Restore JSA Configurations and Data

Restoring a backup archive is useful if you want to restore previously archived configuration files, offense data, and asset data on your JSA system.

Before you restore a backup archive, note the following considerations:

  • You can restore only a backup archive that was created on the same software release and the same software update level. For example, if you are running a JSA 7.5.0 update package, make sure that the backup archive was created on a Console that runs that same JSA 7.5.0 update package.

  • The restore process restores only your configuration information, offense data, and asset data. For more information, see "Restoring Data".

  • If the backup archive originated on a NATed Console system, you can restore only that backup archive on a NATed system.

  • You cannot complete a configuration restore on a console in which the IP address matches the IP address of a managed host in the backup.

If possible, before you restore a configuration backup, run an on-demand backup to preserve the current environment. The following is a high-level view of the configuration restore process:

  • Tomcat is shut down.

  • All system processes are shut down.

  • All files are extracted from the backup archive and restored to disk.

  • Database tables are restored.

  • All system processes are restarted.

  • Tomcat is restarted.

For more information about how to back up or restore an archive, see the following topics:

  • Restoring a Backup Archive

  • Restoring a Backup Archive Created on a Different JSA System

  • Restoring Data

  • Verifying Restored Data

  • Retrieving Backup Files Missing from the Disk

  • WinCollect Files are not Restored During a Configuration Restore

Note:

If you are restoring WinCollect data, you must install the WinCollect SFS that matches the version of WinCollect in your backup before you restore the configuration. For more information, see "WinCollect Files are not Restored During a Configuration Restore".

Restoring a Backup Archive

Restoring a backup archive is useful after a system hardware failure, or when you want to bring a replacement appliance up with the configuration of the original system.

You can restart the Console only after the restore process is complete.

The restore process can take up to several hours; the process time depends on the size of the backup archive that must be restored. When complete, a confirmation message is displayed.

A window provides the status of the restore process. This window provides any errors for each host and instructions for resolving the errors.

The following parameters are available in the Restore a Backup window:

Table 1: Restore a Backup Parameters

Name: The name of the backup archive.

Description: The description, if any, of the backup archive.

Type: The type of backup. Only configuration backups can be restored, so this parameter always displays config.

Select All Configuration Items: When selected, all configuration items are included in the restoration of the backup archive.

Restore Configuration: Lists the configuration items to include in the restoration of the backup archive. To exclude items, clear the check box for each item that you want to exclude, or clear the Select All Configuration Items check box.

Select All Data Items: When selected, all data items are included in the restoration of the backup archive.

Restore Data: Lists the data items to include in the restoration of the backup archive. All items are cleared by default. To restore data items, select the check box for each item that you want to restore.

  1. On the navigation menu, click Admin.

  2. In the System Configuration section, click Backup and Recovery.

  3. Select the archive that you want to restore.

  4. Click Restore.

  5. On the Restore a Backup window, configure the parameters.

    Select the Custom Rules Configuration check box to restore the rules and reference data that is used by apps. Select the Users Configuration check box to restore authorized tokens that are used by apps.

    The following table lists the restore configurations and what is included in each:

    Note:

    The content included in each configuration is not limited to the content that is listed.

    Custom Rules Configuration:

    • Rules

    • Reference Sets

    • Reference Data

    • Saved Searches

    • Forwarding Destinations

    • Routing Rules

    • Custom Properties

    • Historical Searches

    • Historical Rules

    • Retention Bucket Configuration

    Deployment Configuration:

    All content. If you select this option, it is recommended that you also select all other configuration options.

    Users Configuration:

    • Users

    • User Roles

    • Security Profiles

    • Authorized Services

    • Dashboards

    • User Settings

    • User Quick Searches

    License:

    • License keys

    • License Pool Allocations

    • License history

    Report Templates:

    Report templates. This does not include generated report content.

    System Settings:

    • System Settings

    • Asset Profiler Configuration

    QVM Scan profiles and results:

    QVM Scan profiles and results.

    Installed Applications Configuration:

    App configurations. This does not include app data. Apps that depend on authorized services might not work as expected if Users Configuration is not selected. When Installed Applications Configuration is selected, the Deployment Configuration group is auto-selected.

    Assets:

    Asset model. When Assets is selected, the Deployment Configuration group is auto-selected.

    Offenses:

    • Offense data

    • Offense associations (for example, QID links, rule links, or asset links)

    • Offense searches

    Note:

    When Offenses is selected, the Deployment Configuration group is auto-selected.

  6. Click Restore.

  7. Click OK.

  8. Click OK.

  9. Choose one of the following options:

    • If the user interface was closed during the restore process, open a web browser and log in to JSA.

    • If the user interface was not closed, the login window is displayed. Log in to JSA.

  10. Follow the instructions on the status window.

After you verify that your data is restored to your system, ensure that your DSMs, vulnerability assessment (VA) scanners, and log source protocols are also restored.

If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA cluster configuration after the restore is complete. If disk replication is enabled, the secondary host immediately synchronizes data after the system is restored. If the secondary host was removed from the deployment after a backup, the secondary host displays a failed status on the System and License Management window.

Restoring a Backup Archive Created on a Different JSA System

Each backup archive includes the IP address information of the system where it was created. When you restore a backup archive from a different JSA system, the IP address of the backup archive and the system that you are restoring are mismatched. You can correct the mismatched IP addresses.

You can restart the Console only after the restore process is complete. The restore process can take up to several hours; the process time depends on the size of the backup archive that must be restored. When complete, a confirmation message is displayed.

A window provides the status of the restore process, and provides any errors for each host and instructions for resolving the errors.

  1. On the navigation menu, click Admin.

  2. In the System Configuration section, click Backup and Recovery.

  3. Select the archive that you want to restore, and click Restore.

  4. On the Restore a Backup window, configure the following parameters and then click Restore.

    Table 2: Restore a Backup Parameters

    Select All Configuration Items: Indicates that all configuration items are included in the restoration of the backup archive. This check box is selected by default.

    Restore Configuration: Lists the configuration items to include in the restoration of the backup archive. All items are selected by default.

    Select All Data Items: Indicates that all data items are included in the restoration of the backup archive. This check box is selected by default.

    Restore Data: Lists the data items to include in the restoration of the backup archive. All items are cleared by default.

  5. Stop the iptables service on each managed host in your deployment. iptables is the Linux host firewall, and it must be stopped before the Console tests access to the hosts in the next step.

    1. Using SSH, log in to the managed host as the root user.

    2. For an App Host, type the following commands:

      • systemctl stop docker_iptables_monitor.timer

      • systemctl stop iptables

    3. For all other managed hosts, type the following command:

      service iptables stop

    4. Repeat for all managed hosts in your deployment.

  6. On the Restore a Backup window, click Test Hosts Access.

  7. After testing is complete for all managed hosts, verify that the status in the Access Status column indicates a status of OK.

  8. If the Access Status column indicates a status of No Access for a host, stop iptables on that host again, and then click Test Hosts Access again to retry the connection.

  9. On the Restore a Backup window, configure the parameters.

    Note:

    By selecting the Installed Applications Configuration check box, you restore the installed app configurations only. Extension configurations are not restored. Select the Deployment Configuration check box if you want to restore extension configurations.

  10. Click Restore.

  11. Click OK.

  12. Click OK to log in.

  13. Choose one of the following options:

    • If the user interface was closed during the restore process, open a web browser and log in to JSA.

    • If the interface was not closed, the login window is displayed. Log in to JSA.

  14. View the results of the restore process and follow the instructions to resolve any errors.

  15. Refresh your web browser window.

  16. From the Admin tab, select Advanced > Deploy Full Configuration.

    Note:

    JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.

  17. To re-enable iptables on an App Host, type the following command:

    systemctl start docker_iptables_monitor.timer

After you verify that your data is restored to your system, you must reapply RPMs for any DSMs, vulnerability assessment (VA) scanners, or log source protocols.

If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA cluster configuration after the restore is complete. If disk replication is enabled, the secondary host immediately synchronizes data after the system is restored. If the secondary host was removed from the deployment after a backup, the secondary host displays a failed status on the System and License Management window.
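Steps 5 and 17 above, as an added example that is not part of the JSA documentation: a shell script run from the Console that stops iptables on every managed host over SSH with the commands step 5 lists, and starts it again afterwards, reporting per host so that a partial stop is visible before you click Test Hosts Access. The hosts file format (one "IP role" line per host, with role app_host or managed_host), the SSH_CMD variable, and the managed-host start command (service iptables start, which the procedure does not show) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the JSA documentation. It drives step 5 (stop
# iptables on every managed host) and step 17 (re-enable it) from the console
# instead of logging in to each host by hand. The hosts file is a constructed
# format for this script, "IP role" per line with role app_host or
# managed_host; JSA does not produce such a file. The stop commands are the
# ones the procedure lists. The start command for a managed host,
# "service iptables start", is this script's assumption: the procedure only
# shows the App Host case. Point SSH_CMD at "echo" for a dry run.

SSH_CMD="${SSH_CMD:-ssh -o BatchMode=yes -o ConnectTimeout=10 -l root}"

# iptables_cmds ROLE ACTION
# Prints the commands for ACTION (stop|start) on a host of ROLE, one per
# line. Returns 1 for a role or action it does not know.
iptables_cmds() {
    case "$1:$2" in
        app_host:stop)
            printf '%s\n' 'systemctl stop docker_iptables_monitor.timer' \
                          'systemctl stop iptables' ;;
        app_host:start)
            printf '%s\n' 'systemctl start docker_iptables_monitor.timer' ;;
        managed_host:stop)
            printf '%s\n' 'service iptables stop' ;;
        managed_host:start)
            printf '%s\n' 'service iptables start' ;;   # assumption, see above
        *)  return 1 ;;
    esac
}

# run_on_hosts HOSTFILE ACTION
# Runs the commands for ACTION on every host listed in HOSTFILE and prints
# "ok HOST", "failed HOST" or "skipped HOST (...)". Returns 0 only when
# every host succeeded.
run_on_hosts() {
    local file="$1" action="$2" host role cmds cmd ok failed=0
    while read -r host role _ || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        if ! cmds=$(iptables_cmds "$role" "$action"); then
            printf 'skipped %s (unknown role %s)\n' "$host" "$role"
            failed=$((failed + 1))
            continue
        fi
        ok=1
        # The inner loop reads from a here-document and ssh gets /dev/null,
        # so neither can swallow the rest of HOSTFILE on the outer loop's stdin.
        while IFS= read -r cmd; do
            $SSH_CMD "$host" "$cmd" < /dev/null || ok=0
        done << EOF
$cmds
EOF
        if [ "$ok" -eq 1 ]; then
            printf 'ok %s\n' "$host"
        else
            printf 'failed %s\n' "$host"
            failed=$((failed + 1))
        fi
    done < "$file"
    [ "$failed" -eq 0 ]
}

# Usage: sh this_script.sh HOSTFILE stop|start
if [ "$#" -eq 2 ]; then
    run_on_hosts "$1" "$2"
fi
```

Run the stop action before step 6, check that every host printed ok, and run the start action after the full configuration deploy in step 16. Hosts whose role is unknown are skipped rather than guessed at, so a host left out of the file or mistyped shows up as a non-zero exit rather than as a silently firewalled host.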

Restoring Data

You can restore the data on your JSA Console and managed hosts from backup files. The data portion of the backup files includes information such as source and destination IP address information, asset data, event category information, vulnerability data, flow data, and event data.

Each managed host in your deployment, including the JSA Console, creates all backup files in the /store/backup/ directory. Your system might include a /store/backup mount from an external SAN or NAS service. External services provide long-term, offline retention of data, which is commonly required by compliance regulations such as PCI.

Note:

If you are restoring data on a new JSA Console, the configuration backup must be restored before you restore the data backup.

Ensure that the following conditions are met:

  • You know the location of the managed host where the data is backed up.

  • If your deployment includes a separate mount point for that volume, the /store or /store/ariel directory has sufficient space for the data that you want to recover.

  • You know the date and time for the data that you want to recover.

  • If your configuration has been changed, before you restore the data backup, you must restore the configuration backup.

  1. Use SSH to log in to JSA as the root user.

  2. Go to the /store/backup directory.

  3. To list the backup files, type the following command:

    ls -l

  4. If backup files are listed, go to the root directory by typing the following command:

    cd /

    Note:

    The restored files must be in the /store directory. If you type cd instead of cd /, the files are restored to the /root/store directory.

  5. To extract the backup files to their original directory, type the following command:

    tar -zxpvPf /store/backup/backup.<name>.<hostname_hostID>.<target date>.<backup type>.<timestamp>.tgz

    Table 3: Description Of File Name Variables

    name: The name of the backup.

    hostname_hostID: The name of the JSA system that hosts the backup file, followed by the identifier for the JSA system.

    target date: The date that the backup file was created, in the format day_month_year.

    backup type: Either data or config.

    timestamp: The time that the backup file was created.

Daily backup of data captures all data on each host. If you want to restore data on a managed host that contains only event or flow data, only that data is restored to that host. If you want to maintain the restored data, increase your data retention settings to prevent the nightly disk maintenance routines from deleting your restored data.
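The listing and extraction steps above, as an added example that is not part of the JSA documentation: a POSIX shell script that parses the file-name layout from Table 3, lists the data archives in /store/backup for a given date, and refuses to extract unless the archive really is a data backup, the shell is in / (the cd pitfall in step 4), and /store has room. The BACKUP_DIR, STORE_DIR and DRY_RUN variables and the sample file names it is exercised with are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the JSA documentation. It selects a data backup
# archive from the backup directory by type and date and extracts it with
# the checks the procedure above depends on (shell is in /, free space under
# /store) done up front. It assumes the file-name layout the documentation
# gives:
#   backup.<name>.<hostname>_<hostID>.<day_month_year>.<data|config>.<timestamp>.tgz
# BACKUP_DIR, STORE_DIR and DRY_RUN are this script's own knobs so it can be
# tried on a constructed directory; on a console leave them at their defaults.

BACKUP_DIR="${BACKUP_DIR:-/store/backup}"
STORE_DIR="${STORE_DIR:-/store}"
DRY_RUN="${DRY_RUN:-0}"

# parse_backup_name FILE
# Prints "name hostname_hostID date type timestamp", or returns 1 when FILE
# does not follow the layout. Fields are peeled off from the right, so a
# backup name that itself contains dots still parses.
parse_backup_name() {
    local base rest dots ts type date host
    base=$(basename -- "$1")
    case "$base" in backup.*.tgz) ;; *) return 1 ;; esac
    rest="${base#backup.}"; rest="${rest%.tgz}"
    dots=$(printf '%s' "$rest" | tr -cd '.' | wc -c)
    [ "$((dots + 0))" -ge 4 ] || return 1
    ts="${rest##*.}";   rest="${rest%.*}"
    type="${rest##*.}"; rest="${rest%.*}"
    date="${rest##*.}"; rest="${rest%.*}"
    host="${rest##*.}"; rest="${rest%.*}"
    case "$type" in data|config) ;; *) return 1 ;; esac
    case "$ts" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s %s %s %s\n' "$rest" "$host" "$date" "$type" "$ts"
}

# list_backups TYPE [DAY_MONTH_YEAR]
# Prints the archives in BACKUP_DIR of that type (and date, if given), one
# per line, oldest timestamp first. Files that do not parse are skipped.
list_backups() {
    local want_type="$1" want_date="${2:-}" f fields
    for f in "$BACKUP_DIR"/backup.*.tgz; do
        [ -e "$f" ] || continue
        fields=$(parse_backup_name "$f") || continue
        set -- $fields
        [ "$4" = "$want_type" ] || continue
        [ -z "$want_date" ] || [ "$3" = "$want_date" ] || continue
        printf '%s %s\n' "$5" "$f"
    done | sort -n | cut -d' ' -f2-
}

# restore_data_backup FILE
# Refuses to run unless FILE is a data backup, the shell is in / (the cd
# pitfall in step 4 above), and STORE_DIR has at least as much free space as
# the archive takes on disk (a floor only, since the archive is compressed).
# Then extracts with the same tar flags as the procedure.
restore_data_backup() {
    local f="$1" fields size_kb free_kb
    if ! fields=$(parse_backup_name "$f"); then
        echo "not a JSA backup archive: $f" >&2; return 1
    fi
    set -- $fields
    if [ "$4" != "data" ]; then
        echo "refusing: $f is a $4 backup; restore configuration from the Backup and Recovery page" >&2; return 1
    fi
    if [ "$(pwd)" != "/" ]; then
        echo "refusing: run 'cd /' first, otherwise files land under $(pwd)/store" >&2; return 1
    fi
    size_kb=$(du -k -- "$f" | cut -f1)
    free_kb=$(df -Pk "$STORE_DIR" | awk 'NR == 2 { print $4 }')
    if [ "$free_kb" -lt "$size_kb" ]; then
        echo "refusing: $STORE_DIR has ${free_kb}K free, archive is ${size_kb}K" >&2; return 1
    fi
    if [ "$DRY_RUN" = "1" ]; then
        echo "would run: tar -zxpvPf $f"
        return 0
    fi
    tar -zxpvPf "$f"
}

# Usage: sh restore_data.sh list data [DAY_MONTH_YEAR]
#        cd / && sh restore_data.sh restore /store/backup/ARCHIVE.tgz
case "${1:-}" in
    list)    list_backups "$2" "${3:-}" ;;
    restore) restore_data_backup "$2" ;;
esac
```

The free-space check compares against the compressed archive size, so it only catches the obvious cases; the extracted data is larger. The type check exists because a config archive restored with tar bypasses the database restore that the Backup and Recovery page performs.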

Verifying Restored Data

Verify that your data is restored correctly in JSA.

  1. To verify that the files are restored, review the contents of one of the restored directories by typing one of the following commands:

    cd /store/ariel/flows/payloads/<yyyy/mm/dd>

    cd /store/ariel/events/payloads/<yyyy/mm/dd>

    You can view the restored directories that are created for each hour of the day. If directories are missing, data might not be captured for that time period.

  2. Verify that the restored data is available.

    1. Log in to the JSA interface.

    2. Click the Log Activity or Network Activity tab.

    3. Select Edit Search from the Search list on the toolbar.

    4. In the Time Range pane of the Search window, select Specific Interval.

    5. Select the time range of the data you restored and then click Filter.

    6. View the results to verify the restored data.

    7. If your restored data is not available in the JSA interface, verify that data is restored in the correct location and file permissions are correctly configured.

      Restored files must be in the /store directory. If you typed cd instead of cd / when you extracted the restored files, check the /root/store directory for the restored files. If you did not change directories before you extracted the restored files, check the /store/backup/store directory for the restored files.

      Typically, files are restored with the original permissions. However, if the files are not owned by the root user account, issues might occur. The correct ownership of directories and files in /store/ariel/events/payloads and /store/ariel/flows/payloads is root:root. If the files and folders do not have the correct ownership, change the ownership by using the chown command.

      The correct permissions of directories and files in /store/ariel/events/payloads and /store/ariel/flows/payloads are 755 for folders and 644 for files. If the files and folders do not have the correct permissions, change the permissions by using the chmod command.

After you have verified that your data is restored, you must complete an auto update in JSA. The auto update ensures that DSMs, vulnerability assessment (VA) scanners, and log source protocols are at the latest version.
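Steps 1 and 2.7 above, as an added example that is not part of the JSA documentation: a shell script that reports which hour directories are missing under a restored payload day and which entries have the wrong ownership or mode, and repairs the ownership and mode problems with chown and chmod when FIX=1. The hour-directory naming (0 to 23, zero-padded or not), the EXPECT_OWNER and EXPECT_GROUP variables, and the constructed tree it is exercised on are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the JSA documentation. It checks one restored
# day of ariel payload data for the three things steps 1 and 2.7 above look
# at: an hour directory for each hour, ownership root:root, and modes 755
# on directories and 644 on files. With FIX=1 it applies the chown/chmod the
# documentation tells you to run. Hour directories are assumed to be named
# 0..23, unpadded or zero-padded. EXPECT_OWNER and EXPECT_GROUP exist so the
# check can be tried as a non-root user on a constructed tree; on a console
# leave them at root.

EXPECT_OWNER="${EXPECT_OWNER:-root}"
EXPECT_GROUP="${EXPECT_GROUP:-root}"
FIX="${FIX:-0}"

# missing_hours DAYDIR
# Prints the hours 0-23 that have no directory under DAYDIR, space separated.
missing_hours() {
    local dir="$1" h=0 out=""
    while [ "$h" -le 23 ]; do
        if [ ! -d "$dir/$h" ] && [ ! -d "$dir/$(printf '%02d' "$h")" ]; then
            out="$out $h"
        fi
        h=$((h + 1))
    done
    printf '%s\n' "${out# }"
}

# bad_entries DAYDIR
# Prints "owner PATH", "dirmode PATH" or "filemode PATH" for every entry
# that does not match the expected ownership or mode; nothing when clean.
bad_entries() {
    local dir="$1"
    find "$dir" \( ! -user "$EXPECT_OWNER" -o ! -group "$EXPECT_GROUP" \) -exec printf 'owner %s\n' {} \;
    find "$dir" -type d ! -perm 755 -exec printf 'dirmode %s\n' {} \;
    find "$dir" -type f ! -perm 644 -exec printf 'filemode %s\n' {} \;
}

# check_payload_day DAYDIR
# DAYDIR is /store/ariel/events/payloads/yyyy/mm/dd or the flows equivalent.
# Prints one line per problem ("missing-hour N" or a bad_entries line) and
# returns 0 only when the day is clean. Ownership and mode problems are
# repaired first when FIX=1; missing hours cannot be repaired here, they mean
# the backup had no data for that hour or it was not restored.
check_payload_day() {
    local dir="$1" h bad problems=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ "$FIX" = "1" ]; then
        find "$dir" \( ! -user "$EXPECT_OWNER" -o ! -group "$EXPECT_GROUP" \) \
            -exec chown "$EXPECT_OWNER:$EXPECT_GROUP" {} +
        find "$dir" -type d ! -perm 755 -exec chmod 755 {} +
        find "$dir" -type f ! -perm 644 -exec chmod 644 {} +
    fi
    for h in $(missing_hours "$dir"); do
        printf 'missing-hour %s\n' "$h"
        problems=$((problems + 1))
    done
    bad=$(bad_entries "$dir")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        problems=$((problems + $(printf '%s\n' "$bad" | wc -l)))
    fi
    [ "$problems" -eq 0 ]
}

# Usage: [FIX=1] sh check_payload_day.sh /store/ariel/events/payloads/yyyy/mm/dd
if [ "$#" -eq 1 ]; then
    check_payload_day "$1"
fi
```

Run it once without FIX to see what is wrong, and once with FIX=1 to apply the documented chown and chmod. A missing hour that the backup did contain points at the wrong extraction directory (/root/store or /store/backup/store, as step 2.7 explains) rather than at permissions.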

Retrieving Backup Files Missing from the Disk

When the backup files are missing from the disk, the respective backup table entry on the Backup and Recovery page is marked with an exclamation icon to show that the file is not retrievable. Files that are missing cannot be downloaded or restored. This issue can occur when you are using external storage that is no longer available, or is offline.

  1. On the Admin tab, click Backup and Recovery.

  2. If the external storage is offline or no longer available, delete the table entry by using the Delete option at the top of the Backup and Recovery page.

    Note:

    If you are not expecting this behavior and are using external storage for your backup archive location, investigate whether the storage system is still accessible. If it is offline, and you are able to restore the directory, the indicator icons are automatically updated and removed when the system detects the restored files.

  3. On the Backup and Recovery page, click Configure and take note of the Backup Repository Path.

  4. Make the files accessible again by fixing the external mount or by restoring the missing files to the Backup Repository Path, and then log out of JSA and log back in.

  5. Refresh the Backup and Recovery page to synchronize the backups.

WinCollect Files are not Restored During a Configuration Restore

When you complete a configuration restore and some WinCollect files are not restored, it might be because the installation ISO contains a previous version of WinCollect.

The JSA ISO contains a built-in version of WinCollect. When you rebuild a system from that ISO and then restore, the WinCollect files from the ISO are deployed rather than the files from your backup.

To remedy this issue, you must install the WinCollect SFS that matches the version of WinCollect in your backup before you restore the configuration. Perform the following tasks in this order:

  • Perform JSA backup.

  • Bring new hardware online and deploy the ISO.

  • Install the WinCollect SFS that matches the version of WinCollect in your backup on the Console.

  • Restore the configuration backup.

The appropriate WinCollect files are deployed with the configuration restore.