Back Up and Restore Alarms

Applies to Product: USM Appliance™ LevelBlue OSSIM®

By default, USM Appliance stores alarms in the database until you delete them manually. To save disk space, LevelBlue encourages you to delete alarms after they have been investigated or mediated, especially if the alarm is a false positive. You can also configure alarms to expire after a certain time, after which USM Appliance purges them automatically. The recommendation is to store alarms for 90 days for compliance and 30 days for data forensics.

Alarm Backup Configuration

To configure alarm expiration:

  1. From the USM Appliance web interface, go to Configuration > Administration > Main > Backup.
  2. Change Alarms Expire to Yes.

    The Alarms Lifetime defaults to 0 (days), which means the alarms never expire.

  3. Change Alarms Lifetime to a suitable number based on your environment and your company's requirements. For example, 90 days for compliance or 30 days for data forensics.

    Configuration of the Alarms Backup

    Note: In new installations of USM Appliance version 5.8.6 or later, the default value for Alarms Expire is Yes and the default value for Alarms Lifetime is 90. This means that alarms older than 90 days are removed from the system.

  4. Click Update Configuration.

After the alarms reach the Alarms Lifetime, USM Appliance removes them from the database every day and creates a backup file in /var/lib/ossim/backup_alarm. The file is named alarm_restore_yyyy-mm-dd.sql.gz.

Backing Up All the Alarms

To back up all the alarms on USM Appliance:

  1. Connect to the LevelBlue Console through SSH and use your credentials to log in.

    The LevelBlue Setup menu displays.

  2. On the LevelBlue Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. On the command line, type the following command:

    screen

    We recommend using a screen session so that you can keep the program running even after you log out.

  4. Stop the following services so that they do not interfere with the process:

    /etc/init.d/monit stop

    /etc/init.d/ossim-server stop

    /etc/init.d/ossim-agent stop

    /etc/init.d/ossim-framework stop

    /etc/init.d/alienvault-api stop

  5. Back up the alarms:

    mysqldump -p`grep ^pass /etc/ossim/ossim_setup.conf | sed 's/pass=//'` --no-autocommit --single-transaction alienvault event extra_data idm_data otx_data backlog_event backlog alarm component_tags tag alarm_ctxs alarm_nets alarm_hosts | pigz > alienvault-alarms-`date +%s`.sql.gz

    Adding `date +%s` to the filename gives it a unique time stamp.

This procedure creates the alienvault-alarms-<timestamp>.sql.gz file. Transfer the file to the target system. You can use an SFTP client such as WinSCP on Windows, or SCP on Linux.
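Because the restore procedure pipes the dump straight into the database, it is worth checking the file on both sides of the transfer first. The script below is an added example, not LevelBlue code: the function names verify_alarm_dump and dump_sha256 are hypothetical, and it assumes a Linux shell with gzip and sha256sum and that mysqldump ran with its default comments enabled, as in the command in step 5. It does not cover the daily files in /var/lib/ossim/backup_alarm.

```shell
#!/bin/sh
# Added example (not vendor code): integrity check for an
# alienvault-alarms-<timestamp>.sql.gz dump before transfer or restore.
# Table list copied from the mysqldump command in step 5 of the backup procedure.
ALARM_TABLES="event extra_data idm_data otx_data backlog_event backlog alarm component_tags tag alarm_ctxs alarm_nets alarm_hosts"

# verify_alarm_dump FILE  (hypothetical helper)
# Returns 0 if FILE is an intact gzip stream, ends with mysqldump's
# "-- Dump completed" trailer, and defines every table in ALARM_TABLES.
# Returns 2 if FILE is unreadable, 1 if any check fails.
verify_alarm_dump() {
    dump=$1
    [ -r "$dump" ] || { echo "cannot read $dump" >&2; return 2; }

    # 1. A truncated or corrupted transfer fails the gzip CRC/length check.
    gzip -t "$dump" 2>/dev/null ||
        { echo "gzip integrity check failed: $dump" >&2; return 1; }

    # 2. mysqldump writes this trailer only when it finishes normally.
    gzip -dc "$dump" | tail -n 5 | grep -q '^-- Dump completed' ||
        { echo "dump trailer missing: mysqldump did not finish" >&2; return 1; }

    # 3. Every table named in the backup command must be defined in the dump.
    schema=$(gzip -dc "$dump" | grep '^CREATE TABLE ' || true)
    for t in $ALARM_TABLES; do
        printf '%s\n' "$schema" | grep -q "^CREATE TABLE \`$t\` " ||
            { echo "table missing from dump: $t" >&2; return 1; }
    done
    return 0
}

# dump_sha256 FILE  (hypothetical helper)
# Prints only the SHA-256 digest, for comparison after the transfer.
dump_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Stand-alone use: sh verify_alarm_dump.sh alienvault-alarms-<timestamp>.sql.gz
if [ "$#" -eq 1 ]; then
    verify_alarm_dump "$1" && echo "OK $(dump_sha256 "$1")  $1"
fi
```

Run it on the source appliance after step 5 and again on the target system; the two digests must match before you restore.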

Restoring Alarms

You can restore all the alarms using the output file generated from the procedure above (alienvault-alarms-<timestamp>.sql.gz) or one of the daily backup files in /var/lib/ossim/backup_alarm.

Note: LevelBlue recommends that you only restore the relevant alarms to avoid filling up the database.

Before following the procedure below, you should have deployed the SAME version of USM Appliance, transferred the backup files to the target system, and placed them in the root directory.

To restore alarms:

  1. Connect to the LevelBlue Console through SSH and use your credentials to log in.

    The LevelBlue Setup menu displays.

  2. On the LevelBlue Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. On the command line, type the following command:

    screen

    We recommend using a screen session so that you can keep the program running even after you log out.

  4. Stop the following services so that they do not interfere with the process:

    /etc/init.d/monit stop

    /etc/init.d/ossim-server stop

    /etc/init.d/ossim-agent stop

    /etc/init.d/ossim-framework stop

    /etc/init.d/alienvault-api stop

  5. Restore the alarms:

    zcat alienvault-alarms-<timestamp>.sql.gz | ossim-db

  6. Restart all services for changes to apply:

    alienvault-reconfig -c -v -d