Backing Up and Restoring FortiSIEM Directories and Databases
The following topics are available:
Backing Up and Restoring SVN
FortiSIEM uses an inbuilt SVN to store network device configuration and installed software versions.
SVN Backup
The SVN files are stored in /svn. Copy the entire directory to another location.
# cd /
# cp -r /svn /<another>/<mount>/<point>
SVN Restore
Copy the entire /svn directory from the backup location and rename the directory to /svn.
# cd /<another>/<mount>/<point>
# cp -r svn /
Backing Up and Restoring the CMDB
The FortiSIEM Configuration Management Database (CMDB) contains discovered information about devices, servers, networks and applications. You should create regular backups of the CMDB that you can use to restore it in the event of database corruption.
CMDB Backup
The database files are stored in /cmdb/data. FortiSIEM automatically backs up this data twice daily and the backup files are stored in /data/archive/cmdb. To perform a backup, move these files to another location. For example:
[root@SaaS-Sup cmdb]# cd /data/archive/cmdb
[root@SaaS-Sup cmdb]# cp phoenixdb* /<another>/<mount>/<point>
If your /data disk is on an external NFS mount then your CMDB backup is already separate from the VM infrastructure.
[root@SaaS-Sup cmdb]# pwd
/data/archive/cmdb
[root@SaaS-Sup cmdb]# ls -lt
total 1213952
-rw-rw-rw- 1 root root 95559457 Apr 20 03:02 phoenixdb_2011-04-20T03-00-01
-rw-rw-rw- 1 root root 93010144 Apr 19 13:04 phoenixdb_2011-04-19T13-00-02
-rw-rw-rw- 1 root root 91142941 Apr 19 03:02 phoenixdb_2011-04-19T03-00-01
-rw-rw-rw- 1 root root 89686080 Apr 18 13:03 phoenixdb_2011-04-18T13-00-02
CMDB Restore
If your database becomes corrupted, restore it from backup by performing these steps on your Supervisor node.
- Perform a clean stop by running the following command:
systemctl stop phxctl
- Stop all processes with this phTools command:
phtools --stop all
- Wait for approximately 20 seconds for all processes to stop.
- Run
killall -9 java; killall -9 phMonitor
- Copy the latest phoenixdb_<timestamp> file to a directory like /tmp on the Supervisor host.
- Go to /opt/phoenix/deployment.
- Run
db_restore /tmp/phoenixdb_<timestamp>
- When this process completes, reboot the system by running the following command:
reboot
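The CMDB backup and restore steps above, as an added example that is not part of the Fortinet documentation: shell functions that copy the newest phoenixdb_<timestamp> file to another location, tighten its mode (the listing above shows -rw-rw-rw-), and record a SHA-256 digest that can be checked before the file is handed to db_restore. The function names and the .sha256 sidecar file are assumptions, and sha256sum from GNU coreutils is assumed to be installed.

```sh
#!/bin/sh
# Added example (not Fortinet code). Function names and the ".sha256"
# sidecar file are assumptions made for this illustration.

# Print the newest phoenixdb_<timestamp> file in directory $1.
# The YYYY-MM-DDTHH-MM-SS suffix sorts chronologically as plain text.
latest_cmdb_backup() {
    find "$1" -maxdepth 1 -type f -name 'phoenixdb_*' ! -name '*.sha256' |
        LC_ALL=C sort | tail -n 1
}

# Copy the newest backup from $1 into $2, make it owner-only, confirm the
# copy matches the source, and record its SHA-256 digest beside it.
copy_cmdb_backup() {
    cb_src=$(latest_cmdb_backup "$1")
    [ -n "$cb_src" ] || { echo "no phoenixdb_* file in $1" >&2; return 1; }
    cb_dest="$2/$(basename "$cb_src")"
    cp -p "$cb_src" "$cb_dest" || return 1
    chmod 600 "$cb_dest" || return 1
    cb_want=$(sha256sum "$cb_src" | cut -d' ' -f1)
    cb_got=$(sha256sum "$cb_dest" | cut -d' ' -f1)
    [ "$cb_want" = "$cb_got" ] || { echo "copy differs from $cb_src" >&2; return 1; }
    (umask 077; printf '%s  %s\n' "$cb_got" "$(basename "$cb_dest")" > "$cb_dest.sha256")
    printf '%s\n' "$cb_dest"
}

# Run before db_restore: succeed only if file $1 still matches its digest.
verify_cmdb_backup() {
    [ -f "$1.sha256" ] || { echo "no digest recorded for $1" >&2; return 1; }
    vb_want=$(cut -d' ' -f1 "$1.sha256")
    vb_got=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$vb_want" ] && [ "$vb_want" = "$vb_got" ]
}

# Usage with the paths from this page:
#   copy_cmdb_backup /data/archive/cmdb /<another>/<mount>/<point>
#   verify_cmdb_backup /tmp/phoenixdb_<timestamp>
```

A digest stored beside the backup only detects accidental corruption; to detect tampering, keep a copy of the .sha256 file somewhere the backup location cannot write to.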
Backing Up and Restoring the Event Database
Event Database Backup
The event data is stored in /data/eventdb. Since this data can become very large over time, you should use a program such as rsync to incrementally move the data to another location. From version 4.2.1, the rsync program is installed on FortiSIEM by default.
Use this command to back up the eventdb.
# rsync -a --progress /data/eventdb /<another>/<mount>/<point>
Event Database Restore
To restore eventdb there are two options:
- Mount the directory where the event database was backed up.
- Copy the backup to the /data/eventdb directory.
These instructions are for copying the backup to the /data/eventdb directory.
- Stop all running processes.
# phtools --stop all
- Check that all processes have stopped.
# phstatus
These processes will continue to run, which is expected behavior:
phMonitor 1-01:55:17 0 992m 540m
Apache 1-01:56:45 0 236m 9720
AppSvr 1-01:56:35 0 3908m 758m
DBSvr 1-01:57:06 0 383m 6656
- Copy the event DB to the event DB location /data/eventdb.
If you use the cp command, it may appear that the command has hung if there is a lot of data to copy.
# cp -a /backup/eventdb /data/eventdb
Alternatively, you can use rsync and display the process status.
# rsync -a --progress /backup/eventdb /data/eventdb
- Once complete, restart all processes.
# phtools --start all
- Check that all processes have started.
# phstatus