Back Up and Restore NetFlow Data

Applies to Product: USM Appliance™, LevelBlue OSSIM®

NetFlow is a protocol designed and published by Cisco Systems that has become the accepted industry standard for recording and transmitting information about network flows. Through LevelBlue USM Appliance you can back up and restore the information about flows in a network.

NetFlow Data Backup Configuration

To configure the backup of NetFlow data

  1. From the USM Appliance web interface, go to Configuration > Administration > Main > Backup.
  2. Set the number of days to store flows in the Active NetFlow Window field. Default is 45 days.

    NetFlow Data Configuration

  3. Click Update Configuration.

Backing Up NetFlow Data

To back up NetFlow data

  1. Connect to the LevelBlue Console through SSH and use your credentials to log in.

    The LevelBlue Setup menu displays.

  2. On the LevelBlue Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. On the command line, type the following command:

    screen

    We recommend using a screen session so that the program keeps running even after you log out.

  4. Run the following command:

    tar czf alienvault-netflow-`date +%s`.tgz /var/nfsen /var/cache/nfdump

    Adding `date +%s` to the filename gives it a unique time stamp.

This procedure creates the alienvault-netflow-<timestamp>.tgz file. Transfer the file to the target system. You can use either an SFTP client on Windows, such as WinSCP, or the SCP protocol on Linux.

Restoring NetFlow Data

Before following the procedure below, you should have deployed the same version of USM Appliance. You should have transferred the backup files to the target system and placed them in the root directory.

To restore NetFlow data

  1. Connect to the LevelBlue Console through SSH and use your credentials to log in.

    The LevelBlue Setup menu displays.

  2. On the LevelBlue Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. On the command line, type the following command:

    screen

    We recommend using a screen session so that the program keeps running even after you log out.

  4. Stop the following services so that they do not interfere with the process:

    /etc/init.d/monit stop

    /etc/init.d/ossim-server stop

    /etc/init.d/ossim-agent stop

    /etc/init.d/ossim-framework stop

    /etc/init.d/alienvault-api stop

  5. Extract the backup file into the '/' directory:

    tar xvzf alienvault-netflow-<timestamp>.tgz -C /

  6. Update file permissions:

    tar tvzf alienvault-netflow-<timestamp>.tgz | tr -s ' ' > /root/file_list

    ulimit -s 65536

    cd /

    # Columns in /root/file_list after tr: perms user/group size date time path
    for i in `cat /root/file_list | cut -f2 -d" " | sort -u`; do
        user=`echo $i | cut -f1 -d"/"`
        group=`echo $i | cut -f2 -d"/"`
        chown $user:$group `grep $i root/file_list | cut -f6 -d" " | xargs`
    done

    ulimit -s 8192

  7. Restart all services for changes to apply:

    alienvault-reconfig -c -v -d
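The ownership step of the restore (step 6) works by parsing the tar listing in /root/file_list. As an added example that is not part of the LevelBlue procedure, the following shell snippet does the same parsing with awk, keeping paths that contain spaces intact and handling symlink entries; it assumes GNU tar's verbose listing format and uses a constructed listing in place of /root/file_list.

```shell
# Added example (not LevelBlue's own code): derive the chown commands for
# step 6 from a `tar tvzf` listing without truncating paths that contain
# spaces (the cut/xargs one-liner stops at the first space in a path).
# Assumption: GNU tar's verbose format "perms user/group size date time path".

# Constructed sample listing standing in for /root/file_list.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x www-data/www-data 0 2024-01-15 10:00 var/nfsen/
-rw-r--r-- www-data/www-data 1234 2024-01-15 10:00 var/nfsen/profiles-data/live/flow.dat
-rw-r--r-- root/root 55 2024-01-15 10:00 var/cache/nfdump/my capture.nfcapd
lrwxrwxrwx root/root 0 2024-01-15 10:00 var/nfsen/link -> /var/cache/nfdump
EOF
}

# Reads a tar listing on stdin and prints one chown command per user:group,
# with every path quoted. Review the output, then pipe it to sh to apply.
ownership_commands() {
    awk '
    {
        owner = $2                  # "user/group" as written by tar
        sub("/", ":", owner)        # -> "user:group" for chown
        path = $0
        for (i = 1; i <= 5; i++) sub(/^[^ ]+ +/, "", path)  # strip the 5 leading fields
        sub(/ -> .*$/, "", path)    # drop a symlink target
        sub("/$", "", path)         # directories end in "/"
        if (path == "") next
        paths[owner] = paths[owner] " \"/" path "\""
    }
    END {
        for (o in paths) printf "chown %s%s\n", o, paths[o]
    }' | sort
}

# Usage on the appliance: ownership_commands < /root/file_list
```

Each printed line can be checked against the expected owners before applying it, which is safer than running chown directly on a list built with xargs.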