Applies to Product: USM Appliance™, LevelBlue OSSIM®
In USM Appliance, you can back up and restore system configurations, including the system profile, network configuration, inventory data, policies, plugins, correlation directives, and other basic settings. You can restore the configurations on a different USM Appliance system from a backup file through the LevelBlue Console (the SSH management interface used to perform setup and configuration tasks for USM Appliance with options from the LevelBlue Setup menu). You can also manage the configuration backups from the USM Appliance web user interface (UI).
Note: It is not possible to upgrade from LevelBlue OSSIM® to USM Appliance, but you can restore LevelBlue OSSIM configurations to USM Appliance or vice versa if they are the same version.
Each configuration backup file contains the following, which does not include events, alarms, or raw logs:
- Asset and inventory data (an asset is an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers)
- Correlation directives (one of the main tools for generating alarms; each directive contains one or more Correlation Rules. After all the conditions specified in a Correlation Rule have been matched, the system generates a Directive Event and advances to the next Correlation Level. Directives may be built-in, custom, or user-contributed.)
- Host-based intrusion detection system (HIDS) configurations
- HIDS local rules
- Iptables configurations
- Plugins (both default and customized)
- Policies (USM Appliance configuration that controls how USM Appliance processes events; a policy defines one or more conditions that are evaluated for each incoming event to determine whether the associated policy action is triggered)
- Syslog and logrotate configurations
- System configuration (including network interfaces, system profile, and USM Appliance basic configuration settings)
- Tickets created in USM Appliance
- Virtual private network (VPN) configurations (including VPN certificates)
Important: Be aware that if your VPN certificate changes after the backup has taken place, you must reconfigure the VPN connection after restoring the backup file.
By default, USM Appliance backs up the system configurations at 7:00 am local time every day. These display as "Auto" under the Type column in the web UI. You can also manually run a backup at any time.
USM Appliance stores its configuration backup files locally, in the following location:
/var/alienvault/backup/configuration_<hostname>_<timestamp>.tar.gz
For example, configuration_VirtualUSMAllInOne_1429616586.tar.gz
The integer string represents epoch time, so the backup with the highest number is the most recent one. USM Appliance keeps the 10 most recent backups on each system, based on their time stamps.
Note: LevelBlue recommends keeping a copy of the latest backup file outside of USM Appliance because you may not be able to retrieve these backup files when the system is down.
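To act on this recommendation, you first need the newest file in the backup directory. The following POSIX shell function is an added example, not LevelBlue's own tooling: it selects the most recent backup by the numeric epoch suffix described above, ready to be copied off the appliance; the demo directory, the constructed file names and the OFFSITE_HOST placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not LevelBlue's code: select the most recent configuration
# backup by the epoch suffix in its name so it can be copied off the appliance.
# Documented name pattern: configuration_<hostname>_<timestamp>.tar.gz

# Print the path of the newest configuration_*_<epoch>.tar.gz found in $1.
# Sorts numerically on the epoch field instead of trusting ls ordering,
# which would rank a shorter 9-digit value above a 10-digit one.
latest_backup() {
  dir=$1
  for f in "$dir"/configuration_*_*.tar.gz; do
    [ -e "$f" ] || continue            # unmatched glob stays literal; skip it
    base=${f##*/}                      # file name without the directory
    epoch=${base##*_}                  # text after the last underscore
    epoch=${epoch%.tar.gz}             # drop the extension
    case $epoch in
      ''|*[!0-9]*) continue ;;         # suffix is not an integer: not a backup
    esac
    printf '%s %s\n' "$epoch" "$f"
  done | sort -n | tail -n 1 | cut -d' ' -f2-
}

# Demo on constructed file names (hostname and epochs are made up, and the
# files are empty; they are not real backups).
demo_dir=$(mktemp -d)
for name in configuration_VirtualUSMAllInOne_1429530186.tar.gz \
            configuration_VirtualUSMAllInOne_1429702986.tar.gz \
            configuration_VirtualUSMAllInOne_1429616586.tar.gz \
            configuration_VirtualUSMAllInOne_999999999.tar.gz; do
  : > "$demo_dir/$name"
done

newest=$(latest_backup "$demo_dir")
echo "Newest backup: $newest"
# Copy it off the appliance; OFFSITE_HOST and the destination path are placeholders:
#   scp "$newest" backupuser@OFFSITE_HOST:/srv/usm-backups/
rm -rf "$demo_dir"
```

Run it against /var/alienvault/backup/ on the appliance itself; the 9-digit entry in the demo shows why a plain `ls | tail` would pick the wrong file.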
Before starting the backup, USM Appliance verifies the following:
- No re-configuration process is running.
- No other backup or restore processes are running.
- Sufficient disk space exists to restore the configuration backup.
USM Appliance aborts the backup process if any of these checks fails.
Starting from version 5.2.5, USM Appliance does not generate any configuration backups, automatic or manual, until you set a password to encrypt the backup files. You must provide the same password to decrypt the file before a restoration.
To set up a password to encrypt the backup files
- In the web UI, go to Configuration > Administration > Main > Backup.
- In Password to encrypt backup files, type a password between 7 and 32 characters.
Important: Do not use the following characters in your password:
;, |, &, $, <, >, \n, (, ), [, ], {, }, ?, *, ^, \.
- Click Update Configuration.
To run a backup manually
- In the web UI, go to Configuration > Administration > Backups > Configuration.
- Click Run Backup Now.
A message appears showing when the last backup was run and asking if you want to continue.
- Select Yes to start the backup.
These backups display as "Manual" under the Type column.
To see any error messages in the backup logs
- Go to Configuration > Administration > Backups > Configuration.
- Click View Backup Logs.
In a federated environment, where you have USM Appliance Sensors reporting to a USM Appliance Server (child), which then reports to another USM Appliance Server (federated), keep the following in mind:
- Each USM Appliance Server (whether a child or federated server) only triggers automatic backups of itself and directly connected sensors. In other words, the federated server does not trigger automatic backups to its child servers.
- Each USM Appliance stores its own backup file.
You can select the child server on the federated server, but not the reverse. You can run a manual backup of the child server from the federated server by following the standard backup procedure.
To back up the child server from the federated server:
- Go to Configuration > Administration > Backups > Configuration.
- Choose which system you want to use by expanding Show Backups for.
- Click Run Backup Now.
You can only restore a USM Appliance system from a backup file through the LevelBlue Console.
Before running a restoration, USM Appliance verifies the following and aborts the restoration process if any of these checks fails:
- No re-configuration process is running.
- No other backup or restore processes are running.
- The backup profile matches the system profile. In other words, you cannot restore a backup file from the USM Appliance Server on the USM Appliance Sensor.
- Backup file version is the same as the target system. In other words, you can only restore a USM Appliance version 5.4.3 backup on a system that is running USM Appliance version 5.4.3.
Note: You can restore a LevelBlue OSSIM backup on a USM Appliance or vice versa, as long as they are the same version.
- Sufficient disk space exists to restore the configuration backup.
Before restoring a backup file, you must transfer the file to the target system and place it in the /var/alienvault/backup/ directory. You can use either an SFTP client on Windows, such as WinSCP, or SCP on Linux.
To restore a backup file
- Connect to the LevelBlue Console through SSH and use your credentials to log in.
The LevelBlue Setup menu displays.
- Select Maintenance & Troubleshooting.
- Select Backups.
- Select Restore configuration backup.
- Select the backup file you want to restore, then click <OK> or press Enter.
- Select <Yes> to continue.
- Enter the password used to encrypt the backup files.
The restoration process starts. After the process finishes, the system restarts automatically.
Note: Your SSH connection drops if the IP address of USM Appliance changes as a result of the restoration.
- Log in to display the LevelBlue Setup menu again.
- Select System Preferences.
- Select Reset LevelBlue API Key.
To find out more, see Reset the AlienVault API Key.
You can manage the configuration backups on Configuration > Administration > Backups > Configuration.
The configuration backups display in a table format.
| Column / Field Name | Description |
|---|---|
| System | System chosen for backup. |
| Date | Date and time when the backup was run. |
| Backup | Backup category. Currently the only category is Configuration. |
| Type | Backup type. Supported values are Auto and Manual. |
| Version | Version of the USM Appliance system. |
| Size | Size of the backup file. |
| Download | Saves the backup file to your local machine. |
By default, USM Appliance sorts the backups by their time stamps, with the latest one at the top.
To look for a backup
- Use the search box at the upper left corner. Search fields are System (name or IP address), Date, or Type.
To download backups and store them locally
- Locate the backup you'd like to download.
- In the last column, click the download icon.
Sample backup file format:
configuration_VirtualUSMAllInOne_1429616586.tar.gz
Because the integer string represents epoch time, the backup with the highest number denotes the most recent one.
To delete one or more backups
- Select the backups by checking the square(s) to the left of each backup.
- Click the delete icon above the table, towards the right.