Backing Up and Restoring Configuration Data On AWS

You can use the following information to back up and restore configuration data for deployed capabilities.

 

Backing Up Configuration Data On AWS

You can back up the configuration data for the deployed capabilities and ArcSight Platform components.

  1. Log in to the AWS Backup console at https://console.aws.amazon.com/backup.
  2. Attach the AWSBackupFullAccess policy to your IAM role.

    For more information, see Managed policies for AWS Backup in the AWS documentation.

  3. Create an AWS backup plan for the EFS that you created during installation.

    For more information, see Creating a backup plan in the AWS documentation.

  4. Follow the onscreen prompts to complete the backup plan for backups at intervals of your choice with appropriate retention periods.
  5. After backup creation, in the left-hand pane select Protected resources to view a list of Resource IDs and Resource Types.
  6. To view the available associated backups, click a Resource ID.

Restoring Configuration Data On AWS

When restoring data stores, retain the original directory structure and the pod-level sub-directory structure:

    /<efs_server mount path>/arcsight-volume

The default EFS server mount path is /mnt/efs/<efs parent folder>.

  1. Ensure that you have valid AWS backups.

  2. Log in to the AWS Backup console at https://console.aws.amazon.com/backup.
  3. In the left-hand pane, select Protected resources to view a list of resources designated by Resource Type and Resource ID.

  4. To view the available Recovery point IDs, select a given Resource ID.

  5. Select a Recovery point ID and then click Restore.

  6. Keep default values on the page and then click Restore backup.

  7. In the left-hand pane, drill down to Jobs > Restore Jobs to view the restore job status.

    The restore job creates a new recovery directory at the root of the EFS. The recovered contents preserve the original path hierarchy.

  8. On the bastion host used for your AWS setup, run the following command:

    cd <INSTALLER_LOCATION>/aws-scripts/scripts

    Replace the <INSTALLER_LOCATION> variable with a specific value before you run the command.
  9. To view the restore script options, execute the following command. The nfs-arcsight-volume-restore.sh script must be run as root.

    ./nfs-arcsight-volume-restore.sh -h

    Use the following parameters:

    -r | --restore-dir
        Specify the AWS restore directory name created in the mount location. This parameter is mandatory.
    -o | --older-backup
        Available pod backups. This parameter is optional.
    -p | --path
        Specify the EFS mount path. This parameter is mandatory.
    -h | --help
        Displays the command options.
  10. (Conditional) To restore to the latest EFS backup, execute the following command. The nfs-arcsight-volume-restore.sh script must be run as root.

    ./nfs-arcsight-volume-restore.sh -r <restore_dir_in_mount_location> -p <mount_path>

    Replace the <restore_dir_in_mount_location> and <mount_path> variables with specific values before you run the command.

    For example:

    ./nfs-arcsight-volume-restore.sh -r aws-backup-restore_<TIMESTAMP> -p arcsight

    To restore to an earlier pod backup, use the -o parameter listed in the usage options.
  11. To complete the restore process, follow the onscreen instructions.

After following the configuration data restoration process, opening Fusion ArcMC from the Fusion dashboard can produce a 503 Service temporarily unavailable error. To resolve this issue, use the workaround described here.
  1. (Conditional) If Transformation Hub is deployed, complete the following steps:

    1. Mount and navigate to the EFS backup location.

    2. Navigate to the Transformation Hub directory.

      For example:

      /<efs mount location>/arcsight-volume/transformationhub/config/
    3. Ensure that the arcsight-volume is mounted, then navigate to /transformationhub/config/.

    4. If the file arcsight-env-override.properties exists in the backup location (substep 2), copy it to the arcsight-volume directory (substep 3), and then remove from the file any properties that do not apply to the restored environment.

  2. To get the names of pods to restart, execute the following command:

    kubectl get pods -n $( kubectl get namespaces | grep arcsight | cut -d ' ' -f1)

    Compare the output with the impacted pods listed in this table to identify the pod names.
  3. To restart pods listed in this table, execute the following command:

    kubectl delete pods -n $( kubectl get namespaces | grep arcsight | cut -d ' ' -f1) <space separated pod names>

    Replace the <space separated pod names> variable with specific values before you run the command.

    For example:

    kubectl delete pods -n $( kubectl get namespaces | grep arcsight | cut -d ' ' -f1) fusion-user-management-56497c76bb-mdmmz fusion-dashboard-web-app-7b864467d5-d2c8v fusion-metadata-rethinkdb-5c69c77756-hxxzg
  4. Remove the recovery directory that was restored from AWS to the default mount location in step 7 of the restore procedure above:

    cd <default mount path>
    sudo rm -rf aws-backup-restore_<TIMESTAMP>

    Replace the <default mount path> and <TIMESTAMP> variables with specific values before you run the command.
  5. Ensure that all pods display a running status:

    kubectl get pods --all-namespaces
  6. To verify restored data stores, log in to the associated application.
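
The pod restart and cleanup steps above, wrapped in guards, as an added example that is not part of the original documentation or the installer scripts; the function names are hypothetical. It fails when the namespace lookup does not return exactly one arcsight namespace, and it refuses to delete anything that is not a real aws-backup-restore_* directory directly under the mount root.

```shell
#!/usr/bin/env bash
# Added example: guards around the pod restart and cleanup steps.
# Function names are hypothetical; they are not part of the installer scripts.

# Reads "kubectl get namespaces" rows on stdin and prints the one namespace
# whose name contains "arcsight". Zero or several matches is an error: the
# inline $(... | grep arcsight | cut ...) would expand to nothing or to
# several words, and "kubectl delete pods -n" would misread its arguments.
arcsight_namespace() {
  local matches count
  matches=$(awk '$1 ~ /arcsight/ { print $1 }')
  count=$(printf '%s\n' "$matches" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one arcsight namespace, found $count" >&2
    return 1
  fi
  printf '%s\n' "$matches"
}

# Deletes <root>/<name> only when <name> is a plain aws-backup-restore_* entry
# and the target is a real directory (not a symlink) directly under <root>.
# Set SUDO=1 to run the removal through sudo, as the page's command does.
remove_recovery_dir() {
  local root="$1" name="$2" target
  case "$name" in
    */* | *..*) echo "refusing: '$name' contains a path component" >&2; return 1 ;;
    aws-backup-restore_?*) ;;
    *) echo "refusing: '$name' is not an aws-backup-restore_* name" >&2; return 1 ;;
  esac
  if [ -z "$root" ] || [ ! -d "$root" ]; then
    echo "refusing: mount root '$root' is not a directory" >&2
    return 1
  fi
  target="$root/$name"
  if [ -L "$target" ] || [ ! -d "$target" ]; then
    echo "refusing: $target is a symlink or not a directory" >&2
    return 1
  fi
  ${SUDO:+sudo} rm -rf -- "$target"
}

# Usage on the bastion host (placeholders as on the page):
#   ns=$(kubectl get namespaces --no-headers | arcsight_namespace) || exit 1
#   kubectl delete pods -n "$ns" <space separated pod names>
#   SUDO=1 remove_recovery_dir <default mount path> aws-backup-restore_<TIMESTAMP>
```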