Migrate Your USM Appliance Deployment

Applies to Product: USM Appliance™ LevelBlue OSSIM®

In some scenarios, such as disaster recovery, upgrades, or platform changes, you may choose to move your deployed USM Appliance to a new platform or deployment.

You need to apply a new license when migrating from one USM Appliance hardware to another, such as a RMA. The replacement license key will be provided when the new hardware ships.

If you are migrating from a USM Appliance hardware to a virtual machine, or from one virtual platform to another (VMware to Hyper-V or VMware to AWS), the license may only need to be reset. In such cases you can contact LevelBlue Support to obtain the appropriate image, and have your license reset so that it can be applied to the new installation.

Migrating your USM Appliance deployment consists of two tasks:

USM Appliance does not provide a tool to back up the system as a whole. You need to back up your data and system configurations separately, and then transfer them to the other USM Appliance deployment for restoration.

To back up your USM Appliance deployment

  1. Generate a configuration backup from the web UI. For instructions, see Backing Up Configurations.

    Note: You need to perform the following steps from the command line, through the LevelBlue Console.

  2. Connect to the LevelBlue Console through SSH and use your credentials to log in.

    The LevelBlue Setup menu displays.

  3. On the LevelBlue Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  4. On the command line, type the following command:

    screen

    We recommend using the screen session so that you can keep the program running even after you log out.

  5. Stop the following services so that they do not interfere with the process:

    /etc/init.d/monit stop

    /etc/init.d/ossim-server stop

    /etc/init.d/ossim-agent stop

    /etc/init.d/ossim-framework stop

    /etc/init.d/alienvault-api stop

  6. Back up the alarms:

    mysqldump -p`grep ^pass /etc/ossim/ossim_setup.conf | sed 's/pass=//'` --no-autocommit --single-transaction alienvault event extra_data idm_data otx_data backlog_event backlog alarm component_tags tag alarm_ctxs alarm_nets alarm_hosts | pigz > alienvault-alarms-`date +%s`.sql.gz

    Adding `date +%s` to the filename gives it a unique time stamp.

  7. Back up the events:

    Note: The example below illustrates how to transfer files from USM Appliance to a machine on your network. If you have the new USM Appliance instance already deployed, you can transfer the files to the new system directly.

    This step involves two parts:

    1. Back up the events in the database:

      mysqldump -p`grep ^pass /etc/ossim/ossim_setup.conf | sed 's/pass=//'` --no-autocommit --single-transaction --databases alienvault_siem | pigz > alienvault-events-`date +%s`.sql.gz

      Adding `date +%s` to the filename gives it a unique time stamp.

    2. Using the rsync protocol, transfer the old events to the destination:

      Syntax:

      rsync -av --progress /src_folder_path <username>@<dest_ip_address>:<dest_folder_path>

      Example:

      rsync -av --progress /var/lib/ossim/backup root@10.10.10.10:/var/lib/ossim

      Important: Leave out the trailing slash ('/') on the source so that the corresponding directory will be created at the destination.

  8. Back up MongoDB:

    1. Back up the MongoDB database and create the dump directory:

      mongodump --host localhost

    2. Compress the file:

      tar cvfz alienvault-mongodb-`date +%s`.tgz dump

      Adding `date +%s` to the filename gives it a unique time stamp.

    3. Remove the dump directory:

      rm -rf ./dump

  9. Back up NetFlow Data, if using:

    tar czf alienvault-netflow-`date +%s`.tgz /var/nfsen /var/cache/nfdump

    Adding `date +%s` to the filename gives it a unique time stamp.

  10. Back up the Raw Logs:

    Note: The example below illustrates how to transfer files from USM Appliance to a machine on your network. If you have the new USM Appliance instance already deployed, you can transfer the files to the new system directly.

    For efficiency, use the rsync protocol to transfer the raw logs to the destination:

    Syntax:

    rsync -av --progress /src_folder_path <username>@<dest_ip_address>:<dest_folder_path>

    Example 1: Transferring raw logs of March 2017

    rsync -av --progress /var/ossim/logs/2017/03 root@10.10.10.10:/var/ossim/logs/2017

    Example 2: Transferring all raw logs of 2017

    rsync -av --progress /var/ossim/logs/2017 root@10.10.10.10:/var/ossim/logs

    Important: Leave out the trailing slash ('/') on the source so that the corresponding directory will be created at the destination.

  11. At this step, you have produced the following files:

    /root/alienvault-alarms-<timestamp>.sql.gz

    /root/alienvault-events-<timestamp>.sql.gz

    /root/alienvault-mongodb-<timestamp>.tgz

    /root/alienvault-netflow-<timestamp>.tgz

    You should also have a file similar to below generated by the configuration backup:

    /var/alienvault/backup/configuration_<hostname>_<timestamp>.tar.gz

  12. Transfer all backup files to your new USM Appliance deployment or an interim system. You can use either an SFTP client on Windows, such as WinSCP; or the SCP protocol on Linux.

Before following the procedure below, you should have deployed the SAME version of USM Appliance. You should have transferred the backup files to the target system and place them in the root directory.

Important: If you are restoring USM Appliance to a different platform such as from VMware to Hyper-V, you must acquire a new license. Please contact LevelBlue Support for your request.

To restore your USM Appliance deployment

  1. Connect to the LevelBlue Console through SSH and use your credentials to log in.

    The LevelBlue Setup menu displays.

  2. On the LevelBlue Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. On the command line, type the following command:

    screen

    We recommend using the screen session so that you can keep the program running even after you log out.

  4. Stop the following services so that they do not interfere with the process:

    /etc/init.d/monit stop

    /etc/init.d/ossim-server stop

    /etc/init.d/ossim-agent stop

    /etc/init.d/ossim-framework stop

    /etc/init.d/alienvault-api stop

  5. Restore the alarms:

    zcat alienvault-alarms-<timestamp>.sql.gz | ossim-db

  6. Restore the events:

    1. Restore events into the database:

      zcat alienvault-events-<timestamp>.sql.gz | ossim-db

    2. If not done already, use the rsync protocol to transfer the event backup files to /var/lib/ossim directory.

    3. Change permission on event backup files:

      chown root:alienvault /var/lib/ossim/backup

      chown root:root /var/lib/ossim/backup/*

  7. Restore MongoDB:

    1. Extract the file:

      tar xvzf alienvault-mongodb-<timestamp>.tgz

    2. Restore the backup file

      mongorestore --db inventory dump/inventory

    3. Remove the dump directory:

      rm -rf ./dump

  8. Restore NetFlow data, if using:

    1. Extract the backup file into the '/' directory:

      tar xvzf alienvault-netflow-<timestamp>.tgz -C /

    2. Update file permissions:

      tar tvzf alienvault-netflow-<timestamp>.tgz | tr -s ' ' > /root/file_list

      ulimit -s 65536

      cd /

      for i in `cat /root/file_list | cut -f2 -d" " | sort -u`; do user=`echo $i | cut -f1 -d"/"`; group=`echo $i | cut -f2 -d"/"`; chown $user:$group `grep $i root/file_list | cut -f6 -d" " | xargs`; done

      ulimit -s 8192

  9. Restore Raw Logs:

    1. If not done already, use the rsync protocol to transfer the raw logs to /var/ossim/logs directory.

    2. Change ownership for raw logs.

      Using "Example 2: Transferring all raw logs of 2017" from the backup steps above, type

      chown -R www-data:alienvault /var/ossim/logs/searches

      chown -R avserver:alienvault /var/ossim/logs/2017

    3. Change permission for raw logs.

      Using "Example 2: Transferring all raw logs of 2017" from the backup steps above, type

      chmod -R 775 /var/ossim/logs/2017

  10. Restore system configurations:

    1. Copy or move the configuration backup file to the /var/alienvault/backup directory.
    2. Type exit and then press Enter to return to the LevelBlue Setup menu.
    3. Select Maintenance & Troubleshooting.
    4. Select Backups.
    5. Select Restore configuration backup.

    6. Select the backup file you want to restore, click <OK> or press Enter.

    7. Select <Yes> to continue.

    8. Enter the password used to encrypt the backup files.

      The restoration process starts.

      After the process finishes, the system restarts automatically.

      Note: Your SSH connection will drop if the IP address of USM Appliance changes as a result of the restoration.

    9. Log in to display the LevelBlue Setup menu again.
    10. Select System Preferences.

    11. Select Reset LevelBlue API Key.

      To find out more, see Reset the AlienVault API Key.

  11. Return to the LevelBlue Setup main menu, select Reboot Appliance, click <OK> or press Enter.