
How to backup AV OSSIM events to another drive?

artvandelay05

Entry Level
Hello community. I am trying to back up the SIEM events in OSSIM (and
the RAW logs would be nice too) to an external source. I understand
OSSIM does a backup of the database locally to the hard drive it is
installed on. I would like to make a backup of the database and save it
on an external hard drive attached to the computer, a different local
hard drive, or a file server.

I haven't found any documentation
on achieving this. In the web interface I have found the backup tab
under Administration and the backup options under Main, but neither give
me the option of where to store the backup. How can I achieve what I
want to accomplish?

Thanks community!

Best Answer

  • Answer ✓
    Are you using the latest version? If so, the easiest way is probably:

    1. ssh into OSSIM, jailbreak, and run the following:

        tar cvzf raw-logs.tgz /var/ossim/logs

    2. on your Windows desktop, using an FTP tool, e.g. WinSCP, connect to OSSIM and transfer the raw-logs.tgz file to your network share.


Answers

  • The RAW logs are just flat files, and they are stored at /var/ossim/logs. You can simply archive them yourself. 

    The SIEM events are stored in the alienvault_siem database. You can run mysqldump to back it up. Something similar to this:

        mysqldump -p`grep ^pass /etc/ossim/ossim_setup.conf | sed 's/pass=//'` --no-autocommit --single-transaction --databases alienvault_siem | gzip > alienvault_siem.sql.gz
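    The two answers combined into one script, as an added example that is not from the thread or from AlienVault: it archives the raw logs, dumps alienvault_siem, and writes both to a mounted external drive or share. It assumes OSSIM's default paths (/var/ossim/logs, /etc/ossim/ossim_setup.conf), a mount point of your choosing, and that it runs as root like the mysqldump above; unlike the one-liner it keeps the password out of the command line, where `-p<password>` is readable by anyone who can run `ps`.

```bash
#!/bin/bash
# Added example: back up OSSIM raw logs and the alienvault_siem database
# to a mounted backup target. Assumes OSSIM default paths (see lead-in).
set -euo pipefail

# Read the DB password from ossim_setup.conf (the "pass=" line the answer greps).
ossim_db_password() {
    local conf="${1:-/etc/ossim/ossim_setup.conf}"
    grep -m1 '^pass=' "$conf" | sed 's/^pass=//'
}

# Refuse to write unless the destination is really a mounted filesystem, so a
# detached drive or unmounted share does not silently fill the OSSIM root disk.
check_backup_target() {
    local dest="$1"
    mountpoint -q "$dest" || { echo "$dest is not a mounted filesystem" >&2; return 1; }
}

# Archive the flat raw-log files (same as tar cvzf in the accepted answer) and
# record a SHA-256 so a later restore can verify the archive is intact.
backup_raw_logs() {
    local src="$1" dest="$2" stamp="${3:-$(date +%Y%m%d-%H%M%S)}"
    local out="$dest/raw-logs-$stamp.tgz"
    tar czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
    sha256sum "$out" > "$out.sha256"
    echo "$out"
}

# Dump the SIEM event database. The password goes into a mode-0600 defaults
# file instead of the argv of mysqldump; --defaults-extra-file must come first.
backup_siem_db() {
    local conf="$1" dest="$2" stamp="${3:-$(date +%Y%m%d-%H%M%S)}"
    local out="$dest/alienvault_siem-$stamp.sql.gz"
    local extra; extra="$(mktemp)"; chmod 600 "$extra"
    printf '[client]\npassword=%s\n' "$(ossim_db_password "$conf")" > "$extra"
    mysqldump --defaults-extra-file="$extra" --single-transaction \
        --databases alienvault_siem | gzip > "$out"
    rm -f "$extra"
    sha256sum "$out" > "$out.sha256"
    echo "$out"
}

# Usage, after mounting the target (path is an assumption), e.g.
#   mount -t cifs //fileserver/backups /mnt/backup
#   check_backup_target /mnt/backup && backup_raw_logs /var/ossim/logs /mnt/backup \
#     && backup_siem_db /etc/ossim/ossim_setup.conf /mnt/backup
```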




  • Thank you for the answer whuang.  Do I run the mentioned commands at the CLI of the Alienvault OSSIM computer?  When I login to the CLI interface, I see an option to jailbreak.  Will I have to jailbreak OSSIM to run the mentioned commands?
  • Yes, you will have to jailbreak.
  • ok. Where do I go from there? I know I will be at a CLI.  I don't know bash very well at all.  What are the steps to copy the RAW logs to a network share in a windows environment?
  • whuang!  Thank you very much.  I did not think of FTP.  FTP exposed the directory of OSSIM and now I can get backups going.  I appreciate your answers (and patience!) very much.