSI.

            Q. Is there a recommendation on sizing inactive partitions?

            A. Not really. It depends on the environment and configuration. Note this can affect queries, as this ultimately states how much data to keep on hand, or on the system, before archiving. When you open a view and define a time period of, say, "All", it will query data on the system AND archived data. Your type of connection to external storage contributes to this decision as well.

            Hope this helps!

            PePeLePuu

            The Dancing Engineer!!!!
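As an added example, not from this thread and not McAfee's own tooling, here is a small Python parser for the thirdparty.conf layout pepelepuu quoted, plus a review of what a backup owner would want to know from an export: which data sources are disabled, which are not logging to the ELM, and which carry credential fields that make the exported file itself sensitive. The sample file and every value in it are constructed; the `SECRET_HINTS` key fragments are an assumption about how credential keys are named.

```python
import re
# Constructed sample in the thirdparty.conf layout quoted above; every value is made up.
SAMPLE_CONF = """\
# Data source configuration for ERC-2600
[Windows DC01]
id=2
# Windows Event Log - WMI
type=43
disabled=no
collector=wmi
elm_logging=yes
wmi_username=domain\\ServiceAcct
wmi_password=U2FsdGVkX1-constructed-blob==
override=
[Linux syslog relay]
id=7
type=65
disabled=yes
collector=syslog
elm_logging=no
"""
SECTION_RE = re.compile(r"^\[(.+)\]$")
SECRET_HINTS = ("password", "passwd", "secret", "community")  # assumed key fragments marking credentials

def parse_thirdparty_conf(text: str) -> dict[str, dict[str, str]]:
    """Map each [section] (one data source) to its key=value pairs; '#' lines and blanks are skipped."""
    sources: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION_RE.match(line):
            current = sources.setdefault(m.group(1), {})
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a data source: {raw!r}")
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()  # empty values such as override= are kept
    return sources

def audit(sources: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Name the data sources to review before trusting the export as part of a backup."""
    checks = {
        "disabled": lambda kv: kv.get("disabled", "no").lower() == "yes",
        "no_elm_logging": lambda kv: kv.get("elm_logging", "no").lower() != "yes",
        "has_credentials": lambda kv: any(h in k.lower() for k in kv for h in SECRET_HINTS),
    }
    return {label: [n for n, kv in sources.items() if test(kv)] for label, test in checks.items()}
```

Running `audit(parse_thirdparty_conf(SAMPLE_CONF))` lists the syslog relay under both `disabled` and `no_elm_logging`, and the WMI source under `has_credentials`; a line outside any section raises `ValueError` so a truncated export is noticed rather than silently half-parsed.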