ESM 6.0c CORR-Engine Archive Backup and Restore
- Pavan Raja

- Apr 8, 2025
Summary:
The document, "ESM 6.0c / CORR-Engine archive backup and restore," provides a method for backing up and restoring data from ESM 6.0c or CORR-Engine in case of system failure, corruption, or hardware issues. Authored by Alain Barringer, the document suggests using IROCK's solution to export and import system tables as a disaster recovery method. The process involves exporting and importing system tables via IROCK's archive feature for data backup and restoration.
The document outlines two test setups: one at the customer site and another through a home office lab environment. Key steps include generating a system table, shutting down logger services, restoring archived files, and running specific commands to associate them with ArcSight ESM 6.0c after import. The process is supported by a PDF attachment detailing all necessary steps and command flag options for using the 'restorearchives' command.
In summary, this document provides a step-by-step guide on how to use IROCK's archive feature to back up and restore ESM 6.0c or CORR-Engine data in case of system issues, with detailed instructions for both customer site and home office setups.
Details:
The document "ESM 6.0c / CORR-Engine archive backup and restore" outlines a method for backing up and restoring data from the ESM (Enterprise Security Manager) 6.0c or CORR-Engine in case of system failure, corruption, or hardware issues. Authored by Alain Barringer, it suggests using IROCK's solution to export and import system tables as a disaster recovery method. The document includes details on how the author discovered this approach during an engagement where users were unaware that there was no native archive feature in the software.
The document starts with a brief overview of the purpose, which is to provide steps for backing up and restoring data from ESM 6.0c or CORR-Engine in scenarios where normal backup methods fail due to hardware or software issues. It mentions that many users believed this was an acknowledged issue without a solution; however, upon researching, they found a workaround through IROCK's archive feature.
The document provides the link to a specific message on the IROCK platform, which discusses exporting and importing system tables as a means to back up data. The author confirms that their tests in a lab environment successfully exported and imported all previous resource content when performing this process, although they faced issues with archiving other types of data, highlighting the need to focus specifically on system tables for recovery purposes.
In summary, the document serves as a guide for restoring critical data from ESM 6.0c or CORR-Engine in case of failure through an external archive method, provided by IROCK, which is not natively available in these systems.
The document discusses a process to restore archive files for ArcSight ESM (Enterprise Security Manager) 6.0c, including detailed steps and commands for both the customer site test and the home office lab test. Key points include:
1. **Test Setup at Customer Site:**
   - A system table was generated.
   - The logger service was shut down.
   - Archive files were copied off the server to simulate a nightly backup, then the current ESM 6.0c was uninstalled and re-installed.
   - The ESM Manager service was shut down, the system table was imported, the ESM Manager service was started, the logger service was stopped, the archives were restored, and the logger service was restarted. However, the archives were not recognized initially.
2. **Test Setup at Home Office via LAB:**
   - The critical step missed in the first test was to associate the archive files with ArcSight ESM 6.0c after restoring them.
   - The command 'arcsight restorearchives' should be run after restoring the archives and before restarting the logger service.
3. **Documentation Reference:**
   - A PDF attachment (ESM_AdminGuide_6.0c.pdf) is provided for reference, which includes complete steps and command flag options for using the 'restorearchives' command to associate archive files with ESM 6.0c.
4. **Action Items:**
   - Run the 'arcsight restorearchives' command after restoring the archives and before restarting the logger service.
   - Refer to the attached PDF (ESM_AdminGuide_6.0c.pdf) for detailed steps and additional information on using the restore command.
