
Sheriff CSM™

Back Up and Restore Events

Sheriff CSM uses internal caches to ensure that communication interruptions between the Sheriff CSM Sensor (Deputy) and the Sheriff CSM Server do not result in event loss. The Sheriff CSM Sensor collects parsed log data using the agent_event cache, which is stored in /var/vigilante/agent_events/, to ensure data consistency. If a Sensor loses connectivity to the server, it continues to write to these cache files to prevent event loss. Once the Sensor reconnects, it resumes forwarding from this cache, submitting the buffered events to the server for correlation.

Sheriff CSM Server, on the other hand, stores security events in two different tables:

  • Event table — all security events
  • Alarm table — security events associated with alarms only

The backup and restore procedure described below affects only the event table. Events in the alarm table are left unchanged, so they remain visible in the alarms they are associated with.

By default, Sheriff CSM stores security events for up to 90 days or 40 million events. When either limit is reached, Sheriff CSM purges older events from the database to save disk space. You can change those limits based on how many events you receive every day. You can also filter events through policies. For instructions, see Tutorial: Create a Policy to Discard Events.

Event Backup Configuration

Event backups are enabled by default. In Sheriff CSM version 5.4, Sheriff added a new parameter, backup_events_min_free_disk_space, to set the minimum free disk space required for event backup to take place. The default is 10%. If the free disk space on the system is less than this setting, event backup will not start.

To change any of the default values for event backups:
  1. From the Sheriff CSM web UI, go to Configuration > Administration > Main > Backup.
  2. Change the Allowed free disk space for the SIEM backups, if desired.

    Available values are 10% and 15%. Default is 10%.

  3. Change the Number of Backup files to keep in the filesystem, if desired.

    Sheriff CSM keeps one backup file per day for event backups. Default is 30.

  4. Change the number of days to keep events in the database, if desired.

    0 means that there is no backup for events. Default is 90.

  5. Alternatively, change the number of events you want to keep, if desired.

    0 means that there is no limit on the number of events stored in the database. Default is 40,000,000.

    Important: Sheriff discourages setting either limit to 0 because you may soon run out of disk space.

  6. Click Update Configuration.

Restoring Events

Sheriff CSM backs up events every day and places the backup files in /var/lib/vigilante/backup. By default, it keeps 30 backup files, which correspond to 30 days of events. You can restore the events generated on a certain day.
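The retention and free-space rules described above can be checked offline. The following is an added example, not Sheriff CSM code; it assumes backup file names contain an ISO date (for example events_2022-06-10.sql.gz), which the page does not state, and works on a constructed file list instead of reading /var/lib/vigilante/backup. A missing day in the window usually means the nightly backup was skipped, for instance because free disk space fell below backup_events_min_free_disk_space, and those events are lost once the database purge runs.

```python
"""Offline check of the Sheriff CSM event-backup policy (added example)."""
from datetime import date, timedelta
import re
import shutil

# Assumption: each backup file name carries one ISO date (YYYY-MM-DD).
DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2})")


def backup_allowed(free_pct: float, min_free_pct: float = 10.0) -> bool:
    """Mirror backup_events_min_free_disk_space: backup starts only when
    free space is at or above the configured minimum (default 10%)."""
    return free_pct >= min_free_pct


def free_disk_pct(path: str) -> float:
    """Percentage of free space on the filesystem that holds `path`."""
    usage = shutil.disk_usage(path)
    return usage.free * 100.0 / usage.total


def backup_dates(filenames):
    """One date per backup file; names without a date are ignored."""
    return {date.fromisoformat(m.group(1))
            for m in (DATE_RE.search(n) for n in filenames) if m}


def missing_days(filenames, today: date, keep: int = 30):
    """Days inside the retention window (keep files = keep days, yesterday
    backwards) that have no backup file, oldest first."""
    have = backup_dates(filenames)
    window = (today - timedelta(days=i) for i in range(1, keep + 1))
    return sorted(d for d in window if d not in have)


def to_prune(filenames, keep: int = 30):
    """Files older than the newest `keep` daily backups, oldest first."""
    dated = sorted((date.fromisoformat(DATE_RE.search(n).group(1)), n)
                   for n in filenames if DATE_RE.search(n))
    return [n for _, n in dated[:-keep]] if len(dated) > keep else []


# Constructed sample: 33 days of files with three days deliberately absent.
SAMPLE_TODAY = date(2022, 6, 11)
SAMPLE_FILES = [f"events_{(SAMPLE_TODAY - timedelta(days=i)).isoformat()}.sql.gz"
                for i in range(1, 34) if i not in (3, 4, 20)]

if __name__ == "__main__":
    print("backup allowed at 8% free:", backup_allowed(8.0))
    print("missing:", [d.isoformat() for d in missing_days(SAMPLE_FILES, SAMPLE_TODAY)])
    print("prune:", to_prune(SAMPLE_FILES, keep=28))
```

Run it against the real directory by replacing SAMPLE_FILES with os.listdir("/var/lib/vigilante/backup") and SAMPLE_TODAY with date.today().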

Important: If you are running Sheriff CSM version 5.6 or later, you cannot restore event backup files from an earlier version. This is due to a schema change in the SIEM database introduced in Sheriff CSM version 5.6, making the backup files from earlier versions incompatible.

To restore events from the Sheriff CSM web UI:
  1. Go to Configuration > Administration > Backups > Events.
  2. Select the date you want to restore.
  3. Click Restore.

You can click View Backup Logs to see the latest logs concerning backups. For example:

If Dates to Restore is empty, all events are already in the SIEM database; the dates are listed under Dates in Database instead.


Topic revision: 11 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.