Backup Process For McAfee Devices

Backup
process for McAfee devices

ESM (Standalone) Backup
The backup process on the ESM is intended to create a backup of the tables on the ESM for restoring the
configuration of the ESM. There are two backup types Full or incremental. They are described
below.
A Full backup is a backup of all database table files uncompressed to a remote storage location. This
backup type can back up to a CIFS/NFS location. The storage location is mounted before the backup
starts and is checked each time to ensure the backup begins. It is expected that the backup location will
contain more than one backup file unless the backup location is maintained by the user. The files are
copied uncompressed to the storage location for storage and subsequent restoration. For a list of the
tables backed up from the ESM is listed the backup.log file is stored with backup. The path backup
files will be copied to appears like this:
xx.xx.xx.xx:/backupfolder/ETM-xx_9.3.1_2013_12_25_215739_F/
An incremental backup is a backup of ESM configuration files compressed to a local or remote

storage location. There is also an option to back up the event/flow/log data for the last 24 hours. (based
off last backup time stamp) For a list of the tables backed up from the ESM, open the backup.log file is
stored within the backup .zip file each time the backup is run. The backup log file contains the tables
that are backed up and the records in each table that was backed up. See the output of the file below:
TABLE ADGROPSM (2013-12-19 09:12:05) (63928 record (s)) (0 TABLE Access (2013-12-19 09:12:05) (778 record (s)) (170
deleted location(s)) deleted location(s))
TABLE ADGroup (2013-12-19 09:12:05) (336 record (s)) (0 TABLE Action (2013-12-19 09:12:05) (39 record (s)) (0 deleted
deleted location(s)) location(s))
TABLE AGGXCPTN (2013-12-19 09:12:05) (4 record (s)) (0 deleted TABLE Asset (2013-12-19 09:12:05) (20009 record (s)) (0
location(s)) deleted location(s))
TABLE ASSETGRP (2013-12-19 09:12:05) (4 record (s)) (0 deleted TABLE BLACKLST (2013-12-19 09:12:05) (1 record (s)) (0 deleted
location(s)) location(s))
TABLE ASSTGRRF (2013-12-19 09:12:05) (20014 record (s)) (0 TABLE BLCKLFFR (2013-12-19 09:12:05) (0 record (s)) (0 deleted
TABLE ASSTVBLT (2013-12-19 09:12:05) (2339 record (s)) (0 TABLE CASEVNTS (2013-12-19 09:12:05) (203 record (s)) (0
TABLE ASSTVNDR (2013-12-19 09:12:05) (20009 record (s)) (0 TABLE CHANGELG (2013-12-19 09:12:06) (41473 record (s)) (0
TABLE ATCRTRL (2013-12-19 09:12:05) (10 record (s)) (0 deleted TABLE CONDITIN (2013-12-19 09:12:06) (26 record (s)) (0 deleted
TABLE ATCRTRLC (2013-12-19 09:12:05) (160 record (s)) (0 TABLE CaseMgt (2013-12-19 09:12:06) (184 record (s)) (0
TABLE CaseOrg (2013-12-19 09:12:06) (1 record (s)) (0 deleted TABLE IPSCHANG (2013-12-19 09:12:09) (153 record (s)) (2382
TABLE Class (2013-12-19 09:12:06) (68 record (s)) (0 deleted TABLE IPSCheck (2013-12-19 09:12:09) (15 record (s)) (0 deleted
TABLE DEVICEFO (2013-12-19 09:12:06) (7 record (s)) (0 deleted TABLE ITMRGHTS (2013-12-19 09:12:09) (4 record (s)) (0 deleted
TABLE DTNRCHMT (2013-12-19 09:12:06) (5 record (s)) (0 TABLE LCLSTRNG (2013-12-19 09:12:09) (975382 record (s)) (0
TABLE DTNRCLDS (2013-12-19 09:12:06) (3 record (s)) (0 deleted TABLE LOGCATGR (2013-12-19 09:12:09) (11 record (s)) (0
TABLE DTNRCPSD (2013-12-19 09:12:06) (3 record (s)) (0 deleted TABLE MSSGTMPL (2013-12-19 09:12:09) (11 record (s)) (0
TABLE DVCFLSJN (2013-12-19 09:12:06) (28 record (s)) (67 TABLE NDDVCNFC (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE EMAILGRP (2013-12-19 09:12:06) (1 record (s)) (0 deleted TABLE NDDVCSSS (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE EMLDDRSS (2013-12-19 09:12:06) (8 record (s)) (0 deleted TABLE NDDVCVLN (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE EMailGro (2013-12-19 09:12:06) (3 record (s)) (0 deleted TABLE NDDevice (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE ESMFLTRS (2013-12-19 09:12:06) (0 record (s)) (0 deleted TABLE NDEPDVCS (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE EVNTFDNG (2013-12-19 09:12:06) (3 record (s)) (0 deleted TABLE NDEPPRMS (2013-12-19 09:12:09) (1 record (s)) (0 deleted
TABLE EXTDVCTT (2013-12-19 09:12:06) (259 record (s)) (0 TABLE NDFLDRDC (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE EXTRNLDV (2013-12-19 09:12:06) (109 record (s)) (0 TABLE NDFolder (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE GeoLoc (2013-12-19 09:12:08) (806266 record (s)) (0 TABLE NDIPLoc (2013-12-19 09:12:09) (419 record (s)) (0 deleted
TABLE Groups (2013-12-19 09:12:08) (10 record (s)) (0 deleted TABLE NDNDPHST (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE HCFILTRS (2013-12-19 09:12:08) (0 record (s)) (0 deleted TABLE NDNDPNTP (2013-12-19 09:12:09) (0 record (s)) (0
TABLE HLTHSNGS (2013-12-19 09:12:08) (16854 record (s)) (0 TABLE NDNDPNTS (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE Hosts (2013-12-19 09:12:08) (489 record (s)) (0 deleted TABLE NDNDPSTR (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE ICMPType (2013-12-19 09:12:08) (66 record (s)) (0 deleted TABLE NDNGHBRS (2013-12-19 09:12:09) (0 record (s)) (0
TABLE IPS (2013-12-19 09:12:08) (153 record (s)) (2382 TABLE NDPRMLSN (2013-12-19 09:12:09) (0 record (s)) (0
TABLE IPSBlob (2013-12-19 09:12:09) (731 record (s)) (612 TABLE NDPRMSDL (2013-12-19 09:12:09) (1 record (s)) (0 deleted
TABLE NDPROCSS (2013-12-19 09:12:09) (3 record (s)) (0 deleted TABLE Query (2013-12-19 09:12:09) (1255 record (s)) (0
TABLE NDPRTCRL (2013-12-19 09:12:09) (0 record (s)) (0 deleted TABLE RGHTSMNT (2013-12-19 09:12:09) (147 record (s)) (0
TABLE NDParams (2013-12-19 09:12:09) (1 record (s)) (0 deleted TABLE RMTCMMND (2013-12-19 09:12:09) (1 record (s)) (0
TABLE NDSRCLTS (2013-12-19 09:12:09) (0 record (s)) (0 deleted TABLE RMTCMTTR (2013-12-19 09:12:09) (3 record (s)) (0
TABLE NOTIFCTN (2013-12-19 09:12:09) (31 record (s)) (0 TABLE RPRTCMNT (2013-12-19 09:12:09) (2316 record (s)) (0
TABLE NTFCTBRS (2013-12-19 09:12:09) (123 record (s)) (53 TABLE RPRTFLDR (2013-12-19 09:12:09) (96 record (s)) (0 deleted
TABLE NTFCTNCH (2013-12-19 09:12:09) (31 record (s)) (0 TABLE RULEPARA (2013-12-19 09:12:09) (0 record (s)) (0 deleted
TABLE NTFCTNCN (2013-12-19 09:12:09) (61 record (s)) (1 TABLE RULEPARM (2013-12-19 09:12:09) (404 record (s)) (3
TABLE NTFCTNML (2013-12-19 09:12:09) (0 record (s)) (0 deleted TABLE RULEUSEE (2013-12-19 09:12:09) (50968 record (s))
location(s)) (100689 deleted location(s))
TABLE NTFCTNSR (2013-12-19 09:12:09) (0 record (s)) (0 deleted TABLE Reports (2013-12-19 09:12:09) (900 record (s)) (0 deleted
TABLE NTFCTTTR (2013-12-19 09:12:09) (326 record (s)) (0 TABLE Rights (2013-12-19 09:12:09) (27 record (s)) (0 deleted
TABLE Notes (2013-12-19 09:12:09) (0 record (s)) (0 deleted TABLE Rule (2013-12-19 09:12:10) (475432 record (s)) (0
TABLE Notifica (2013-12-19 09:12:09) (7 record (s)) (0 deleted TABLE RuleVA (2013-12-19 09:12:10) (19445 record (s)) (0
TABLE OS (2013-12-19 09:12:09) (28 record (s)) (0 deleted TABLE RuleVIN (2013-12-19 09:12:10) (16711 record (s)) (0
TABLE PLUGINDT (2013-12-19 09:12:09) (0 record (s)) (0 deleted TABLE SENDEMAL (2013-12-19 09:12:10) (0 record (s)) (1 deleted
TABLE PREPRCSS (2013-12-19 09:12:09) (19 record (s)) (0 deleted TABLE SENDSSLG (2013-12-19 09:12:10) (0 record (s)) (0 deleted
TABLE PRPRCPTN (2013-12-19 09:12:09) (3 record (s)) (0 deleted TABLE SLCTFLDM (2013-12-19 09:12:10) (163 record (s)) (0
TABLE PRPRCSRP (2013-12-19 09:12:09) (11 record (s)) (0 TABLE SMXRef (2013-12-19 09:12:10) (0 record (s)) (0 deleted
TABLE Plugins (2013-12-19 09:12:09) (0 record (s)) (0 deleted TABLE SSSTTNGS (2013-12-19 09:12:10) (269 record (s)) (0
TABLE PortApps (2013-12-19 09:12:09) (96 record (s)) (0 deleted TABLE STRINGMP (2013-12-19 09:12:10) (143764 record (s)) (0
TABLE Ports (2013-12-19 09:12:09) (4460 record (s)) (0 deleted TABLE Scoring (2013-12-19 09:12:10) (3 record (s)) (1 deleted
TABLE Profile (2013-12-19 09:12:09) (11 record (s)) (0 deleted TABLE TAGSVBTS (2013-12-19 09:12:10) (74 record (s)) (0
TABLE TGPDTXTN (2013-12-19 09:12:10) (57 record (s)) (29 TABLE USERLCNS (2013-12-19 09:12:11) (17 record (s)) (0
TABLE TGSSTGRP (2013-12-19 09:12:10) (31 record (s)) (0 TABLE USERSTTS (2013-12-19 09:12:11) (1 record (s)) (0 deleted
TABLE TGSSTXTN (2013-12-19 09:12:10) (64 record (s)) (0 TABLE USRFLTST (2013-12-19 09:12:11) (5727 record (s)) (0
TABLE THRDPNFG (2013-12-19 09:12:10) (1223 record (s)) (1701 TABLE USRPSDJN (2013-12-19 09:12:11) (0 record (s)) (0 deleted
TABLE THRDPRTP (2013-12-19 09:12:10) (440 record (s)) (0 TABLE USRVWXSN (2013-12-19 09:12:11) (0 record (s)) (0
TABLE TPTPPPLC (2013-12-19 09:12:10) (14 record (s)) (0 deleted TABLE User_IPS (2013-12-19 09:12:11) (14 record (s)) (0 deleted
TABLE TRGGRDLM (2013-12-19 09:12:10) (2309 record (s)) (1 TABLE Users (2013-12-19 09:12:11) (32 record (s)) (0 deleted
TABLE Tag (2013-12-19 09:12:10) (917 record (s)) (0 deleted TABLE UsersPW (2013-12-19 09:12:11) (22 record (s)) (0 deleted
TABLE TagAsset (2013-12-19 09:12:10) (20089 record (s)) (0 TABLE VAREXCEP (2013-12-19 09:12:11) (9 record (s)) (0 deleted
TABLE TagRule (2013-12-19 09:12:10) (271341 record (s)) (0 TABLE VIEWFLDR (2013-12-19 09:12:11) (106 record (s)) (0
TABLE Theme (2013-12-19 09:12:10) (12 record (s)) (0 deleted TABLE VULNRBLT (2013-12-19 09:12:11) (6293 record (s)) (0
TABLE Timezone (2013-12-19 09:12:10) (74 record (s)) (0 deleted TABLE VWCMPNNT (2013-12-19 09:12:11) (5362 record (s)) (0
TABLE Triggere (2013-12-19 09:12:10) (0 record (s)) (4 deleted TABLE Var (2013-12-19 09:12:11) (129 record (s)) (0 deleted
TABLE UCFA2C (2013-12-19 09:12:10) (3041 record (s)) (0 TABLE View (2013-12-19 09:12:11) (893 record (s)) (0 deleted
TABLE UCFC2U (2013-12-19 09:12:10) (5432 record (s)) (0 TABLE WMIType (2013-12-19 09:12:11) (336 record (s)) (0
TABLE UCFN2U (2013-12-19 09:12:10) (58 record (s)) (0 deleted TABLE WTCHLSLS (2013-12-19 09:12:47) (149479 record (s))
location(s)) (90095746 deleted location(s))
TABLE UCFName (2013-12-19 09:12:10) (3388 record (s)) (0 TABLE WTCHLSTS (2013-12-19 09:12:47) (20 record (s)) (0
TABLE UPDATBLB (2013-12-19 09:12:11) (14 record (s)) (0 TABLE ZONEIPMA (2013-12-19 09:12:47) (258 record (s)) (0
TABLE USERFILD (2013-12-19 09:12:11) (225 record (s)) (0 TABLE Zone (2013-12-19 09:12:47) (257 record (s)) (0 deleted
TABLE USERFLDS (2013-12-19 09:12:11) (228 record (s)) (0

deleted location(s))
The backup occurs live so the ESM is not restarted as the backup proceeds. The files are stored into the
folder /data_hd /usr/local/ess/dbbackupwork/ where they are tarred up and compressed in a .zip file.
The final file is stored in /data_hd/usr/local/ess/dbbackup/ for presentation in the File Maintenance UI
in the SIEM GUI. The best way to follow the backup process is by watching the message box in the ESM
GUI. It will look something like this:
A remote backup type can back up to a CIFS/NFS location. The storage location is mounted before the
backup starts and is checked each time to ensure the backup begins. It is expected that the backup
location will contain more than one backup file unless the backup location is maintained by the user.
The backup files are copied compressed to the storage location for storage and subsequent
restoration. For remote folders the path name will look like this:
xx.xx.xx.xx:/backupfolder/ETM-xx_9.3.1_2013_12_25_021738_I.zip
The restore process is used to restore the ESM configuration and data back to the ESM. It works in an
opposite manner from the back up process. The file selected from the File Maintenance UI in the SIEM
GUI is copied to the /data_hd/usr/local/ess/dbrestore folder. The ESM must be shut down to restore the
DB tables correctly. After that process is stopped the .zip file is untarred up and placed in the /data_hd
/usr/local/ess/dbbackupwork/ folder to be copied to the correct folders on the ESM. After that the ESM
is restarted to recognize the new configuration placed on it. The best way to follow the process is by
logging onto the console of the ESM and look at the /var/log/messages file. It will look something like
this:
Dec 20 02:22:25 McAfee [55337]: RestoreDB - started
Dec 20 02:22:25 McAfee [55337]: Opened database - /db2/usr/local/ess/data/ngcp.dfl - system

number - 1
Dec 20 02:22:26 McAfee [55337]: RestoreDB - extracting file: - /db1/usr/local/ess/dbrestore/ETM-

X4_9.3.1_2013_12_19_220919_I.zip
Dec 20 02:22:26 McAfee [55337]: Opened database - /db1/usr/local/ess/dbrestore/ngcpold.dfl -
system number - 2
Dec 20 02:23:42 McAfee [55337]: RestoreDB - restoring file: - /db1/usr/local/ess/dbrestore/ETM-

xx_9.3.1_2013_12_20_220919_I.zip
Dec 20 02:23:42 McAfee [55337]: RestoreDB - restoring on primary
Dec 20 02:25:48 McAfee [55337]: RestoreDB - restore system tables complete
Dec 20 02:25:57 McAfee [55337]: RestoreDB - finished
ESM( Redundant)
A redundant ESM is limited on the functionality it can perform compared to a primary (standalone) ESM
but it will get all settings that a standalone ESM is given to ensure it comes up fully configured when
placed in primary mode. An error is given to indicate the backup capability is turned off.
The redundant will still have access restore backups that are available on the remote backup folders.
ELM
The backup process on the ELM is intended to create a backup of the Management DB tables on the
ELM for restoring the configuration of the ELM and the log file indexes currently on the ELM. The
folders created by the backup and the backup files put there are described below.
Remote backup mount point:
xx.xx.xx.xx:/backupfolder/
The files/folders created are:
NitroGuard/
alloc.conf
backupelm.conf
customfields.conf
das.conf
elmer_file_timeout.conf
ffg_FWS.conf
ffg_WEB.conf
fips.conf
freetds-gsql.conf
globals.conf
mgtdbloc.conf
network.conf
nitrosnmp.conf
storage.conf
thirdparty.conf
vathirdparty.conf
buildstamp
mgtdb/
NitroError.Log
ds2rg.data
elm.cfd
elm.cfg
elm.cpy
elm.dfl
elm.old
elmmsg.txt
rg/
rg.data
rg2sh.data
sh.data
sr.data
A log file indexes backup is a backup of all database table files (also called the Management DB)
uncompressed to a remote storage location. This backup type can back up to a CIFS/NFS location. The
storage location is mounted before the backup starts and is checked each time to ensure the backup
begins. It is expected that the backup location will contain more than one backup file unless the backup
location is maintained by the user. The data index files are copied uncompressed to the storage
location for storage and subsequent restoration. For a list of the tables backed up from the ELM is listed
above.
A configuration backup is a backup of ELM configuration files uncompressed to a remote storage

location. These files contain paths and configuration data for the processes that run on the ELM. Some
of the configuration is use in the ELM GUI but most is configuration used by the runtime components of
the ELM. For a list of the configuration files backed up from the ELM see above.
When a backup is started the ELM Properties dialog will show the backup in progress. (see below)
A backup will usually complete in 5 10 minutes unless there are connection issues or speed issues
copying files to the remote share.
You can also follow the process is by logging onto the console of the ELM and look at the
/var/log/messages file. It will look something like this:
Dec 25 06:33:56 McAfee backupelm[21996]: Starting elm backup
Dec 25 06:36:15 McAfee backupelm[22016]: Elm backup completed
The restore process is used to restore the ELM configuration and log file indexes back to the ELM. It
works in an opposite manner from the back up process. The Restore Backup button in the ELM Bakup
and restore GUI is pressed and the ELM backup is copied to the /data_hd/usr/local/elm/ folder.
The ELM must be shut down to restore the DB tables correctly. After that process is stopped the ELM
configuration files are copied to the correct folders on the ELM. After copying is finished the ELM is
restarted to recognize the new configuration placed on it. The best way to follow the process is by
logging onto the console of the ELM and look at the /var/log/messages file. It will look something like
this:
Dec 25 06:55:40 McAfee elmd[22713]: Stopping (Parent pid) = 22696
Dec 25 06:55:40 McAfee elmd[22713]: Flushing Database /usr/local/elm/mgtdb/elm.dfl
Dec 25 06:55:40 McAfee elmd[22713]: Flushing Database /usr/local/elm/mgtdb/rg/rg_1/elmlf_1.dfl
Dec 25 06:55:41 McAfee elmd[22713]: Flushing Database completed!
Dec 25 06:56:37 McAfee SetStorageConf[3478]: Starting to mount
Dec 25 06:56:37 McAfee SetStorageConf[3478]: mount returned [1] for
Dec 25 06:56:37 McAfee SetStorageConf[3478]: Verifying NFS224
Dec 25 06:56:37 McAfee SetStorageConf[3478]: Verifying local
The ELM restore will finish and you will see an OK in the ELM properties dialog.
Receiver (Standalone)
There are no specific backup capabilities on the Receiver. The Receiver has a 25 partition design that
stores the event/flow data long enough for the ESM to retrieve it off of the device. As long as the ESM is
current pulling data over to the ESM the Receiver data is available and can be backed up on the ESM.
Receiver (HA)
HA Receivers employ a backup mechanism called a redundant device. (like the redundant ESM is to the
primary ESM) The data shared between HA receivers keeps a back up active to allow for fail over of
the Receiver device. As above, there are no specific backup capabilities on the Receiver. The Receiver
has a 25 partition design that stores the event/flow data long enough for the ESM to retrieve it off of the
device. As long as the ESM is current pulling data over to the ESM the Receiver data is available and can
be backed up on the ESM.
ACE
There are no specific backup capabilities on the ACE. The ACE has a 25 partition design that stores the
event/flow data long enough for the ESM to retrieve it off of the device. As long as the ESM is current
pulling data over to the ESM the Receiver data is available and can be backed up on the ESM.

Backup Process For McAfee Devices

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Backup Process For McAfee Devices

Caricato da

Copyright:

Formati disponibili

Backup

process for McAfee devices

An incremental backup is a backup of ESM configuration files compressed to a local or remote

TABLE USERFLDS (2013-12-19 09:12:11) (228 record (s)) (0

Dec 20 02:22:25 McAfee [55337]: RestoreDB - started

Dec 20 02:22:25 McAfee [55337]: Opened database - /db2/usr/local/ess/data/ngcp.dfl - system

Dec 20 02:22:26 McAfee [55337]: RestoreDB - extracting file: - /db1/usr/local/ess/dbrestore/ETM-

Dec 20 02:23:42 McAfee [55337]: RestoreDB - restoring file: - /db1/usr/local/ess/dbrestore/ETM-

Dec 20 02:23:42 McAfee [55337]: RestoreDB - restoring on primary

Dec 20 02:25:48 McAfee [55337]: RestoreDB - restore system tables complete

Dec 20 02:25:57 McAfee [55337]: RestoreDB - finished

The files/folders created are:

A configuration backup is a backup of ELM configuration files uncompressed to a remote storage

Dec 25 06:33:56 McAfee backupelm[21996]: Starting elm backup

Dec 25 06:36:15 McAfee backupelm[22016]: Elm backup completed

Dec 25 06:55:40 McAfee elmd[22713]: Stopping (Parent pid) = 22696

Dec 25 06:55:40 McAfee elmd[22713]: Flushing Database /usr/local/elm/mgtdb/elm.dfl

Dec 25 06:55:40 McAfee elmd[22713]: Flushing Database /usr/local/elm/mgtdb/rg/rg_1/elmlf_1.dfl

Dec 25 06:55:40 McAfee elmd[22713]: Flushing Database /usr/local/elm/mgtdb/rg/rg_2/elmlf_2.dfl

Dec 25 06:55:41 McAfee elmd[22713]: Flushing Database /usr/local/elm/mgtdb/rg/rg_3/elmlf_3.dfl

Dec 25 06:55:41 McAfee elmd[22713]: Flushing Database completed!

Dec 25 06:56:37 McAfee SetStorageConf[3478]: Starting to mount

Dec 25 06:56:37 McAfee SetStorageConf[3478]: mount returned [1] for

Dec 25 06:56:37 McAfee SetStorageConf[3478]: Verifying NFS224

Dec 25 06:56:37 McAfee SetStorageConf[3478]: Verifying local

Potrebbero piacerti anche