Back Up and Restore Raw Logs

Applies to Product: USM Appliance™ AlienVault OSSIM®

By default, USM Appliance stores raw logs in the file system until they are deleted. AlienVault recommends that you export these files to an offline persistent storage site periodically and remove them from USM Appliance manually. You can also configure the raw logs to expire after a certain time so USM Appliance can purge them from the system automatically.

Raw Logs Backup Configuration

To configure the expiration of raw logs:

  1. From the USM Appliance web interface, go to Configuration > Administration > Main > Backup.
  2. Change Logger Expiration to Yes.

    The Active Logger Window defaults to 365 (days). This value is the number of days to keep the logs; 0 means that the logs never expire.

  3. Change Active Logger Window to a suitable number based on your environment and your company's requirement.

    Configuration of the Raw Logs Backup

  4. Click Update Configuration.

Backing Up Raw Logs

USM Appliance stores raw logs in /var/ossim/logs and organizes them in this order: year, month, day, hour (UTC), and USM Appliance Sensor IP. For example, to find the raw logs reported by sensor 192.168.73.159 at 10 o'clock on August 5, 2016, go to /var/ossim/logs/2016/08/05/10/192.168.73.159.

To back up raw logs:

  1. Connect to the AlienVault Console through SSH and use your credentials to log in.

    The AlienVault Setup menu displays.

  2. On the AlienVault Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. On the command line, type the following command:

    screen

    We recommend using the screen session so that you can keep the program running even after you log out.

  4. For efficiency, use the rsync protocol to transfer the raw logs to the destination:

    Syntax:

    rsync -av --progress /src_folder_path <username>@<dest_ip_address>:<dest_folder_path>

    Example 1: Transferring raw logs of March 2017

    rsync -av --progress /var/ossim/logs/2017/03 root@10.10.10.10:/var/ossim/logs/2017

    Example 2: Transferring all raw logs of 2017

    rsync -av --progress /var/ossim/logs/2017 root@10.10.10.10:/var/ossim/logs

    Important: Leave out the trailing slash ('/') on the source so that the corresponding directory will be created at the destination.

The raw logs are transferred to the destination machine, in this case 10.10.10.10, and stored in its /var/ossim/logs directory.
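The following shell helpers are an added example, not part of the AlienVault documentation. They encode the two points from this section that are easy to get wrong by hand: the year/month/day/hour/sensor-IP directory layout, and the rule that the rsync source must carry no trailing slash so the directory itself is recreated at the destination. The function names, the argument order and the file-count comparison are assumptions made here; the rsync options are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the AlienVault documentation): helpers for the
# raw-log layout and the rsync backup step. Function names, argument order
# and the file-count check are assumptions made for this example.

LOG_ROOT=/var/ossim/logs

# raw_log_dir YEAR MONTH DAY HOUR SENSOR_IP
# Prints the directory USM Appliance uses for one sensor's logs in one UTC
# hour, following the year/month/day/hour/sensor-IP layout described above.
raw_log_dir() {
  printf '%s/%s/%s/%s/%s/%s\n' "$LOG_ROOT" "$1" "$2" "$3" "$4" "$5"
}

# strip_trailing_slash PATH
# Prints PATH without any trailing slashes ("/" itself is left alone).
strip_trailing_slash() {
  src=$1
  while [ "${src%/}" != "$src" ] && [ "$src" != "/" ]; do
    src=${src%/}
  done
  printf '%s\n' "$src"
}

# rsync_backup_cmd SRC USER HOST DEST
# Prints the rsync command line for one backup. The trailing slash is removed
# from SRC first, so rsync recreates the source directory under DEST instead
# of spilling its contents into DEST (the "Important" note above).
rsync_backup_cmd() {
  src=$(strip_trailing_slash "$1")
  printf 'rsync -av --progress %s %s@%s:%s\n' "$src" "$2" "$3" "$4"
}

# count_log_files DIR
# Prints the number of regular files under DIR. Run it on the appliance for
# the source tree and on the backup host for the copied tree; the two numbers
# should match before the local copy is purged.
count_log_files() {
  find "$1" -type f | wc -l | tr -d ' '
}

# Typical use on the appliance, inside the screen session from step 3:
#   eval "$(rsync_backup_cmd /var/ossim/logs/2017/03/ root 10.10.10.10 /var/ossim/logs/2017)"
#   count_log_files /var/ossim/logs/2017/03
```

Running `count_log_files` on both sides is the cheapest completeness check before the purge step; a mismatch usually means the transfer was interrupted or the trailing-slash rule was broken and the files landed one level higher than expected.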

Purging Raw Logs

After backing up the raw logs and transferring them to external storage, you need to remove them from USM Appliance manually.

To remove raw logs:

  1. Connect to the AlienVault Console through SSH and use your credentials to log in.

    The AlienVault Setup menu displays.

  2. Select Maintenance & Troubleshooting.
  3. Select Maintain Disk and Logs.
  4. Select Purge Logger Data.
  5. Select Delete logger entries older than a date.
  6. Enter a date in the YYYY/MM/DD format, then press Enter <OK>.

    USM Appliance will delete any raw logs older than the date specified.

Restoring Raw Logs

Before following the procedure below, you should have deployed the SAME version of USM Appliance. You should have transferred the backup files to the target system and placed them in the root directory.

You can also restore raw logs that were archived and purged from the same USM Appliance instance in the past.

To restore raw logs:

  1. Connect to the AlienVault Console through SSH and use your credentials to log in.

    The AlienVault Setup menu displays.

  2. On the AlienVault Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. On the command line, type the following command:

    screen

    We recommend using the screen session so that you can keep the program running even after you log out.

  4. If not done already, use the rsync protocol to transfer the raw logs to the /var/ossim/logs directory.

  5. Change ownership for raw logs.

    Using "Example 2: Transferring all raw logs of 2017" from the backup steps above, type

    chown -R www-data:alienvault /var/ossim/logs/searches

    chown -R avserver:alienvault /var/ossim/logs/2017

  6. Change permission for raw logs.

    Using "Example 2: Transferring all raw logs of 2017" from the backup steps above, type

    chmod -R 775 /var/ossim/logs/2017
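Steps 5 and 6 are easy to apply partially, for example when a second rsync run drops new files into an already-restored tree. The following shell snippet is an added example, not part of the AlienVault documentation: it applies the ownership and mode from the restore steps to a tree and then reports how many entries still deviate, so an operator can confirm the result before opening the logger view. The function names and the use of `find` as the check are assumptions made here; the owner, group and mode values are the ones from the steps above.

```shell
#!/bin/sh
# Added example (not from the AlienVault documentation): apply and verify the
# post-restore ownership and mode. Function names are assumptions made here;
# the owner/group/mode values in the usage comment come from the restore steps.

# check_raw_log_perms ROOT OWNER GROUP [MODE]
# Prints the number of entries under ROOT whose owner, group or (if MODE is
# given) exact mode differs from the expected values. 0 means consistent.
check_raw_log_perms() {
  root=$1; owner=$2; group=$3; mode=$4
  if [ -n "$mode" ]; then
    find "$root" \( ! -user "$owner" -o ! -group "$group" -o ! -perm "$mode" \) -print \
      | wc -l | tr -d ' '
  else
    find "$root" \( ! -user "$owner" -o ! -group "$group" \) -print \
      | wc -l | tr -d ' '
  fi
}

# fix_raw_log_perms ROOT OWNER GROUP [MODE]
# Recursively sets OWNER:GROUP (and MODE, if given) on ROOT, then prints the
# remaining deviation count from check_raw_log_perms. Returns non-zero if
# ROOT does not exist or chown/chmod fail.
fix_raw_log_perms() {
  root=$1; owner=$2; group=$3; mode=$4
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
  chown -R "$owner:$group" "$root" || return 1
  if [ -n "$mode" ]; then
    chmod -R "$mode" "$root" || return 1
  fi
  check_raw_log_perms "$root" "$owner" "$group" "$mode"
}

# Usage on the appliance, matching steps 5 and 6 for the 2017 backup
# (the searches directory only gets the ownership change in the steps above):
#   fix_raw_log_perms /var/ossim/logs/searches www-data alienvault
#   fix_raw_log_perms /var/ossim/logs/2017 avserver alienvault 775
```

A non-zero count after `fix_raw_log_perms` points at entries that could not be changed (for example, a file still being written by the transfer); re-run the check after the rsync session has finished rather than assuming the tree is complete.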