Log Correlation Engine Backup Strategy



Similar documents
Patch Management Integration

3D Tool 2.0 Quick Start Guide

Nessus and Mobile Device Scanning. November 7, 2014 (Revision 12)

Log Correlation Engine 4.6 Quick Start Guide. January 25, 2016 (Revision 2)

WHITEPAPER. Nessus Exploit Integration

SecurityCenter 4.2 Administration Guide

SecurityCenter 4.4 Administration Guide

May 11, (Revision 10)

Nessus and Antivirus. January 31, 2014 (Revision 4)

Nessus Credential Checks for Unix and Windows

Nessus Enterprise for Amazon Web Services (AWS) Installation and Configuration Guide. July 16, 2014 (Revision 2)

How To Run The Nessus 6 Vulnerability Scanner On A Pc Or Mac Or Linux (For A Non-Procedure) On A Microsoft Mac Or Pc Or Linux On A Mac Or Mac (For An Unprocedured Pc Or

April 11, (Revision 2)

Log Correlation Engine 4.2 Administration and User Guide. May 14, 2014 (Revision 2)

Tenable Webcast Summary Managing Vulnerabilities in Virtualized and Cloud-based Deployments

SecurityCenter 4.4 Architecture

Log Correlation Engine 4.0 Administration and User Guide. March 5, 2013 (Revision 6)

Nessus Perimeter Service User Guide (HTML5 Interface) March 18, 2014 (Revision 9)

Real-Time Auditing for SANS Consensus Audit Guidelines

Log Correlation Engine 4.2 High Availability Large Scale Deployment Guide. February 19, 2014 (Revision 2)

Passive Vulnerability Scanner 4.0 User Guide. September 18, 2014 (Revision 12)

Red Hat System Administration 1(RH124) is Designed for IT Professionals who are new to Linux.

SecurityCenter 4.8 Administration Guide. October 2, 2015 (Revision 13)

Log Correlation Engine 4.2 Client Guide. September 11, 2015 (Revision 23)

Log Correlation Engine 4.2 Architecture Guide. October 3, 2013 (Revision 2)

Nessus Enterprise Cloud User Guide. October 2, 2014 (Revision 9)

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1)

Passive Vulnerability Scanner 4.2 User Guide. June 8, 2015 (Revision 12)

Continuous Network Monitoring

Plesk 8.3 for Linux/Unix Acronis True Image Server Module Administrator's Guide

Using the Tenable Solution to Audit and Protect Firewalls, Routers, and Other Network Devices May 14, 2013 (Revision 1)

Using Symantec NetBackup with Symantec Security Information Manager 4.5

Unless otherwise noted, all references to STRM refer to STRM, STRM Log Manager, and STRM Network Anomaly Detection.

MapGuide Open Source Repository Management Back up, restore, and recover your resource repository.

webmethods Certificate Toolkit

Log Correlation Engine 3.6 Log Normalization Guide

2 Advanced Session... Properties 3 Session profile... wizard. 5 Application... preferences. 3 ASCII / Binary... Transfer

Log Correlation Engine 4.4 Client Guide. February 13, 2015 (Revision 2)

Security Event Management. February 7, 2007 (Revision 5)

McAfee SMC Installation Guide 5.7. Security Management Center

Tenable Appliance Guide

VERITAS NetBackup Microsoft Windows User s Guide

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

SIEBEL SERVER ADMINISTRATION GUIDE

4PSA Total Backup User's Guide. for Plesk and newer versions

Cisco Setting Up PIX Syslog

SOA Software API Gateway Appliance 7.1.x Administration Guide

How To Backup A Database In Navision

June 8, (Revision 1)

RSA Security Analytics

Log Correlation Engine 4.2 Log Normalization Guide. October 3, 2013 (Revision 3)

SSL: A False Sense of Security? How the Tenable Solution Restores SSL Effectiveness and Mitigates Related Threats

StarWind iscsi SAN Software: Tape Drives Using StarWind and Symantec Backup Exec

Log Correlation Engine Best Practices

Configuring LocalDirector Syslog

Trend Micro Encryption Gateway 5

How to Tunnel Remote Desktop Through SSH on a Windows Computer

Blended Security Assessments

Plesk 8.0 for Linux/UNIX Backup and Restore Utilities

IMF Tune v7.0 Backup, Restore, Replication

Basic System. Vyatta System. REFERENCE GUIDE Using the CLI Working with Configuration System Management User Management Logging VYATTA, INC.

Intuit QuickBooks Enterprise Solutions. Linux Database Server Manager Installation and Configuration Guide

StarWind iscsi SAN Software: Using StarWind with MS Cluster on Windows Server 2008

Unix Sampler. PEOPLE whoami id who

LogLogic Trend Micro OfficeScan Log Configuration Guide

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Tenable Appliance 2.8 Guide. June 24, 2014 (Revision 3)

TIBCO Fulfillment Provisioning Session Layer for FTP Installation

753 Broad Street Phone: Suite 200 Fax: Augusta, GA Copyrights

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual

SWsoft Plesk 8.2 for Linux/Unix Backup and Restore Utilities. Administrator's Guide

Using Nessus In Web Application Vulnerability Assessments

Enabling NetFlow on Virtual Switches ESX Server 3.5

NAS 259 Protecting Your Data with Remote Sync (Rsync)

Nessus Credentialed Checks. November 24, 2014 (Revision 38)

How To Use The Policy Patrol Archiver Server

Secure Web Gateway Version 11.7 High Availability

IM and Presence Disaster Recovery System

LogLogic Cisco IPS Log Configuration Guide

Quest Privilege Manager Console Installation and Configuration Guide

LogLogic General Database Collector for Microsoft SQL Server Log Configuration Guide

EMC Data Domain Management Center

How to Copy A SQL Database SQL Server Express (Making a History Company)

Attix5 Pro Server Edition

Chapter 1: How to Register a UNIX Host in a One-Way Trust Domain Environment 3

Log Correlation Engine Log Normalization Guide. December 22, 2014 (Revision 2)

Configuring ADOBE LIVECYCLE ES4 Application Server Cluster using WEBSPHERE

QuickBooks Enterprise Solutions. Linux Database Server Manager Installation and Configuration Guide

TIBCO Hawk SNMP Adapter Installation

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security

Transcription:

Log Correlation Engine Backup Strategy August 10, 2012 (Revision 1) Copyright 2002-2012 Tenable Network Security, Inc. Tenable Network Security, Nessus and ProfessionalFeed are registered trademarks of Tenable Network Security, Inc. Tenable, the Tenable logo, the Nessus logo, and/or other Tenable products referenced herein are trademarks of Tenable Network Security, Inc., and may be registered in certain jurisdictions. All other product names, company names, marks, logos, and symbols may be the trademarks of their respective owners. Tenable Network Security, Inc. 7063 Columbia Gateway Drive, Suite 100, Columbia, MD 21046 410.872.0555 sales@tenable.com www.tenable.com

Table of Contents Introduction... 3 Standards and Conventions... 3 Overview...... 3 Backing up LCE Data Using forward-syslog... 3 Backing up LCE Data Using rsync... 4 Frequency and Scope... 4 Downtime... 4 Running rsync... 5 Confirming Data Synchronization... 6 About Tenable Network Security... 7 Copyright 2002-2012 Tenable Network Security, Inc. 2

INTRODUCTION This document describes procedures for backing up Tenable Network Security s Log Correlation Engine (LCE) data. Installation, configuration, and management of LCE are covered by other documents. Please email any comments and suggestions to support@tenable.com. A basic understanding of LCE functionality, SecurityCenter, and system administration is assumed. STANDARDS AND CONVENTIONS Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font such as gunzip, httpd, and /etc/passwd. Command line options and keywords are also indicated with the courier bold font. Command line examples may or may not include the command line prompt and output text from the results of the command. Command line examples will display the command being run in courier bold to indicate what the user typed while the sample output generated by the system will be indicated in courier (not bold). Following is an example running of the Unix pwd command: # pwd /opt/sc4/daemons # Important notes and considerations are highlighted with this symbol and grey text boxes. Tips, examples, and best practices are highlighted with this symbol and white on blue text. OVERVIEW Technologies and strategies to back up data can vary greatly from one organization to another. This document is intended to suggest some simple methods to back up LCE data for organizations that may not have a comprehensive backup policy or procedure. The procedures described in this document are not intended to replace your current backup strategy, but are suggested methods to consider if you do not have an existing infrastructure to back up data. BACKING UP LCE DATA USING FORWARD-SYSLOG The forward-syslog option is available as a part of the LCE server configuration. While enabling this option does not back up the LCE server and configuration, the data can be forwarded to one or more dedicated syslog servers or other LCEs as the events arrive. Edit the /opt/lce/daemons/lce.conf file to enable the forward-syslog option. The format of the option is forward-syslog IP:port,exclude_header. If no port is specified, Copyright 2002-2012 Tenable Network Security, Inc. 3

UDP 514 is assumed. The exclude_header option determines if the LCE header is included in the syslog record that is forwarded. When set to 1, only the original log is forwarded without any information that it was forwarded from the LCE server. If unset or set to 0, it will include the LCE header when forwarding logs. If you have more than one LCE or syslog server to forward data to, specify each one on a separate line as shown in the following example: forward-syslog 192.168.10.10 forward-syslog 192.168.10.50:1234,0 forward-syslog 192.168.20.30:514,1 BACKING UP LCE DATA USING RSYNC The rsync utility enables you to back up only the LCE data that has changed since the last backup. There are a few issues to take into consideration when backing up an LCE server using rsync: > Frequency and scope of backup > Scheduling downtime Using rsync commands incorrectly can lead to data loss. It is very important to ensure the commands are entered correctly. If the source and target are reversed, the data from the backup location will overwrite the production data. FREQUENCY AND SCOPE It is recommended that the entire /opt/lce directory tree be backed up on a regular basis. The bulk of the space in this directory will consist of the LCE databases that contain the stored log data. Once the initial rsync is complete, the data copied will only consist of incremental changes to stored data, log files, PRMs, TASLs, and configuration data. Note: rsync is not intended for version management. This utility is designed to synchronize the data between two locations. The deltas that are backed up overwrite previous versions of files in the archive and do not maintain the older version. For example, if you performed a backup on a Tuesday and ran rsync every day for several days after, you could not roll back to the Tuesday version of the data. DOWNTIME Downtime will need to be scheduled to gain the most complete backups possible. It is not recommended that rsync be performed on a live system for several reasons. The first reason is that the current silo and associated files that are recording log data will be changing during the rsync process and will not match during verification attempts. Another concern is that log files will likely change during the rsync process and will not match verification after the rsync is complete. These logs include those in /opt/lce/admin/log and /opt/lce/log_archive (if in use). Copyright 2002-2012 Tenable Network Security, Inc. 4

The last thing to note is that when performing the rsync while LCE is running, incoming data may be lost. On a busy LCE server, the incoming logs continue to be sent from their sources and the rsync process can send a lot of data across the same network interface(s). This may cause congestion that hinders both the collection of logs and the rsync process. If the LCE server is shut down for the rsync process, data from LCE clients will be cached until the server comes back online. However, data from syslog and other sources will be lost as they do not know when the LCE server is not available. RUNNING RSYNC While specific environmental variables must be considered, testing has determined that the best generic method is the following command syntax as the root user: # rsync -avzr -e ssh --delete /opt/lce/ root@<host>:/opt/lce/ The breakdown of the command is as follows: Command Element Description -a Sets the archive bit -v Displays verbose progress messages to the terminal screen -z Compresses the data before sending to the target machine -r Copies subdirectories -e --delete /opt/lce/ root@<host>:/opt/lce/ Tells rsync which shell to use (in this case, ssh is specified to encrypt the data during transfer) Compares the list of files available from the source host with the destination host. If the source no longer contains a file listed on the destination, the destination copy will be removed. Represents the source directory to copy data from Represents the destination directory. In this case, we are logging in as the root user. Replace <host> with the DNS name or IP address of the destination server, and specify the directory to copy to. If the directory does not exist, it will be created. Replace this with /path/to/local/directory if the destination is mounted on the same host as the LCE server. Copyright 2002-2012 Tenable Network Security, Inc. 5

CONFIRMING DATA SYNCHRONIZATION Results of the rsync process can be confirmed by comparing MD5 checksum information of the source and copied data. Collect the md5sums of the source data to a text file just prior to or just after rsync completion with a command such as: # find /opt/lce/ -type f -print0 xargs -0 md5sum > lce_checksums.md5 This process may take quite some time depending on the number of files, their sizes, and the resources of the host server. The file will likely contain thousands of lines similar to: 0ef2b321b7d053f95fe4504c8fdd78ef /opt/lce/lce.txt The data at the start of the line is the md5sum, and the latter part is the associated file name. Once the process is complete, copy the lce_checksums.md5 file to the target system. On the target system, edit the lce_checksums.md5 file to reflect the proper path to the rsync target if it was different than /opt/lce/. Next, run the following command: # md5sum -c lce_checksums.md5 grep -i failed > failed_check.txt The command compares the lce_checksums.md5 list of files and checksums against the targeted files on the local file system. Any of the files that return as failed in matching will be directed to the failed_check.txt file. This file may be reviewed for the files that show a different md5sum on the target machine than the source. If a file contains a different md5sum, that indicates a difference in the source and destination files. Leaving out the grep -i failed portion of the command will save a list all of the compared files, both successful and failed. Leaving out the > failed_check.txt portion of the command will simply display the results in the terminal window without saving the output. Copyright 2002-2012 Tenable Network Security, Inc. 6

ABOUT TENABLE NETWORK SECURITY Tenable Network Security, the leader in Unified Security Monitoring, is the source of the Nessus vulnerability scanner and the creator of enterprise-class, agentless solutions for the continuous monitoring of vulnerabilities, configuration weaknesses, data leakage, log management, and compromise detection to help ensure network security and FDCC, FISMA, SANS CAG, and PCI compliance. Tenable s award-winning products are utilized by many Global 2000 organizations and Government agencies to proactively minimize network risk. For more information, please visit http://www.tenable.com/. Tenable Network Security, Inc. 7063 Columbia Gateway Drive Suite 100 Columbia, MD 21046 410.872.0555 www.tenable.com Copyright 2002-2012 Tenable Network Security, Inc. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information