 |
Previous Next Sheriff CSMâ„¢
Migrate Your Sheriff CSM Deployment
In some scenarios, such as disaster recovery, upgrades, or platform changes, you may choose to move your deployed Sheriff CSM to a new platform or deployment. You need to apply a new license when migrating from one Sheriff CSM hardware to another, such as a RMA. The replacement license key will be provided when the new hardware ships. If you are migrating from a Sheriff CSM hardware to a virtual machine, or from one virtual platform to another (VMware to Hyper-V or VMware to AWS), the license may only need to be reset. In such cases you can contact Sheriff Support to obtain the appropriate image, and have your license reset so that it can be applied to the new installation. Migrating your Sheriff CSM deployment consists of two tasks:
-
Generate a configuration backup from the web UI. For instructions, see Backing Up Configurations.
Note: You need to perform the following steps from the command line, through the Sheriff Console.
-
Connect to the Sheriff Console through SSH and use your credentials to log in.
The Sheriff Setup menu displays.
-
On the Sheriff Setup main menu, select Jailbreak System to gain command line access.
Select Yes when prompted. You will be in the root directory.
-
On the command line, type the following command:
screen
We recommend using the screen session so that you can keep the program running even after you log out.
-
Stop the following services so that they do not interfere with the process:
/etc/init.d/monit stop /etc/init.d/vigilante-server stop /etc/init.d/vigilante-agent stop /etc/init.d/vigilante-framework stop /etc/init.d/sheriff-api stop
-
Back up the alarms:
mysqldump -p`grep ^pass /etc/vigilante/vigilante_setup.conf | sed 's/pass=//'` --no-autocommit --single-transaction sheriff event extra_data idm_data otx_data backlog_event backlog alarm component_tags tag alarm_ctxs alarm_nets alarm_hosts | pigz > sheriff-alarms-`date +%s`.sql.gz
Adding
`date +%s`to the filename gives it a unique time stamp. -
Back up the events:
Note: The example below illustrates how to transfer files from Sheriff CSM to a machine on your network. If you have the new Sheriff CSM instance already deployed, you can transfer the files to the new system directly.
This step involves two parts:
- Back up the events in the database:
mysqldump -p`grep ^pass /etc/vigilante/vigilante_setup.conf | sed 's/pass=//'` --no-autocommit --single-transaction --databases sheriff_siem | pigz > sheriff-events-`date +%s`.sql.gz
Adding
`date +%s`to the filename gives it a unique time stamp. - Using the rsync protocol, transfer the old events to the destination:
Syntax:
rsync -av --progress /src_folder_path <username>@<dest_ip_address>:<dest_folder_path>
Example:
rsync -av --progress /var/lib/vigilante/backup root@10.10.10.10:/var/lib/vigilante
Important: Leave out the trailing slash ('/') on the source so that the corresponding directory will be created at the destination.
- Back up the events in the database:
-
Back up MongoDB:
- Back up the MongoDB database and create the dump directory:
mongodump --host localhost
- Compress the file:
tar cvfz sheriff-mongodb-`date +%s`.tgz dump
Adding
`date +%s`to the filename gives it a unique time stamp. - Remove the dump directory:
rm -rf ./dump
- Back up the MongoDB database and create the dump directory:
-
Back up NetFlow Data, if using:
tar czf sheriff-netflow-`date +%s`.tgz /var/nfsen /var/cache/nfdump
Adding
`date +%s`to the filename gives it a unique time stamp. -
Back up the Raw Logs:
Note: The example below illustrates how to transfer files from Sheriff CSM to a machine on your network. If you have the new Sheriff CSM instance already deployed, you can transfer the files to the new system directly.
For efficiency, use the rsync protocol to transfer the raw logs to the destination:
Syntax:
rsync -av --progress /src_folder_path <username>@<dest_ip_address>:<dest_folder_path>
Example 1: Transferring raw logs of March 2017
rsync -av --progress /var/vigilante/logs/2017/03 root@10.10.10.10:/var/vigilante/logs/2017
Example 2: Transferring all raw logs of 2017
rsync -av --progress /var/vigilante/logs/2017 root@10.10.10.10:/var/vigilante/logs
Important: Leave out the trailing slash ('/') on the source so that the corresponding directory will be created at the destination.
-
At this step, you have produced the following files:
/root/sheriff-alarms-<timestamp>.sql.gz /root/sheriff-events-<timestamp>.sql.gz /root/sheriff-mongodb-<timestamp>.tgz /root/sheriff-netflow-<timestamp>.tgz
You should also have a file similar to below generated by the configuration backup:
/var/sheriff/backup/configuration_<hostname>_<timestamp>.tar.gz
-
Transfer all backup files to your new Sheriff CSM deployment or an interim system. You can use either an SFTP client on Windows, such as WinSCP; or the SCP protocol on Linux
-
Connect to the Sheriff Console through SSH and use your credentials to log in.
The Sheriff Setup menu displays.
-
On the Sheriff Setup main menu, select Jailbreak System to gain command line access.
Select Yes when prompted. You will be in the root directory.
-
On the command line, type the following command:
screen
We recommend using the screen session so that you can keep the program running even after you log out.
-
Stop the following services so that they do not interfere with the process:
/etc/init.d/monit stop /etc/init.d/vigilante-server stop /etc/init.d/vigilante-agent stop /etc/init.d/vigilante-framework stop /etc/init.d/sheriff-api stop
-
Restore the alarms:
zcat sheriff-alarms-<timestamp>.sql.gz | vigilante-db
-
Restore the events:
- Restore events into the database:
zcat sheriff-events-<timestamp>.sql.gz | vigilante-db
-
If not done already, use the
rsyncprotocol to transfer the event backup files to/var/lib/vigilantedirectory. - Change permission on event backup files:
chown root:sheriff /var/lib/vigilante/backup chown root:root /var/lib/vigilante/backup/*
- Restore events into the database:
-
Restore MongoDB:
-
Extract the file:
tar xvzf sheriff-mongodb-<timestamp>.tgz
-
Restore the backup file
mongorestore --db inventory dump/inventory
-
Remove the dump directory:
rm -rf ./dump
-
-
Restore NetFlow data, if using:
- Extract the backup file into the '/' directory:
tar xvzf sheriff-netflow-<timestamp>.tgz -C /
- Update file permissions:
tar tvzf sheriff-netflow-<timestamp>.tgz | tr -s ' ' > /root/file_list ulimit -s 65536 cd / for i in `cat /root/file_list | cut -f2 -d" " | sort -u`; do user=`echo $i | cut -f1 -d"/"`; group=`echo $i | cut -f2 -d"/"`; chown $user:$group `grep $i root/file_list | cut -f6 -d" " | xargs`; done ulimit -s 8192
- Extract the backup file into the '/' directory:
-
Restore Raw Logs:
-
If not done already, use the rsync protocol to transfer the raw logs to
/var/vigilante/logsdirectory. - Change ownership for raw logs.
Using "Example 2: Transferring all raw logs of 2017" from the backup steps above, type
chown -R www-data:sheriff /var/vigilante/logs/searches chown -R avserver:sheriff /var/vigilante/logs/2017
-
Change permission for raw logs.
Using "Example 2: Transferring all raw logs of 2017" from the backup steps above, type
chmod -R 775 /var/vigilante/logs/2017
-
-
Restore system configurations:
- Copy or move the configuration backup file to the /var/sheriff/backup directory.
- Type exit and then press Enter to return to the Sheriff Setup menu.
- Select Maintenance & Troubleshooting.
- Select Backups.
- Select Restore configuration backup.
- Select the backup file you want to restore, click <OK> or press Enter.
- Select <Yes> to continue.
- Enter the password used to encrypt the backup files.
The restoration process starts.
After the process finishes, the system restarts automatically.
Note: Your SSH connection will drop if the IP address of Sheriff CSM changes as a result of the restoration.
- Log in to display the Sheriff Setup menu again.
- Select System Preferences.
- Select Reset Sheriff API Key.
To find out more, see Reset the Sheriff API Key.
-
Return to the Sheriff Setup main menu, select Reboot Appliance, click <OK> or press Enter.