Description

This article describes how to backup and restore the event DB for FortiSIEM. 

Scope

FortiSIEM.

Solution

Backup:

In order to back up the data from event DB, situate the event data stored in /data/eventdb. Since this data can become very large over time, a program such as rsync can be used to incrementally move the data to another location.

1. Decide Network Location: e.g. NFS or SMB.
2. Before intializing backup, stop FortiSIEM services: phtools stop all
3. Check that all processes have stopped: phstatus
4. Backing up the EventDB can be done with two methods:
   1. Using Mysqldump: mysqldump -u root -p eventdb > /path/to/backup/eventdb_backup.sql
   2. Using rsync: rsync -a --progress /data/eventdb /<another>/<mount>/<point>
5. Check the backup: ls -lh /path/to/backup/eventdb_backup.sql
6. Restart FortiSIEM:  phtools start all

Restore:

In order to restore the event DB data, mount the directory where the event database was backed up.

$ sudo mkdir /media/newhd

   $ sudo mount /data/eventdb /media/newhd

   $ df -H

rsync -a --progress /backup/eventdb /data/eventdb

It is important to note that the event data logs are stored in a proprietary event database.

Related articles:

• Technical Tip: How to Migrate the eventdb/data to NFS - RSYNC
• Technical Tip: How to migrate data to NFS share - INTERNAL
• Technical Tip: [Accelops KB] How to configure Event DB backup with Remote Share