ArcSight Infrastructure Backup Practices
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
This document outlines the procedures for backing up an ArcSight infrastructure, which consists of multiple appliances working together in a fail-safe configuration. The main components discussed are ArcSight Logger and ESM Manager, with strategies tailored to both small and large setups. In larger environments, redundant appliances ensure high availability; however, managing the resulting complex configurations adds overhead. For ArcSight Logger hardware, internal disks, SANs, or NFS fileshares are recommended for data storage. The ArcSight ESM Manager is backed up by archiving its directory while it is in production, with OS file-level backups used depending on organizational capabilities. Database backup is the most challenging aspect and requires adherence to the organization's Oracle database policies; options include RMAN for comprehensive backups and enabling Archive Logging, weighed against its performance cost.
Details:
Title: ArcSight Infrastructure Backup Practices
Date: July 28, 2010
Author: Jonathan Katz
**Introduction:**
The typical ArcSight infrastructure comprises several components that operate autonomously and necessitate distinct backup methods for continuity of business operations. Understanding their interdependencies is crucial in designing an effective backup strategy for the entire system.
**Approaches:**
ArcSight infrastructure can be analyzed from different perspectives, such as functionality or technological category. A comprehensive approach involves considering all components and how they interact during events. This document follows the event flow through the ArcSight infrastructure to address disaster recovery (DR) and backup issues effectively.
**Appliances:**
In a typical medium-to-large ArcSight setup, multiple appliances are used to manage log collection and analysis across various data centers or handle feeds from a single source. Fail-safety can be achieved by having redundant appliances operating in parallel (Active/Active configuration).
**High-Availability Appliances:**
This refers to configurations where multiple appliances store the same data, ensuring that if one fails, the others continue to operate and provide service. This setup enhances resilience against disasters, allowing analysts to access event data from alternative sources without significant downtime or loss of operational capability.
Backup procedures for the infrastructure can be configured to maintain high availability. An alternate set of equipment may serve as the backup, either sized smaller or acting as a testbed that is upgraded to full production use in the event of a prolonged outage. Separate event backups are unnecessary because the alternate set is itself the live backup. Configuration and settings are backed up through the appliance's own features so they can be restored if needed. Backup intervals depend on site policy, typically daily, weekly, or monthly once the installation has stabilized. In smaller environments without multiple appliances, a single appliance running ArcSight Connectors can feed both the Logger and ESM installations simultaneously, providing high availability if one of them fails. However, managing connectors from an ESM instance becomes more complex as their number grows, which adds overhead.
The article discusses backup strategies for the ArcSight ESM Manager in both smaller and larger environments. For smaller installations, the resources consumed by the manager might not be a concern; in larger environments, however, they can become a factor because of their impact on performance or scalability. The single connector described above also represents a single point of failure.
The article also covers methods for backing up ArcSight Logger hardware, including storing data on internal disks or SANs, or exporting events onto an NFS fileshare. Each of these can serve as a backup copy of the events from a single Logger device.
When it comes to the ArcSight ESM Manager itself, backups are relatively simple: archive its directory while it is in production. The manager's configuration is static unless manually altered, so backups can be made infrequently, such as monthly. OS file-level backups might also be relied upon, depending on the organization's competence in executing its backup policies.
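As an added example (not code from the original article), a POSIX shell routine that archives a manager directory as the text describes, records a SHA-256 checksum so the archive can be verified before a restore depends on it, and prunes old copies. The manager path and backup directory are assumptions passed in as arguments, not ArcSight's own defaults.

```shell
#!/bin/sh
# Added example: monthly-style archive of an ESM Manager directory.
# Paths are assumptions supplied by the caller; nothing here is ArcSight-specific.

# Create a timestamped tar.gz of the manager directory plus a checksum file.
# Prints the archive path so callers can verify or log it.
backup_manager_dir() {
  manager_home="$1"   # directory to archive (assumed path)
  backup_dir="$2"     # destination for archives and checksums (assumed path)
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$backup_dir/esm-manager-$stamp.tar.gz"
  mkdir -p "$backup_dir"
  # Archive relative to the parent so the restore lands in the same layout.
  tar -czf "$archive" -C "$(dirname "$manager_home")" "$(basename "$manager_home")"
  # Checksum stored beside the archive: detects corruption or tampering at restore time.
  (cd "$backup_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
  printf '%s\n' "$archive"
}

# Return 0 only if the checksum matches AND the archive is readable as a tarball.
verify_backup() {
  archive="$1"
  (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1) || return 1
  tar -tzf "$archive" >/dev/null 2>&1 || return 1
  return 0
}

# Keep only the newest N archives (and their checksum files) in the backup directory.
prune_old_backups() {
  backup_dir="$1"
  keep="$2"
  ls -1t "$backup_dir"/esm-manager-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" |
  while read -r old; do
    rm -f "$old" "$old.sha256"
  done
}
```

Run `verify_backup` on a restored copy before cutting over to it; a backup that has never been checked is only a hope.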
The most challenging aspect is backing up the ArcSight database, which typically must follow the organization's policies for Oracle databases. The question "why do we need to back it up?" acknowledges that, although the database is important, the necessity of backing it up is debated. Ultimately, adherence to the organization's backup policy and its competence in executing it determine how effective these strategies are.
The text emphasizes configuring the database and managing event data within it efficiently. When multiple Loggers are in use, they each hold similar data, which effectively serves as a backup should direct access to the database be needed. Therefore only the specific ArcSight system tables need to be backed up, either by scheduling regular dumps or by using RMAN for Oracle database backups. Enabling Archive Logging can streamline backup and recovery but at a cost in performance, so the decision should weigh recovery efficiency against operational performance. Depending on organizational needs, RMAN can be configured to back up only the critical ArcSight system tables or the entire database.
