
!!!Disclaimer!!!

We would like to remind you that the provided steps are intended as a guideline and their scope is only best effort, as there is currently no official document for Backup and Restore of your ESM Environment.

The following backup and restore documentation for ESM 6.5 and ESM 6.8 is based on the following
scenarios and can ONLY be applied under these circumstances.

1. The restoration process needs to be performed on a new ESM server running the same version of
ESM where the backup process was taken.

2. The server needs to be a brand new server recently installed with no prior archives or resources.

3. The connectors restoration process is not part of this backup, as this process only focuses on backing
up resources (except connectors) and archives, so connectors need to be registered again.

4. The server may have a new IP address, hostname and certificate and this process can still be
used, as this scenario covers migrating ESM to new hardware.

5. In case of disaster recovery, the events of the current day (the day in progress) will always be lost, as there
is no archive yet for such events and there is no specific way to recover them.

6. The archives are located on the default path, which is /opt/arcsight/logger/data/archives, and this path
can't be changed for this procedure to work.

7. These steps are applicable only for versions 6.5 and 6.8 and can't be implemented on any other ESM
version.

Backup process.

1. Stop the manager service by issuing the command /etc/init.d/arcsight_services stop manager

2. Run the command /opt/arcsight/manager/bin/arcsight export_system_tables -s arcsight <DB_PASSWORD> arcsight and make sure to replace <DB_PASSWORD> with the actual CORR-E mysql database password.

3. Move the file /opt/arcsight/manager/tmp/arcsight_dump_system_tables.sql to a safe location outside of the ESM server.

4. Run the command /opt/arcsight/logger/current/arcsight/bin/mysqldump -uarcsight -p<DB_PASSWORD> arcsight user_sequences > user_sequences.sql and make sure to replace <DB_PASSWORD> with the actual password of your CORR-E mysql database.

5. Move the file user_sequences.sql generated in the previous step to a safe location outside the ESM server.

6. Copy the archives directory located under /opt/arcsight/logger/data/archives to another server.

7. Run the command /opt/arcsight/logger/current/arcsight/logger/bin/arcsight configbackup to make a configuration backup of your ESM.

8. Move the file /opt/arcsight/logger/current/arcsight/logger/tmp/configs/configs.tar.gz generated in the previous step to a safe location outside the ESM server.

9. Run the command /etc/init.d/arcsight_services start manager to start the manager service again.
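The nine backup steps above, collected into one script so that they run in the stated order and leave every artifact in a single staging directory, with a completeness check before the directory is copied off the ESM server. This is an added example, not a script shipped with ESM or part of the original page: the ESM_ROOT, SERVICES and DRY_RUN variables and the staging directory are knobs introduced here, and the mysqldump step assumes the bundled client accepts the standard --defaults-extra-file option, which is used in place of the page's -p<DB_PASSWORD> so that the CORR-E password is not visible in the process list. The export_system_tables tool still takes the password as an argument, exactly as the page shows.

```shell
#!/bin/sh
# Added example (not from the page): backup steps 1-9 as one script, with a sanity check on
# the staged artifacts before they leave the ESM server. Assumptions: ESM_ROOT, SERVICES,
# DRY_RUN and the staging directory are knobs added here, and the bundled mysqldump accepts
# the standard --defaults-extra-file option, used so the password never appears in `ps`.
set -eu

ESM_ROOT="${ESM_ROOT:-/opt/arcsight}"
SERVICES="${SERVICES:-/etc/init.d/arcsight_services}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi; }

# Mode-600 option file holding the CORR-E credentials for the bundled mysqldump.
write_mysql_opts() {
    (umask 077; printf '[client]\nuser=arcsight\npassword=%s\n' "$2" > "$1")
}

# Steps 1-9; every artifact is collected under $work so a single copy moves it off-box.
esm_backup() {
    work="$1"; password="$2"
    mkdir -p "$work"
    write_mysql_opts "$work/my.cnf" "$password"
    # The export tool takes the password as an argument (as on the page); mask it in dry runs.
    if [ "$DRY_RUN" = 1 ]; then pw_arg='<DB_PASSWORD>'; else pw_arg="$password"; fi

    run "$SERVICES" stop manager                                                        # step 1
    run "$ESM_ROOT/manager/bin/arcsight" export_system_tables -s arcsight "$pw_arg" arcsight   # step 2
    run cp "$ESM_ROOT/manager/tmp/arcsight_dump_system_tables.sql" "$work/"            # step 3
    if [ "$DRY_RUN" = 1 ]; then                                                         # steps 4-5
        printf 'DRY-RUN: mysqldump arcsight user_sequences > %s/user_sequences.sql\n' "$work"
    else
        "$ESM_ROOT/logger/current/arcsight/bin/mysqldump" --defaults-extra-file="$work/my.cnf" \
            arcsight user_sequences > "$work/user_sequences.sql"
    fi
    run cp -R "$ESM_ROOT/logger/data/archives" "$work/archives"                         # step 6
    run "$ESM_ROOT/logger/current/arcsight/logger/bin/arcsight" configbackup            # step 7
    run cp "$ESM_ROOT/logger/current/arcsight/logger/tmp/configs/configs.tar.gz" "$work/"   # step 8
    run "$SERVICES" start manager                                                       # step 9
    rm -f "$work/my.cnf"
}

# All three files present and non-empty, and the archives copy exists: returns 0 if complete.
check_backup_artifacts() {
    work="$1"; rc=0
    for f in arcsight_dump_system_tables.sql user_sequences.sql configs.tar.gz; do
        [ -s "$work/$f" ] || { printf 'MISSING or EMPTY: %s/%s\n' "$work" "$f" >&2; rc=1; }
    done
    [ -d "$work/archives" ] || { printf 'MISSING: %s/archives\n' "$work" >&2; rc=1; }
    return "$rc"
}

# Usage: sh esm_backup.sh backup [/path/to/staging]   (nothing runs without the "backup" word)
case "${1:-}" in
    backup)
        work="${2:-/var/tmp/esm-backup-$(date +%Y%m%d)}"
        printf 'CORR-E mysql password for user arcsight: '
        stty -echo; read -r pw; stty echo; printf '\n'
        esm_backup "$work" "$pw"
        check_backup_artifacts "$work" && printf 'Artifacts staged in %s; copy them off the ESM server now.\n' "$work"
        ;;
esac
```

Run it with DRY_RUN=1 first to see the exact commands it would issue on your server. The completeness check catches the common failure of this procedure, an empty dump or a configbackup that did not produce configs.tar.gz, while the manager is still stopped and the artifacts can be regenerated.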

Restoration process.

1. Run the command /etc/init.d/arcsight_services stop manager to stop the manager service.

2. Move the files user_sequences.sql and arcsight_dump_system_tables.sql to the /opt/arcsight/manager/tmp directory.

3. Move the file configs.tar.gz to the directory /opt/arcsight/logger/current/backups/. If the directory doesn't exist, create it owned by arcsight:arcsight.

4. Run the command /etc/init.d/arcsight_services stop logger_servers to stop the manager and logger
services.

5. Run the command echo "select * from user_sequences;" | /opt/arcsight/logger/current/arcsight/bin/mysql -u arcsight -p<DB_PASSWORD> arcsight to get the initial values of the table before it is modified. Replace <DB_PASSWORD> with the CORR-E database password.

6. Run the command /opt/arcsight/logger/current/arcsight/bin/mysql -u arcsight -p<DB_PASSWORD> arcsight < /opt/arcsight/manager/tmp/user_sequences.sql to import the user sequences. Make sure to replace <DB_PASSWORD> with the actual CORR-E database password.

7. Run the command echo "select * from user_sequences;" | /opt/arcsight/logger/current/arcsight/bin/mysql -u arcsight -p<DB_PASSWORD> arcsight to ensure the values were updated so there are no event collisions. Replace <DB_PASSWORD> with the CORR-E database password.

8. Run the command /opt/arcsight/manager/bin/arcsight import_system_tables arcsight <DB_PASSWORD> arcsight arcsight_dump_system_tables.sql to import your resources into your new ESM. Make sure you replace <DB_PASSWORD> with your CORR-E database password.

9. Place the archives under the directory /opt/arcsight/logger/data/archives with permissions set to
arcsight:arcsight and maintaining the original file structure.

10. Run the command /opt/arcsight/logger/current/arcsight/logger/bin/arcsight disasterrecovery start to recover your archives.

11. Run the command /etc/init.d/arcsight_services start all to start all the ESM services.
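The eleven restoration steps as one script, with the comparison that steps 5 and 7 ask for turned into an explicit check rather than two terminal dumps read by eye. This is an added example, not part of the original page or of ESM: ESM_ROOT, SERVICES and DRY_RUN are knobs introduced here; the bundled mysql client is assumed to accept the standard --defaults-extra-file, --batch and --skip-column-names options (credentials come from a mode-600 option file instead of -p<DB_PASSWORD> on the command line); and the check assumes that select * from user_sequences prints one tab-separated row per sequence with the name in the first column and the current value in the last, which is a constructed reading of the page, not a documented schema. The check itself encodes one interpretation of "no event collisions": no sequence value may be lower after the import than the fresh install had before it.

```shell
#!/bin/sh
# Added example (not from the page): restoration steps 1-11 as one script, with the
# before/after comparison of user_sequences (steps 5 and 7) turned into an explicit check.
# Assumptions: ESM_ROOT, SERVICES and DRY_RUN are knobs added here; the bundled mysql client
# accepts --defaults-extra-file, --batch and --skip-column-names; and the user_sequences
# query prints name in the first column and value in the last (constructed reading).
set -eu

ESM_ROOT="${ESM_ROOT:-/opt/arcsight}"
SERVICES="${SERVICES:-/etc/init.d/arcsight_services}"
DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi; }

# Run one statement as arcsight, credentials from a mode-600 option file, header suppressed.
mysql_query() {
    echo "$2" | "$ESM_ROOT/logger/current/arcsight/bin/mysql" --defaults-extra-file="$1" \
        --batch --skip-column-names arcsight
}

# Step 7 made explicit: every sequence value captured after the import must be at least the
# value the fresh install had before it; a lower value would let the manager hand out IDs
# already present in the restored resources and archives. Args: before-file after-file.
check_sequences_advanced() {
    awk -F'\t' '
        FILENAME == ARGV[1] { before[$1] = $NF; next }
        ($1 in before) && ($NF + 0) < (before[$1] + 0) {
            printf "REGRESSED %s: %s before import, %s after\n", $1, before[$1], $NF
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1" "$2"
}

# Steps 1-11; $backup is the directory holding the staged artifacts from the backup procedure.
esm_restore() {
    backup="$1"; password="$2"
    opts="$backup/.my.cnf"
    (umask 077; printf '[client]\nuser=arcsight\npassword=%s\n' "$password" > "$opts")
    if [ "$DRY_RUN" = 1 ]; then pw_arg='<DB_PASSWORD>'; else pw_arg="$password"; fi

    run "$SERVICES" stop manager                                                          # step 1
    run cp "$backup/user_sequences.sql" "$backup/arcsight_dump_system_tables.sql" "$ESM_ROOT/manager/tmp/"   # step 2
    run install -d -o arcsight -g arcsight "$ESM_ROOT/logger/current/backups"             # step 3
    run cp "$backup/configs.tar.gz" "$ESM_ROOT/logger/current/backups/"
    run "$SERVICES" stop logger_servers                                                    # step 4
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: capture user_sequences, import user_sequences.sql, capture again, compare\n'
    else
        mysql_query "$opts" 'select * from user_sequences;' > "$backup/sequences.before"   # step 5
        "$ESM_ROOT/logger/current/arcsight/bin/mysql" --defaults-extra-file="$opts" arcsight \
            < "$ESM_ROOT/manager/tmp/user_sequences.sql"                                   # step 6
        mysql_query "$opts" 'select * from user_sequences;' > "$backup/sequences.after"    # step 7
        check_sequences_advanced "$backup/sequences.before" "$backup/sequences.after"
    fi
    run "$ESM_ROOT/manager/bin/arcsight" import_system_tables arcsight "$pw_arg" arcsight arcsight_dump_system_tables.sql   # step 8
    run cp -R "$backup/archives/." "$ESM_ROOT/logger/data/archives/"                       # step 9
    run chown -R arcsight:arcsight "$ESM_ROOT/logger/data/archives"
    run "$ESM_ROOT/logger/current/arcsight/logger/bin/arcsight" disasterrecovery start     # step 10
    run "$SERVICES" start all                                                              # step 11
    rm -f "$opts"
}

# Usage: sh esm_restore.sh restore /path/to/staged/backup   (nothing runs without "restore")
case "${1:-}" in
    restore)
        printf 'CORR-E mysql password for user arcsight: '
        stty -echo; read -r pw; stty echo; printf '\n'
        esm_restore "$2" "$pw"
        ;;
esac
```

Because set -e is on, a regressed sequence stops the script before step 8, so resources and archives are never imported on top of a manager that would reuse their IDs; the before and after captures stay in the backup directory for inspection.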

There is another backup/restore procedure which you can implement, which can be considered a "snapshot"
of ESM, but we can't ensure such a process will work, as it is not possible to ensure the integrity of the files
is still appropriate when no new installation is performed.

Here are the steps for such a recovery procedure.

Backup procedure.

1. Run the command /etc/init.d/arcsight_services stop all to stop all services.

2. Once the services are stopped, copy the entire /opt/arcsight directory by issuing the command cp -R
/opt/arcsight <DESTINATION> to another server or backup server. Make sure to replace <DESTINATION>
with a different disk or partition on your server. You can also use scp in case you want to make a copy to
another server via the network.

3. Run the command /etc/init.d/arcsight_services start all to start all services again.

Restore procedure.

1. Install a new server (the recovery server) with the same OS version and the same settings the original ESM
server had.

2. Create the arcsight user and arcsight group with the same username and password such user had on
the previous server.

3. Restore the /opt/arcsight directory as arcsight user.

4. Log in as root and run the command /opt/arcsight/manager/bin/setup_services.sh
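The text above says the weakness of the snapshot approach is that nothing confirms the integrity of the copied files. The following added example (not part of the original page or of ESM) wraps the snapshot backup and restore in functions that write a SHA-256 manifest of the copy and verify it before the copy is put back, and that confirm the restored tree is owned by the arcsight user before root runs setup_services.sh. It assumes GNU coreutils sha256sum and introduces ESM_ROOT, SERVICES and DRY_RUN as knobs; the manifest detects altered or missing files but not extra files added to the copy.

```shell
#!/bin/sh
# Added example (not from the page): the "snapshot" backup/restore with a SHA-256 manifest,
# so the copy's integrity is checked before it is trusted on the new server.
# Assumptions: GNU coreutils sha256sum; ESM_ROOT, SERVICES and DRY_RUN are knobs added here.
set -eu

ESM_ROOT="${ESM_ROOT:-/opt/arcsight}"
SERVICES="${SERVICES:-/etc/init.d/arcsight_services}"
DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi; }

# Hash every regular file under $tree into $manifest (paths relative to $tree, sorted).
write_manifest() {
    tree="$1"; manifest="$2"
    (cd "$tree" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$manifest"
}

# Check a tree against its manifest; non-zero if any listed file is missing or altered.
verify_manifest() {
    tree="$1"
    manifest="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    (cd "$tree" && sha256sum --check --quiet "$manifest")
}

# Number of files under $1 not owned by user $2 (should be 0 after restoring as arcsight).
count_foreign_owned() {
    find "$1" ! -user "$2" -print | wc -l | tr -d ' '
}

# Backup steps 1-3: stop all services, copy /opt/arcsight, hash the copy, start services.
snapshot_backup() {
    dest="$1"
    mkdir -p "$dest"
    run "$SERVICES" stop all
    cp -R "$ESM_ROOT" "$dest/arcsight"
    write_manifest "$dest/arcsight" "$dest/arcsight.sha256"
    run "$SERVICES" start all
}

# Restore step 3 (steps 1, 2 and 4 stay manual): verify the copy, put it back, then confirm
# the tree is owned by $owner (arcsight) before root runs setup_services.sh.
snapshot_restore() {
    src="$1"; owner="${2:-arcsight}"
    verify_manifest "$src/arcsight" "$src/arcsight.sha256"
    mkdir -p "$ESM_ROOT"
    cp -R "$src/arcsight/." "$ESM_ROOT/"
    foreign=$(count_foreign_owned "$ESM_ROOT" "$owner")
    [ "$foreign" = 0 ] || { printf '%s files under %s not owned by %s\n' "$foreign" "$ESM_ROOT" "$owner" >&2; return 1; }
    printf 'Restored %s; now run %s/manager/bin/setup_services.sh as root\n' "$ESM_ROOT" "$ESM_ROOT"
}

# Usage: sh esm_snapshot.sh backup <DESTINATION>  |  sh esm_snapshot.sh restore <DESTINATION>
case "${1:-}" in
    backup)  snapshot_backup "$2" ;;
    restore) snapshot_restore "$2" "${3:-arcsight}" ;;
esac
```

Run the restore as the arcsight user, as the page instructs, so the copied files come out owned by that user; the ownership count at the end is what tells you whether that actually happened before setup_services.sh is run.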
