Backing Up and Restoring FortiSIEM Directories and Databases

The following topics are covered:

  • Backing Up and Restoring SVN

  • Backing Up and Restoring the CMDB

  • Backing Up and Restoring the Event Database

Backing Up and Restoring SVN

FortiSIEM uses a built-in Subversion (SVN) repository to store network device configurations and the versions of software installed on discovered devices.

SVN Backup

The SVN files are stored in /svn. Copy the entire directory to another location. Use cp -a rather than a plain cp -r so that ownership, permissions and timestamps are preserved; otherwise the restored repository may not be readable by the FortiSIEM processes that use it.

# cp -a /svn /<another>/<mount>/<point>

SVN Restore

Copy the entire svn directory from the backup location back to the root of the file system, so that it is once again /svn.

# cd /<another>/<mount>/<point>

# cp -a svn /

Backing Up and Restoring the CMDB

The FortiSIEM Configuration Management Database (CMDB) contains discovered information about devices, servers, networks and applications. You should create regular backups of the CMDB that you can use to restore it in the event of database corruption.

CMDB Backup

The live database files are stored in /cmdb/data. FortiSIEM automatically backs up this data twice daily (the listing below shows the 03:00 and 13:00 runs) and writes the backup files to /data/archive/cmdb. To perform a backup, copy the most recent of these files to another location. For example:

[root@SaaS-Sup cmdb] #cd /data/archive/cmdb

[root@SaaS-Sup cmdb] #cp phoenixdb* /<another>/<mount>/<point>

If your /data disk is on an external NFS mount, the CMDB backup already lives outside the VM infrastructure. Note in the listing below that the archived files are world-readable and world-writable (-rw-rw-rw-); restrict access to the copies you make, and to the backup mount itself, since a CMDB dump contains your full device inventory.

[root@SaaS-Sup cmdb]# pwd

/data/archive/cmdb

[root@SaaS-Sup cmdb]# ls -lt

total 1213952

-rw-rw-rw- 1 root root 95559457 Apr 20 03:02 phoenixdb_2011-04-20T03-00-01

-rw-rw-rw- 1 root root 93010144 Apr 19 13:04 phoenixdb_2011-04-19T13-00-02

-rw-rw-rw- 1 root root 91142941 Apr 19 03:02 phoenixdb_2011-04-19T03-00-01

-rw-rw-rw- 1 root root 89686080 Apr 18 13:03 phoenixdb_2011-04-18T13-00-02

CMDB Restore

If your database becomes corrupted, restore it from backup by performing these steps on your Supervisor node.

  1. Perform a clean stop by running the following command:
    systemctl stop phxctl
  2. Stop all processes with this phTools command:
    phtools --stop all
  3. Wait approximately 20 seconds for all processes to stop.
  4. Kill anything that is still running:
    killall -9 java; killall -9 phMonitor
  5. Copy the latest phoenixdb_<timestamp> file to a directory such as /tmp on the Supervisor host.
  6. Go to /opt/phoenix/deployment.
  7. Run db_restore /tmp/phoenixdb_<timestamp>
  8. When this process completes, reboot the system by running the following command:
    reboot
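The following script is an added example and is not part of FortiSIEM or its documentation. It pulls together the SVN backup, the CMDB backup from /data/archive/cmdb, and the copy-and-verify done before db_restore in step 5 above: it selects the newest phoenixdb_<timestamp> file by its embedded timestamp, copies it and the /svn tree off the box with timestamps preserved, writes a SHA-256 sidecar, removes the world-writable mode the archive directory leaves on backups, and re-checks the copy against the sidecar. The destination directory, the function names and the demo files at the bottom are assumptions; only /data/archive/cmdb, /svn and the phoenixdb_ naming come from the page.

```bash
#!/bin/sh
# Added example, not part of FortiSIEM or its documentation: copy the newest
# automatic CMDB backup and the SVN tree off the box, record SHA-256 checksums,
# tighten file modes, and re-verify a copy before it is handed to db_restore.
# /data/archive/cmdb and /svn are the paths the page names; the destination
# directory is an assumption. The demo at the bottom uses constructed files.
set -eu

# SHA-256 of a file: coreutils sha256sum, or shasum where that is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Newest phoenixdb_<timestamp> file in a directory. The timestamp is
# YYYY-MM-DDTHH-MM-SS, so a lexical sort of the names gives the latest
# backup without relying on mtimes, which an earlier copy may have changed.
latest_cmdb_backup() {
    newest=$(printf '%s\n' "$1"/phoenixdb_* | LC_ALL=C sort | tail -n 1)
    [ -f "$newest" ] || { echo "no phoenixdb_* files in $1" >&2; return 1; }
    printf '%s\n' "$newest"
}

# Copy one file with its timestamp, write a <name>.sha256 sidecar beside it,
# and drop the world-writable mode (-rw-rw-rw-) seen in /data/archive/cmdb.
backup_file() {
    name=$(basename "$1")
    mkdir -p "$2"
    cp -p "$1" "$2/$name"
    sha256_of "$1" > "$2/$name.sha256"
    chmod 600 "$2/$name" "$2/$name.sha256"
    printf '%s\n' "$2/$name"
}

# Verify a copied backup against its sidecar. Run this on the Supervisor
# after copying the file to /tmp and before calling db_restore on it.
verify_backup() {
    [ "$(cat "$1.sha256")" = "$(sha256_of "$1")" ]
}

# CMDB: pick the newest automatic backup, copy it, verify the copy.
backup_cmdb() {
    latest=$(latest_cmdb_backup "$1")
    copy=$(backup_file "$latest" "$2")
    verify_backup "$copy"
    printf '%s\n' "$copy"
}

# SVN: copy the whole tree. cp -a (not plain cp -r) keeps ownership, modes
# and timestamps, so the tree put back at /svn matches the original.
backup_svn_tree() {
    mkdir -p "$2"
    cp -a "$1" "$2/"
    chmod 700 "$2/$(basename "$1")"
}

# Demo on constructed data standing in for /data/archive/cmdb and /svn, so the
# script runs anywhere. On a Supervisor, call
#   backup_cmdb /data/archive/cmdb /<another>/<mount>/<point>/cmdb
#   backup_svn_tree /svn /<another>/<mount>/<point>
demo=$(mktemp -d)
mkdir -p "$demo/archive" "$demo/svn/repos"
printf 'older dump\n'  > "$demo/archive/phoenixdb_2011-04-19T13-00-02"
printf 'newest dump\n' > "$demo/archive/phoenixdb_2011-04-20T03-00-01"
chmod 666 "$demo/archive"/phoenixdb_*          # the mode the listing shows
printf 'config\n' > "$demo/svn/repos/router1.cfg"

DEMO_CMDB_COPY=$(backup_cmdb "$demo/archive" "$demo/offbox/cmdb")
backup_svn_tree "$demo/svn" "$demo/offbox"
echo "copied and verified $DEMO_CMDB_COPY"
```

Run verify_backup on the Supervisor against the file you copied to /tmp; a mismatch means the dump was altered or truncated in transit and should not be fed to db_restore.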

Backing Up and Restoring the Event Database

Event Database Backup

The event data is stored in /data/eventdb. Since this data can become very large over time, you should use a program such as rsync to copy it incrementally to another location, transferring only what is new or changed on each run. From version 4.2.1, the rsync program is installed on FortiSIEM by default.

Use this command to back up the eventdb. Because the source path has no trailing slash, rsync creates the directory eventdb under the destination, so the backup ends up at /<another>/<mount>/<point>/eventdb.

#rsync -a --progress /data/eventdb /<another>/<mount>/<point>

Event Database Restore

To restore eventdb there are two options:

  • Mount the directory where the event database was backed up.

  • Copy the backup to the /data/eventdb directory.

These instructions are for copying the backup to the /data/eventdb directory.

  1. Stop all running processes.
    #phtools --stop all

  2. Check that all processes have stopped.
    #phstatus

    The following processes will continue to run; this is expected behavior:

    PROCESS       UPTIME         CPU%        VIRT_MEM     RES_MEM
    phMonitor     1-01:55:17     0           992m         540m
    Apache        1-01:56:45     0           236m         9720
    AppSvr        1-01:56:35     0           3908m        758m
    DBSvr         1-01:57:06     0           383m         6656

  3. Copy the event DB into the event DB location, /data/eventdb. The backup made above is the directory /backup/eventdb; if /data/eventdb already exists, cp -a /backup/eventdb /data/eventdb (or rsync with no trailing slash on the source) would create /data/eventdb/eventdb instead of restoring in place, so copy the directory's contents as shown. If you use the cp command, it may appear to hang if there is a lot of data to copy.
    #cp -a /backup/eventdb/. /data/eventdb/

    Alternatively, you can use rsync, which can display progress. The trailing slash on the source makes rsync copy the directory's contents rather than the directory itself.

    #rsync -a --progress /backup/eventdb/ /data/eventdb/

  4. Once complete, restart all processes.
    #phtools --start all

  5. Check that all processes have started.
    #phstatus
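The script below is an added example, not FortiSIEM's own tooling, covering both the eventdb backup and the restore above. It wraps rsync so that a backup lands at <mount>/eventdb while a restore lands back in /data/eventdb itself rather than /data/eventdb/eventdb (the trailing-slash difference that trips people up), then compares the two trees file by file so you can confirm the restore is complete before restarting processes. Every path except /data/eventdb, the function names, and the constructed demo files are assumptions.

```bash
#!/bin/sh
# Added example, not FortiSIEM's own tooling: copy an eventdb tree with rsync
# so that a backup lands at <mount>/eventdb and a restore lands back in
# /data/eventdb itself (not /data/eventdb/eventdb), then show that source
# and destination hold the same files. Every path except /data/eventdb is
# an assumption; the demo at the bottom works on constructed files.
set -eu

# Copy the contents of $1 into $2. rsync treats "src" and "src/" differently:
# without the slash it creates $2/src, which is right for a backup and wrong
# for a restore into an existing /data/eventdb. Both paths are normalised to
# a trailing slash here so the result does not depend on how they were typed.
# Falls back to cp -a on a host without rsync (FortiSIEM ships it from 4.2.1).
sync_contents() {
    src=${1%/}; dst=${2%/}
    mkdir -p "$dst"
    if command -v rsync >/dev/null 2>&1; then
        rsync -a "$src/" "$dst/"
    else
        cp -a "$src/." "$dst/"
    fi
}

# Backup: keep the directory name, giving <mount>/eventdb as on the page.
backup_eventdb() {
    sync_contents "$1" "$2/$(basename "$1")"
}

# Restore: put the backup's contents straight back under the target.
restore_eventdb() {
    sync_contents "$1" "$2"
}

# One line per regular file: CRC, size and relative path, sorted so that
# two manifests can be compared with comm.
manifest() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do
          printf '%s %s\n' "$(cksum < "$f")" "$f"
      done | LC_ALL=C sort )
}

# Number of files that differ (by path, size or CRC) between two trees.
tree_diff_count() {
    m1=$(mktemp); m2=$(mktemp)
    manifest "$1" > "$m1"
    manifest "$2" > "$m2"
    comm -3 "$m1" "$m2" | wc -l | tr -d ' '
    rm -f "$m1" "$m2"
}

# Demo on constructed data standing in for /data/eventdb; on a Supervisor use
#   backup_eventdb /data/eventdb /<another>/<mount>/<point>
#   restore_eventdb /backup/eventdb /data/eventdb   (with processes stopped)
demo=$(mktemp -d)
mkdir -p "$demo/data/eventdb/2011/04/20"
printf 'event 1\n' > "$demo/data/eventdb/2011/04/20/events.gz"
printf 'index\n'   > "$demo/data/eventdb/2011/04/20/index"

backup_eventdb "$demo/data/eventdb" "$demo/mnt"      # -> $demo/mnt/eventdb
printf 'corrupt!\n' > "$demo/data/eventdb/2011/04/20/index"   # simulate damage
restore_eventdb "$demo/mnt/eventdb" "$demo/data/eventdb"
echo "files differing after restore: $(tree_diff_count "$demo/mnt/eventdb" "$demo/data/eventdb")"
```

tree_diff_count reads every file on both sides, so on a large eventdb run it once after the restore rather than routinely; rsync -a itself only compares size and modification time, which is why a damaged file that kept both would need rsync --checksum to be picked up.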