ArcSight Logger configuration backup and restoration

With your ArcSight Logger L750MB you have maybe create some particular settings, some groups with associated users, filters, saved searches, customized report queries, report templates and dashboards. It is important to have regulate backups of all these stuffs. This blog post, will explain you on how to setup “One time only” and “Scheduled” backup of your ArcSight Logger configuration.

An important thing to know is that “Configuration Backup don’t include backup of the received events.

Configuration Backup” can only be made on a different host than the Logger and only by SSH SCP. So you will need to have a system user on a server how has a valid SSH connexion, also you will need to create a folder in this user home directory in order to receive the “tar.gz” backup file. In our example this folder will be named “backup“.

One time only” or “Scheduled” configuration backup

To configure an “One time only” or a “Scheduled” backup you will to log in the Logger Web administration and go in the “Configuration -> Configuration Backup” menu.

Edit the existing “Configuration backup” entry by clicking on the edit button and complete the fields.

Port : The port on which the SSH server is listening (by default 22)
IP/Host : IP address or host name of the SSH server.
User : The remote SSH user.
Password : The remote SSH password
Remote directory : The remote directory how the backup will be deposited.
Schedule : For “One time only” backup, let the check box be checked. For “Scheduled” backup, choose “Everyday” or “Days of Week” (Example : Su, M, T, W, Th, F, Sa), and “Hour of day” (in 24 hour format, example : 1, 4, 7, 12, 23), or “Every Hours” (in 24 hour format, example : 1, 4, 7, 12, 23) or “Every Minutes” (Example : 15, 20, 30, 59). For the “Every Minutes” setting you can not a value less than 15 minutes.

Backup content :All” for all the configurations or “Report Content only” for reports, queries, parameters, dashboards and templates.

Then click on “Save” button to save your “Configuration Backup” settings.

To start the backup click twice on the extreme right icon of the “Configuration Backup” Web page. One time to deactivate the backup and one other time to reactivate the backup. If you don’t do this, the backup will not be done.

 

One the remote server, in the “$HOME_SSH_USER/backup” directory, you will see  a file with a unique name (ex : 26Jun11_183551.configs.tar.gz).

Scheduled “Configuration Backup” specificities

Scheduled “Configuration Backup” appear in the “Scheduled Tasks” page, accessible from the “Configuration” menu.

You can, from this page, edit the “Configuration Backup” settings, delete the “Configuration Backup“, enable or disable the schedule of the “Configuration Backup“.

Also, you can verify that the “Configuration Backup” has occur successfully by verifying the “Finished Tasks“.

If your scheduled “Configuration Backup” has not occur successfully you can also find all the outputs in the “Finished Tasks”.

Another way to check the scheduled tasks results is to read the “$ARCSIGHT_HOME/current/arcsight/logger/logs/logger_server.out.log” file. For people how have an Logger appliance you can download the logs files from the “Configuration -> Retrieve Logs” menu.

Unfortunately they are no CEF event generated when a scheduled task has occur successfully or failed. So no way to have a clear view on scheduled tasks activities.

“Configuration Backup” restoration

When you restore your “Configuration Backup” all existing content are not preserved and deleted, also you can only restore a “Configuration Backup” from the same operating system and version of Logger.

To restore your backup, you only have to log in the Logger Web administration and go in the “Configuration -> Configuration Backup” menu. Then click on the “Restore” button and upload your configuration backup. Once the “Configuration Backup” is restored the Logger will reboot. So plan your restore 🙂