FortiSIEM Backing Up and Restoring FortiSIEM Directories and Databases

Backing Up and Restoring SVN

FortiSIEM uses a built-in SVN repository to store network device configurations and the versions of software installed on discovered devices.

Backup

The SVN files are stored in /data/svn. Copy the entire directory to another location.

Restore

Copy the backed-up directory from the backup location back onto the Supervisor and make sure it is named /data/svn.

Backing Up and Restoring the CMDB

The FortiSIEM Configuration Management Database (CMDB) contains discovered information about devices, servers, networks and applications. You should create regular backups of the CMDB that you can use to restore it in the event of database corruption.

Backup

The database files are stored in /data/cmdb/data. FortiSIEM automatically backs up this data twice daily and the backup files are stored in /data/archive/cmdb. To

Restore

If your database becomes corrupted, restore it from backup by performing these steps on your Supervisor node.

  1. Stop all processes with this phTools command:

These processes will continue to run, which is expected behavior:

  2. Copy the latest phoenixdb_<timestamp> file to a directory such as /tmp on the Supervisor host.
  3. Go to /opt/phoenix/deployment.
  4. Run db_restore /tmp/phoenixdb_<timestamp>.
  5. When this process completes, reboot the system.
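The restore steps above, scripted as an added example (this is not FortiSIEM's own tooling): it picks the newest phoenixdb_<timestamp> file from /data/archive/cmdb, stages a copy in /tmp, confirms the staged copy is byte-identical before db_restore sees it, and only then runs the stop, restore and reboot sequence. Two things are assumptions of the example rather than facts from the page: the file-name sort assumes the timestamp suffix is zero-padded so that lexical order is chronological, and the process-stop command is read from PH_STOP_CMD, whose default is a guess because the page does not print the phTools invocation. The script name cmdb_restore.sh is also hypothetical.

```shell
#!/bin/sh
# Added example, not FortiSIEM's own tooling: select, stage and verify the
# newest CMDB backup before handing it to db_restore on the Supervisor.
# Assumptions (not stated on the page): backup files are named
# phoenixdb_<timestamp> with a zero-padded timestamp that sorts lexically,
# oldest first; the process-stop command comes from PH_STOP_CMD, whose
# default "phtools --stop all" is this example's assumption.
set -u

CMDB_ARCHIVE="${CMDB_ARCHIVE:-/data/archive/cmdb}"
DEPLOY_DIR="${DEPLOY_DIR:-/opt/phoenix/deployment}"
PH_STOP_CMD="${PH_STOP_CMD:-phtools --stop all}"   # assumed, see header

# Print the path of the newest phoenixdb_<timestamp> file in $1, or fail
# if the archive directory holds none.
latest_cmdb_backup() {
    dir="$1"
    latest=$(find "$dir" -maxdepth 1 -type f -name 'phoenixdb_*' \
        | LC_ALL=C sort | tail -n 1)
    [ -n "$latest" ] || { echo "no phoenixdb_* backup in $dir" >&2; return 1; }
    printf '%s\n' "$latest"
}

# Copy backup $1 into staging directory $2 (e.g. /tmp) and confirm the copy
# is byte-identical before it is used for a restore.  cksum is a CRC: it
# catches a truncated or partial copy, not deliberate tampering.  Prints
# the staged path.
stage_cmdb_backup() {
    src="$1"; stage="$2"
    mkdir -p "$stage"
    dst="$stage/$(basename "$src")"
    cp "$src" "$dst"
    src_sum=$(cksum < "$src"); dst_sum=$(cksum < "$dst")
    [ "$src_sum" = "$dst_sum" ] || { echo "checksum mismatch staging $src" >&2; return 1; }
    printf '%s\n' "$dst"
}

# Full restore of staged file $1: stop processes, run db_restore from the
# deployment directory, then reboot.  Destructive; run deliberately on a
# Supervisor only.
restore_cmdb() {
    staged="$1"
    $PH_STOP_CMD || return 1
    cd "$DEPLOY_DIR" || return 1
    ./db_restore "$staged" || return 1
    reboot
}

case "${1:-}" in
    restore)
        f=$(latest_cmdb_backup "$CMDB_ARCHIVE") || exit 1
        s=$(stage_cmdb_backup "$f" /tmp) || exit 1
        echo "restoring from $s" >&2
        restore_cmdb "$s"
        ;;
    *) ;;   # no arguments: only define the functions above
esac
```

With no arguments the script only defines its functions, so it can be read or sourced safely; `sh cmdb_restore.sh restore` runs the whole sequence and is destructive, so run it only on the Supervisor and only after the staged file name it prints is the backup you intended.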

Backing Up and Restoring the Event Database

Backup

The event data is stored in /data/eventdb. Since this data can become very large over time, you should use a program such as rsync to copy the data incrementally to another location rather than recopying the whole tree each time. From version 4.2.1 the rsync program is installed on FortiSIEM by default.

Use this command to back up the eventdb.

Restore

To restore eventdb there are two options:

  1. Mount the directory where the event database was backed up.
  2. Copy the backup to the /data/eventdb directory.

These instructions are for the second option, copying the backup to the /data/eventdb directory.

  1. Stop all running processes.
  2. Copy the event database to its live location, /data/eventdb.

If you use the cp command, it may appear to have hung when there is a lot of data to copy.

Alternatively, you can use rsync, which displays the progress of the copy as it runs.

  3. Once complete, restart all processes.

Check that all processes have started.
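The same copy-a-tree procedure applies to /data/svn (the SVN section above) and to /data/eventdb. As an added example, not FortiSIEM's own code, here it is scripted with rsync for the incremental backup, for the second restore option (copy back into /data/eventdb), and with a checksum comparison of source and destination so that a backup or restore is verified rather than assumed complete. It assumes rsync is installed (the page says it is from 4.2.1). The process stop and start commands are read from PH_STOP_CMD and PH_START_CMD; their defaults are this example's assumption, since the page does not show the phTools commands. The script name tree_sync.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not FortiSIEM's own tooling: incremental backup and restore
# of a large directory such as /data/eventdb or /data/svn with rsync, plus an
# independent checksum comparison so a restore is verified, not assumed.
# Assumptions (not stated on the page): rsync is present; the process
# stop/start commands come from PH_STOP_CMD / PH_START_CMD, whose defaults
# "phtools --stop all" / "phtools --start all" are this example's guess.
set -u

PH_STOP_CMD="${PH_STOP_CMD:-phtools --stop all}"     # assumed, see header
PH_START_CMD="${PH_START_CMD:-phtools --start all}"  # assumed, see header

# Incremental mirror of tree $1 into $2.  The trailing slashes matter: with
# them rsync copies the *contents* of $1 into $2; without them it would
# create $2/eventdb.  -a keeps ownership, permissions and mtimes; --delete
# keeps the mirror exact; --progress shows per-file status, unlike cp,
# which looks hung on a multi-terabyte tree.
sync_tree() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    rsync -a --delete --progress "${src%/}/" "${dst%/}/"
}

# Emit "crc size ./relative/path" for every regular file under $1 in a
# stable order, so two trees can be compared with plain string equality.
tree_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          cksum "$f"
      done )
}

# Succeed only if $1 and $2 contain byte-identical sets of regular files.
# cksum is a CRC: it catches truncated or missed files, not tampering.
verify_tree() {
    [ "$(tree_manifest "$1")" = "$(tree_manifest "$2")" ]
}

# Backup: mirror live tree $1 into backup location $2, then verify.
backup_tree() {
    sync_tree "$1" "$2" && verify_tree "$1" "$2"
}

# Restore: stop processes, mirror backup $1 back into live path $2, verify,
# then restart.  Destructive on $2; run deliberately on the Supervisor.
restore_tree() {
    $PH_STOP_CMD || return 1
    { sync_tree "$1" "$2" && verify_tree "$1" "$2"; } || return 1
    $PH_START_CMD
}

case "${1:-}" in
    backup)  backup_tree "${2:-/data/eventdb}" "${3:?backup destination}" ;;
    restore) restore_tree "${2:?backup source}" "${3:-/data/eventdb}" ;;
    *) ;;   # no arguments: only define the functions above
esac
```

`sh tree_sync.sh backup /data/eventdb /mnt/backup/eventdb` mirrors the live tree and fails loudly if the mirror does not match; `sh tree_sync.sh restore /mnt/backup/eventdb /data/eventdb` performs the restore steps above and leaves the processes started only when the copied data verified. Because the restore mirrors with --delete, anything in /data/eventdb that is not in the backup is removed, which is what you want after corruption but not if you only meant to merge older data back in. The manifest checks regular files only; empty directories and ownership are left to rsync's -a.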

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiSIEM Backing Up and Restoring FortiSIEM Directories and Databases”

  1. hugh

    Great article. For the part regarding SVN copying and restore containing ‘device configurations’, is part of the SVN the CUSTOM rules, filters, searches, templates that we have created in-house?

    We are looking to migrate from 4.10 to 5.1, and would rather not lose the customized configurations.
