Backup / Restore

Backup: Alert data (Cold Storage)

Alert data is rotated and compressed in JSON and log format every 24 hours. AEO indexes the JSON data for the console, so this data is the primary focus for backups.

Step 1: Backup/Transfer archive data

Copy /var/ossec/logs/alerts/<YYYY>/<Mon>/ to the backup location.

Example (rsync over ssh):

rsync -av -e ssh root@aeo:/var/ossec/logs/alerts/2020/* /mnt/backup

Restore: Alert data (Cold Storage)

Step 1: Transfer cold storage to hot storage

Copy the backup data to /var/ossec/logs/alerts/<YYYY>/<Mon>/.

Example (rsync over ssh):

rsync -av -e ssh /mnt/backup/ root@aeo:/var/ossec/logs/alerts/2020/

Step 2: Re-index restored data

On the AEO hub, run:

systemctl stop awpd

/var/awp/bin/awp_indexgen

systemctl start awpd

Note

Index generation can take several minutes per file.
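The backup and restore steps above copy files but give no way to tell a complete archive from a truncated or altered one before it is re-indexed. The following script is an added example, not part of the AEO documentation: it backs up one <YYYY>/<Mon> directory with a SHA-256 manifest, verifies the copy, and on restore refuses to write to hot storage unless the backup still matches that manifest. Assumptions: sha256sum or shasum is installed, the month directory holds regular files only, the sample alert files are constructed for this example, and the re-index commands from the page run only when REINDEX=1 (they are gated so the script runs on a host without awpd).

```shell
#!/bin/sh
# Added example (not part of the AEO documentation): back up one month of
# alert archives together with a SHA-256 manifest, and restore only after the
# manifest verifies. Assumptions: sha256sum or shasum is installed, the month
# directory holds regular files only (the normal layout of
# /var/ossec/logs/alerts/<YYYY>/<Mon>/), and the re-index commands quoted from
# the page run only when REINDEX=1 because awpd is absent on a test host.
set -u

# Pick the checksum tool available on this host (GNU coreutils or BSD/macOS).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
    else echo "shasum -a 256"; fi
}

# verify_manifest <dir>: every file listed in <dir>/SHA256SUMS must still hash
# to the recorded value; non-zero exit on any mismatch or missing file.
verify_manifest() {
    ( cd "$1" && $(sha256_tool) -c SHA256SUMS >/dev/null 2>&1 )
}

# backup_alerts <alerts_root> <YYYY> <Mon> <backup_root>
# Copies <alerts_root>/<YYYY>/<Mon>/ to <backup_root>/<YYYY>/<Mon>/, records a
# manifest computed from the SOURCE files, then checks the copy against it so a
# truncated or corrupted transfer is caught at backup time, not at restore time.
backup_alerts() {
    src="$1/$2/$3"; dst="$4/$2/$3"
    [ -d "$src" ] || { echo "no such month directory: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    cp -Rp "$src"/. "$dst"/ || return 1
    ( cd "$src" && find . -type f ! -name SHA256SUMS -exec $(sha256_tool) {} + ) \
        > "$dst/SHA256SUMS" || return 1
    verify_manifest "$dst"
}

# restore_alerts <backup_root> <YYYY> <Mon> <alerts_root>
# Refuses to touch hot storage unless the backup still matches its manifest,
# copies the files back, re-verifies the restored copy, then drops the manifest
# so the indexer does not see it as an alert file.
restore_alerts() {
    src="$1/$2/$3"; dst="$4/$2/$3"
    verify_manifest "$src" || {
        echo "backup $src fails manifest check; not restoring" >&2; return 1; }
    mkdir -p "$dst" || return 1
    cp -Rp "$src"/. "$dst"/ || return 1
    verify_manifest "$dst" || return 1
    rm -f "$dst/SHA256SUMS"
}

# reindex: the three commands from the page, gated so the example still runs
# on a host without awpd (set REINDEX=1 on the AEO hub).
reindex() {
    [ "${REINDEX:-0}" = 1 ] || return 0
    systemctl stop awpd && /var/awp/bin/awp_indexgen && systemctl start awpd
}

# make_sample_month <alerts_root> <YYYY> <Mon>: constructed sample data standing
# in for the rotated archives; the file contents are made up for this example.
make_sample_month() {
    d="$1/$2/$3"
    mkdir -p "$d" || return 1
    printf '{"rule":{"level":5},"agent":{"name":"web01"}}\n' > "$d/ossec-alerts-01.json"
    printf '** Alert 1577836800.0: - syslog\n' > "$d/ossec-alerts-01.log"
}
```

Usage on the hub follows the page's steps: `backup_alerts /var/ossec/logs/alerts 2020 Jan /mnt/backup` for cold storage, then later `restore_alerts /mnt/backup 2020 Jan /var/ossec/logs/alerts && REINDEX=1 reindex`. The manifest is computed from the source, not the copy, so it also detects a backup that was modified while sitting in cold storage.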