Database Backup Folder - /var/lib/ossim/backup/


Big Time
Hey Experts,

I would like to know a bit more about the files stored in the /var/lib/ossim/backup/ folder.

From my understanding there are 4 types of files:
  • delete files: Are these the delete queries executed during the backup process to clear the database? Why are they stored?
  • Insert files: Are these the insert files created for ossim to use in case of a restore? Are they essential for the restore to work?
  • If there is an update that changes the database architecture, are these files updated?
I am asking because I've been asked here at work to maintain database backups for 5 years. I was thinking about using the Netbackup system to do this, but it would move these files to a separate server and they would not be accessible by ossim, and I do not know if this would cause any impact on the OSSIM backup/restoration process.

Thanks a lot!


  • Buddies, any idea on this?

    Can I back up the database files without harming the restoration process by "moving" them to another server?

    Tks again!

  • edited March 2014
    • The delete queries are what happen when you select a date under Dates in Database and click the purge button. It essentially runs the SQL file within that tar.gz file.
    • Insert is selecting the date(s) under Dates to Restore and clicking the restore button. The insert files contain all SIEM data for the pertinent day.
    • The ossim-backup logs are the alienvault configuration settings, essentially everything under the alienvault table. If for some reason you need to restore your server from scratch, you would do a complete reinstall with the exact same version, and restore the latest ossim-backup to the database. This will restore things like correlation directives, custom reports, etc. On another note, you can tell that these backups are succeeding by watching the Backup System Logs window on the right.
    With all that said, you can safely move the files and move them back if you need to restore. Alienvault actually queries the folder that the backup files are in to see what data you can restore. This means, if you remove something, it's no longer on the screen. If you add it back and refresh, you'll see them again.
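
The move-out and move-back workflow described in the reply above, as an added example that is not part of the original post and is not AlienVault's own tooling: it copies the backup files to an archive location with a SHA-256 manifest and refuses to copy them back if any file no longer matches. The function names, the manifest file name `SHA256SUMS` and the archive path argument are assumptions made for illustration; only `/var/lib/ossim/backup` comes from the thread.

```shell
#!/bin/sh
# Added example (not OSSIM code): archive backup files with an integrity
# manifest, and verify that manifest before files go back into the folder.
BACKUP_DIR="${BACKUP_DIR:-/var/lib/ossim/backup}"   # folder named in the thread

# archive_backups SRC DEST: hash each regular file in SRC, copy it to DEST,
# then publish the manifest as DEST/SHA256SUMS. SRC is left untouched.
archive_backups() {
    src=$1
    mkdir -p "$2" || return 1
    dest=$(cd "$2" && pwd) || return 1
    ( cd "$src" || exit 1
      : > "$dest/SHA256SUMS.tmp"
      for f in *; do
          [ -f "$f" ] || continue
          sha256sum -- "$f" >> "$dest/SHA256SUMS.tmp" || exit 1
          cp -p -- "$f" "$dest/$f" || exit 1
      done
      mv "$dest/SHA256SUMS.tmp" "$dest/SHA256SUMS" )
}

# verify_archive DIR: succeed only if a non-empty manifest exists and every
# listed file is present with a matching hash.
verify_archive() {
    ( cd "$1" && [ -s SHA256SUMS ] && sha256sum -c SHA256SUMS ) >/dev/null 2>&1
}

# restore_backups ARCHIVE [DEST]: copy back only the files named in the
# manifest, and only after the whole archive has verified.
restore_backups() {
    arch=$1; dest=${2:-$BACKUP_DIR}
    verify_archive "$arch" || {
        echo "manifest check failed, nothing restored" >&2
        return 1
    }
    while read -r _sum name; do
        name=${name#\*}                 # strip binary-mode marker if present
        cp -p -- "$arch/$name" "$dest/$name" || return 1
    done < "$arch/SHA256SUMS"
}

# Usage: script.sh archive /path/to/archive | script.sh restore /path/to/archive
case "${1:-}" in
    archive) archive_backups "$BACKUP_DIR" "$2" ;;
    restore) restore_backups "$2" "$BACKUP_DIR" ;;
esac
```

Because the files are copied rather than moved, the dates stay visible in the restore screen until the originals are removed separately.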


  • Hi HawtDog,
    can you additionally explain when the /var/lib/ossim/backup_alarm/alarm_restore* backups are used?
    Or are they only generated for manual alarm restoration? (v4.15.2)
