AlienVault® USM Appliance™

Back Up and Restore Alarms

Applies to Product: USM Appliance™ AlienVault OSSIM®

By default, USM Appliance keeps alarms in the database until you delete them manually. To save disk space, AlienVault recommends deleting alarms once they have been investigated or remediated, especially when an alarm turns out to be a false positive. You can also configure alarms to expire after a set number of days, after which USM Appliance purges them automatically.

Alarm Backup Configuration

To configure alarm expiration:

  1. From the USM Appliance web interface, go to Configuration > Administration > Main > Backup.
  2. Change Alarms Expire to Yes.

    The Alarms Lifetime defaults to 7 (days). This value refers to the number of days to keep the alarms. 0 means that the alarms never expire.

  3. Change Alarms Lifetime to a suitable number based on your environment and your company's requirement.

    (Screenshot: Configuration of the Alarms Backup)

  4. Click Update Configuration.

Once alarms reach the Alarms Lifetime, a daily job removes them from the database and writes a backup file to /var/lib/ossim/backup_alarm. The file is named alarm_restore_yyyy-mm-dd.sql.gz, one per day on which alarms expired.

Backing Up All the Alarms

To back up all the alarms on USM Appliance:

  1. Connect to the AlienVault Console through SSH and use your credentials to log in.

    The AlienVault Setup menu displays.

  2. On the AlienVault Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. On the command line, type the following command:

    screen

    Running the commands inside a screen session keeps them running even if your SSH connection drops or you log out.

  4. Stop the following services so that they do not interfere with the process:

    /etc/init.d/monit stop

    /etc/init.d/ossim-server stop

    /etc/init.d/ossim-agent stop

    /etc/init.d/ossim-framework stop

    /etc/init.d/alienvault-api stop

  5. Back up the alarms:

    mysqldump -p`grep ^pass /etc/ossim/ossim_setup.conf | sed 's/pass=//'` --no-autocommit --single-transaction alienvault event extra_data idm_data otx_data backlog_event backlog alarm component_tags alarm_ctxs alarm_nets alarm_hosts | pigz > alienvault-alarms-`date +%s`.sql.gz

    The `date +%s` in the file name adds an epoch time stamp, so each run produces a uniquely named file. Note that -p followed by the password places it on the mysqldump command line, where it is visible in the process list for the duration of the dump.

This procedure creates the file alienvault-alarms-<timestamp>.sql.gz in the current directory. It contains raw event and alarm data, so restrict its permissions (for example, chmod 600) and transfer it to the target system over an encrypted channel: an SFTP client such as WinSCP on Windows, or scp on Linux.

Restoring Alarms

You can restore all the alarms using the output file generated by the procedure above (alienvault-alarms-<timestamp>.sql.gz) or one of the daily backup files in /var/lib/ossim/backup_alarm.

Note: AlienVault recommends that you only restore the relevant alarms to avoid filling up the database.

Before following the procedure below, make sure the target system runs the SAME version of USM Appliance as the system the backup was taken from, and that you have transferred the backup files to the target system and placed them in the root directory.

To restore alarms:

  1. Connect to the AlienVault Console through SSH and use your credentials to log in.

    The AlienVault Setup menu displays.

  2. On the AlienVault Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. On the command line, type the following command:

    screen

    Running the commands inside a screen session keeps them running even if your SSH connection drops or you log out.

  4. Stop the following services so that they do not interfere with the process:

    /etc/init.d/monit stop

    /etc/init.d/ossim-server stop

    /etc/init.d/ossim-agent stop

    /etc/init.d/ossim-framework stop

    /etc/init.d/alienvault-api stop

  5. Restore the alarms:

    zcat alienvault-alarms-<timestamp>.sql.gz | ossim-db

  6. Restart all services so that the change takes effect:

    alienvault-reconfig -c -v -d
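The two procedures above (Backing Up All the Alarms and Restoring Alarms) as one shell script, added here as an example; it is not AlienVault's own tooling. The service names, table list, file locations and the ossim-db and alienvault-reconfig commands come from this page. The .sha256 sidecar file, the refusal to load files whose names do not match the two shapes this page produces, and the BACKUP_DIR and OSSIM_SETUP_CONF overrides are this script's own conventions. It also moves the database password out of the mysqldump command line into a mode-0600 option file, which is an assumption about your preference, not a step the page requires.

```shell
#!/bin/sh
# Added example, not AlienVault's own tooling: the page's backup and restore
# steps as reusable shell functions, with the checks the procedure leaves to
# the operator. The .sha256 sidecar and the env overrides are assumptions.
set -eu

OSSIM_SETUP_CONF="${OSSIM_SETUP_CONF:-/etc/ossim/ossim_setup.conf}"
BACKUP_DIR="${BACKUP_DIR:-/var/lib/ossim/backup_alarm}"

# Services to stop before touching the database, in the order the page lists them.
SERVICES="monit ossim-server ossim-agent ossim-framework alienvault-api"

# Tables that hold an alarm and the events behind it (same list as the page's mysqldump).
ALARM_TABLES="event extra_data idm_data otx_data backlog_event backlog alarm component_tags alarm_ctxs alarm_nets alarm_hosts"

# Database password from ossim_setup.conf: the first "pass=" line, the key the page greps for.
db_password() {
  sed -n 's/^pass=//p' "$1" | head -n 1
}

# Write a mode-0600 MySQL option file so the password is not on the mysqldump
# command line, where -p<password> is visible to anyone who can run ps.
write_defaults_file() {
  ( umask 077; printf '[client]\npassword=%s\n' "$(db_password "$1")" > "$2" )
  echo "$2"
}

# Dump file name with an epoch time stamp, as in the page's `date +%s` example.
backup_name() {
  printf 'alienvault-alarms-%s.sql.gz' "$1"
}

# Accept only the two file name shapes this page produces:
# alienvault-alarms-<epoch>.sql.gz and alarm_restore_yyyy-mm-dd.sql.gz.
is_backup_name() {
  case "$1" in
    alienvault-alarms-*.sql.gz)
      stamp="${1#alienvault-alarms-}"; stamp="${stamp%.sql.gz}"
      case "$stamp" in ''|*[!0-9]*) return 1 ;; esac ;;
    alarm_restore_[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].sql.gz) ;;
    *) return 1 ;;
  esac
  return 0
}

# Path of the daily expiry backup for one date (yyyy-mm-dd), so that only the
# alarms of that day are restored rather than every dump in the directory.
daily_backup_for() {
  f="$BACKUP_DIR/alarm_restore_$1.sql.gz"
  [ -f "$f" ] && echo "$f"
}

# Check a dump against its .sha256 sidecar before feeding it to ossim-db.
verify_checksum() {
  ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

stop_services() {
  for s in $SERVICES; do /etc/init.d/"$s" stop; done
}

backup_alarms() {
  out="$(backup_name "$(date +%s)")"
  raw="${out%.gz}"
  cnf="$(mktemp)"
  trap 'rm -f "$cnf"' EXIT        # never leave the password file behind, even on failure
  write_defaults_file "$OSSIM_SETUP_CONF" "$cnf" >/dev/null
  # --defaults-extra-file must be the first option on the mysqldump command line.
  mysqldump --defaults-extra-file="$cnf" --no-autocommit --single-transaction \
    alienvault $ALARM_TABLES > "$raw"
  pigz "$raw"                     # writes $out; with set -e we only get here if the dump succeeded
  chmod 600 "$out"                # the dump holds raw event data; keep it root-only
  sha256sum "$out" > "$out.sha256"
  echo "$out"
}

restore_alarms() {
  is_backup_name "$(basename "$1")" || { echo "refusing to load $1: not an alarm dump" >&2; return 1; }
  # Daily expiry files in BACKUP_DIR have no sidecar; only verify when one exists.
  if [ -f "$1.sha256" ]; then verify_checksum "$1"; fi
  zcat "$1" | ossim-db
}

case "${1:-}" in
  backup)  stop_services; backup_alarms ;;
  restore) stop_services; restore_alarms "$2"; alienvault-reconfig -c -v -d ;;
  *)       echo "usage: $0 backup | restore <file>" >&2 ;;
esac
```

Run it from inside a screen session as `./alarms.sh backup` on the source appliance and `./alarms.sh restore alienvault-alarms-<timestamp>.sql.gz` (or `./alarms.sh restore "$(daily_backup_for 2023-11-14)"`, a constructed date) on the target. The dump is written uncompressed first and then compressed with pigz rather than through a pipe, because a POSIX sh pipeline reports only the last command's exit status and a failed mysqldump would otherwise leave a valid-looking but empty .gz file.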