
Sheriff CSM™

Migrate Your Sheriff CSM Deployment

In some scenarios, such as disaster recovery, upgrades, or platform changes, you may choose to move your deployed Sheriff CSM to a new platform or deployment.

You need to apply a new license when migrating from one Sheriff CSM hardware appliance to another, such as after an RMA. The replacement license key is provided when the new hardware ships.

If you are migrating from a Sheriff CSM hardware appliance to a virtual machine, or from one virtual platform to another (VMware to Hyper-V or VMware to AWS), the license may only need to be reset. In such cases, contact Sheriff Support to obtain the appropriate image and have your license reset so that it can be applied to the new installation.

Migrating your Sheriff CSM deployment consists of two tasks: backing up the existing deployment, then restoring the backups on the new one.

Sheriff CSM does not provide a tool to back up the system as a whole. You need to back up your data and system configurations separately, and then transfer them to the other Sheriff CSM deployment for restoration.

To back up your Sheriff CSM deployment
  1. Generate a configuration backup from the web UI. For instructions, see Backing Up Configurations.

    Note: You need to perform the following steps from the command line, through the Sheriff Console.

  2. Connect to the Sheriff Console through SSH and use your credentials to log in.

    The Sheriff Setup menu displays.

  3. On the Sheriff Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  4. On the command line, type the following command:

    screen

    We recommend using the screen session so that you can keep the program running even after you log out.

  5. Stop the following services so that they do not interfere with the process:

    /etc/init.d/monit stop
    /etc/init.d/vigilante-server stop
    /etc/init.d/vigilante-agent stop
    /etc/init.d/vigilante-framework stop
    /etc/init.d/sheriff-api stop
  6. Back up the alarms:

    mysqldump -p`grep ^pass /etc/vigilante/vigilante_setup.conf | sed 's/pass=//'` --no-autocommit --single-transaction sheriff event extra_data idm_data otx_data backlog_event backlog alarm component_tags tag alarm_ctxs alarm_nets alarm_hosts | pigz > sheriff-alarms-`date +%s`.sql.gz

    Adding `date +%s` to the filename gives it a unique time stamp.

  7. Back up the events:

    Note: The example below illustrates how to transfer files from Sheriff CSM to a machine on your network. If you have the new Sheriff CSM instance already deployed, you can transfer the files to the new system directly.

    This step involves two parts:

    1. Back up the events in the database:
      mysqldump -p`grep ^pass /etc/vigilante/vigilante_setup.conf | sed 's/pass=//'` --no-autocommit --single-transaction --databases sheriff_siem | pigz > sheriff-events-`date +%s`.sql.gz

      Adding `date +%s` to the filename gives it a unique time stamp.

    2. Using the rsync protocol, transfer the old events to the destination:

      Syntax:

      rsync -av --progress /src_folder_path <username>@<dest_ip_address>:<dest_folder_path>

      Example:

      rsync -av --progress /var/lib/vigilante/backup root@10.10.10.10:/var/lib/vigilante

      Important: Leave out the trailing slash ('/') on the source so that the corresponding directory will be created at the destination.

  8. Back up MongoDB:

    1. Back up the MongoDB database and create the dump directory:
      mongodump --host localhost
    2. Compress the file:
      tar cvfz sheriff-mongodb-`date +%s`.tgz dump

      Adding `date +%s` to the filename gives it a unique time stamp.

    3. Remove the dump directory:
      rm -rf ./dump
  9. Back up the NetFlow data, if you use it:

    tar czf sheriff-netflow-`date +%s`.tgz /var/nfsen /var/cache/nfdump

    Adding `date +%s` to the filename gives it a unique time stamp.

  10. Back up the Raw Logs:

    Note: The example below illustrates how to transfer files from Sheriff CSM to a machine on your network. If you have the new Sheriff CSM instance already deployed, you can transfer the files to the new system directly.

    For efficiency, use the rsync protocol to transfer the raw logs to the destination:

    Syntax:

    rsync -av --progress /src_folder_path <username>@<dest_ip_address>:<dest_folder_path>

    Example 1: Transferring raw logs of March 2017

    rsync -av --progress /var/vigilante/logs/2017/03 root@10.10.10.10:/var/vigilante/logs/2017

    Example 2: Transferring all raw logs of 2017

    rsync -av --progress /var/vigilante/logs/2017 root@10.10.10.10:/var/vigilante/logs

    Important: Leave out the trailing slash ('/') on the source so that the corresponding directory will be created at the destination.

  11. At this step, you have produced the following files:

    /root/sheriff-alarms-<timestamp>.sql.gz
    /root/sheriff-events-<timestamp>.sql.gz
    /root/sheriff-mongodb-<timestamp>.tgz
    /root/sheriff-netflow-<timestamp>.tgz

    You should also have a file similar to below generated by the configuration backup:

    /var/sheriff/backup/configuration_<hostname>_<timestamp>.tar.gz
  12. Transfer all backup files to your new Sheriff CSM deployment or to an interim system. You can use either an SFTP client on Windows, such as WinSCP, or the SCP protocol on Linux.
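Before transferring the backup set produced above, it is worth confirming that every archive is present and intact, and recording checksums that can be re-verified on the destination so that a truncated or corrupted transfer is caught before a restore is attempted. The following shell functions are an added example, not part of the Sheriff CSM documentation; they assume the archives sit in one directory with the file names the procedure produces, and that gzip and GNU sha256sum are available.

```shell
#!/bin/sh
# Added example (not from the Sheriff CSM documentation): sanity-check a
# backup set produced by the backup procedure before transfer or restore.
# Assumes the archives are named sheriff-<kind>-<timestamp>.sql.gz / .tgz
# as in the procedure, all in one directory.

# Return 0 when each required archive exists, is non-empty and decompresses
# cleanly; print each problem found. The NetFlow archive is optional because
# not every deployment collects NetFlow.
check_backup_set() {
  dir=$1
  rc=0
  for prefix in sheriff-alarms sheriff-events sheriff-mongodb sheriff-netflow; do
    set -- "$dir"/"$prefix"-*.sql.gz "$dir"/"$prefix"-*.tgz
    found=""
    for f in "$@"; do [ -f "$f" ] && found=$f; done
    if [ -z "$found" ]; then
      if [ "$prefix" = sheriff-netflow ]; then continue; fi
      echo "missing: $prefix archive"; rc=1; continue
    fi
    if [ ! -s "$found" ]; then echo "empty: $found"; rc=1; continue; fi
    # .tgz files are gzip-compressed too, so gzip -t validates both kinds
    if ! gzip -t "$found" 2>/dev/null; then echo "corrupt: $found"; rc=1; fi
  done
  return $rc
}

# Write a SHA-256 manifest next to the archives on the source system ...
write_manifest() {
  ( cd "$1" && sha256sum sheriff-*.sql.gz sheriff-*.tgz > backup.sha256 )
}

# ... and re-check it on the destination after the transfer, before restoring.
verify_manifest() {
  ( cd "$1" && sha256sum -c --quiet backup.sha256 )
}
```

Run `check_backup_set /root && write_manifest /root` on the source, transfer backup.sha256 together with the archives, and run `verify_manifest` in the directory where they land on the target.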

Before following the procedure below, you should have deployed the SAME version of Sheriff CSM on the target system, transferred the backup files to it, and placed them in the root directory.

Important: If you are restoring Sheriff CSM to a different platform such as from VMware to Hyper-V, you must acquire a new license. Please contact Sheriff Support for your request.

To restore your Sheriff CSM deployment
  1. Connect to the Sheriff Console through SSH and use your credentials to log in.

    The Sheriff Setup menu displays.

  2. On the Sheriff Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. On the command line, type the following command:

    screen

    We recommend using the screen session so that you can keep the program running even after you log out.

  4. Stop the following services so that they do not interfere with the process:

    /etc/init.d/monit stop
    /etc/init.d/vigilante-server stop
    /etc/init.d/vigilante-agent stop
    /etc/init.d/vigilante-framework stop
    /etc/init.d/sheriff-api stop
  5. Restore the alarms:

    zcat sheriff-alarms-<timestamp>.sql.gz | vigilante-db
  6. Restore the events:

    1. Restore events into the database:
      zcat sheriff-events-<timestamp>.sql.gz | vigilante-db
    2. If not done already, use the rsync protocol to transfer the event backup files to the /var/lib/vigilante directory.

    3. Change permission on event backup files:
      chown root:sheriff /var/lib/vigilante/backup
      chown root:root /var/lib/vigilante/backup/*
  7. Restore MongoDB:

    1. Extract the file:

      tar xvzf sheriff-mongodb-<timestamp>.tgz
    2. Restore the backup file:

      mongorestore --db inventory dump/inventory
    3. Remove the dump directory:

      rm -rf ./dump
  8. Restore the NetFlow data, if you use it:

    1. Extract the backup file into the '/' directory:
      tar xvzf sheriff-netflow-<timestamp>.tgz -C /
    2. Update file permissions. The tar listing gives the original user/group of every file (field 2) and its path (field 6); the loop restores that ownership:
      tar tvzf sheriff-netflow-<timestamp>.tgz | tr -s ' ' > /root/file_list
      ulimit -s 65536
      cd /
      for i in `cut -f2 -d" " /root/file_list | sort -u`; do
        user=`echo $i | cut -f1 -d"/"`
        group=`echo $i | cut -f2 -d"/"`
        chown $user:$group `grep $i /root/file_list | cut -f6 -d" " | xargs`
      done
      ulimit -s 8192
  9. Restore Raw Logs:

    1. If not done already, use the rsync protocol to transfer the raw logs to the /var/vigilante/logs directory.

    2. Change ownership for raw logs.

      Using "Example 2: Transferring all raw logs of 2017" from the backup steps above, type

      chown -R www-data:sheriff /var/vigilante/logs/searches
      chown -R avserver:sheriff /var/vigilante/logs/2017
    3. Change permission for raw logs.

      Using "Example 2: Transferring all raw logs of 2017" from the backup steps above, type

      chmod -R 775 /var/vigilante/logs/2017
  10. Restore system configurations:

    1. Copy or move the configuration backup file to the /var/sheriff/backup directory.
    2. Type exit and then press Enter to return to the Sheriff Setup menu.
    3. Select Maintenance & Troubleshooting.
    4. Select Backups.
    5. Select Restore configuration backup.
    6. Select the backup file you want to restore, click <OK> or press Enter.
    7. Select <Yes> to continue.
    8. Enter the password used to encrypt the backup files.

      The restoration process starts.

      After the process finishes, the system restarts automatically.

      Note: Your SSH connection will drop if the IP address of Sheriff CSM changes as a result of the restoration.

    9. Log in to display the Sheriff Setup menu again.
    10. Select System Preferences.
    11. Select Reset Sheriff API Key.

      To find out more, see Reset the Sheriff API Key.

  11. Return to the Sheriff Setup main menu, select Reboot Appliance, click <OK> or press Enter.

Topic revision: 01 Jul 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.