|Applies to Product:||USM Appliance™||AlienVault OSSIM®|
USM Appliance uses internal caches to ensure that communication interruptions between the USM Appliance Sensor and USM Appliance Server do not result in event loss. The USM Appliance Sensor collects parsed log data using the agent_event cache, which is stored in /var/ossim/agent_events/, to ensure data consistency. If a sensor loses connectivity to the server, it will continue to write to these cache files to prevent event loss. Once the sensor reconnects, it will begin forwarding from this cache again, submitting events to the server for correlation.
USM Appliance Server, on the other hand, stores security events in two different tables:
- Event table — all security events
- Alarm table — security events associated with alarms only
The backup and restore procedure described below only affects the event table. The events in the alarm table remain unchanged, therefore they remain visible in the alarm that they are associated with.
By default, USM Appliance stores security events for up to 90 days or 40 million events. When either limit is reached, USM Appliance purges older events from the database to save disk space. You can change those limits based on how many events you receive every day. You can also filter events through policies. For instructions, see
Event backups are enabled by default. In USM Appliance version 5.4, AlienVault added a new parameter, backup_events_min_free_disk_space, to set the minimum free disk space required for event backup to take place. The default is 10%. If the free disk space on the system is less than this setting, event backup will not start.
To change any of the default values for event backups:
- From the USM Appliance web UI, go to Configuration > Administration > Main > Backup.
Change the Allowed free disk space for the SIEM backups, if desired.
Available values are 10% and 15%. Default is 10%.
Change the Number of Backup files to keep in the filesystem, if desired.
USM Appliance keeps one backup file per day for event backups. Default is 30.
Change the number of days to keep events in the database, if desired.
0 means that there are no backup for events. Default is 90.
Alternatively, change the number of events you want to keep, if desired.
0 means that there is no limit to store events in the database. Default is 40,000,000
Important: AlienVault discourages setting either limit to 0 because you may soon run out of disk space.
- Click Update Configuration.
USM Appliance backs up events every day and place the backup files in /var/lib/ossim/backup. By default, it keeps 30 backup files, which correspond to 30 days of events. You can restore the events generated on a certain day.
Important: If you are running USM Appliance version 5.6 or later, you cannot restore event backup files from an earlier version. This is due to a schema change in the SIEM database introduced in USM Appliance version 5.6, making the backup files from earlier versions incompatible.
To restore events from the USM Appliance web UI:
- Go to Configuration > Administration > Backups > Events.
Select the date you want to restore.
- Click Restore.
You can click View Backup Logs to see the latest logs concerning backups. For example:
If the Dates to Restore is empty, that means all events are already in the SIEM database. You shall see the dates listed under Dates in Database instead.