FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
mbenvenuti
Staff
Article Id 316329
Description This article describes how to copy the data of a FortiSIEM hardware appliance to backup storage or to a new FortiSIEM hardware appliance.
Scope FortiSIEM hardware machine.
Solution

When the original FortiSIEM hardware appliance runs into hardware issues such as an unavailable or corrupted root disk, the machine may still power up, but the FortiSIEM application cannot run.

Follow these steps to copy the data still available on the original machine to backup storage or to a new FortiSIEM hardware appliance.


  1. Requirements.
    • One 16 GB USB thumb drive for the Linux live image.
    • Ubuntu Desktop setup files (such as ubuntu-24.04.2.0-desktop-amd64.iso).
    • Rufus (bootable USB utility), downloaded from https://rufus.ie/.
    • A destination: a USB hard disk, an NFS share, or a new FortiSIEM hardware appliance preconfigured with the same version as the original machine, with the initial configuration steps completed and the FortiSIEM application running properly.


  2. Create a bootable Linux image.
    1. Connect the USB drive to a desktop or laptop.
    2. Open Rufus and select the following settings for the USB drive:
      1. Partition scheme and target system type: MBR partition scheme for BIOS or UEFI.
      2. File system: FAT32.
      3. Cluster size: 4096 bytes (default).
      4. Quick Format: enabled.
      5. Create a bootable disk using: ISO image.
      6. Click the 'CD-ROM' icon and select the Ubuntu setup ISO.
      7. Click Start and allow Rufus to complete.
      8. Once finished, the USB drive is ready to boot.
        Note: Alternatively, follow the Ubuntu guide for creating a bootable USB drive with Ubuntu.


  3. Boot the Ubuntu live USB.
    • Plug the USB drive into the FortiSIEM hardware.
    • At the boot menu, select 'Try Ubuntu'.
    • Wait for Ubuntu to load.


  4. Scan and identify the FortiSIEM disks.
    1. Open a terminal in the Ubuntu live session.
    2. Scan for LVM volume groups and activate the FortiSIEM one. The volume group is named after the appliance model (for example FSIEM2000F or FSIEM3500G); FSIEM3500G is used below, so replace it with the model in use.

sudo vgscan
Found volume group "rl" using metadata type lvm2
Found volume group "FSIEM3500G" using metadata type lvm2

sudo vgchange -ay FSIEM3500G
6 logical volume(s) in volume group "FSIEM3500G" now active

sudo lvdisplay
--- Logical volume ---
LV Path /dev/FSIEM3500G/phx_opt
LV Name phx_opt
VG Name FSIEM3500G
...

--- Logical volume ---
LV Path /dev/FSIEM3500G/phx_svn
LV Name phx_svn
VG Name FSIEM3500G
...

--- Logical volume ---
LV Path /dev/FSIEM3500G/phx_cmdb
LV Name phx_cmdb
VG Name FSIEM3500G
...

--- Logical volume ---
LV Path /dev/FSIEM3500G/phx_swap
LV Name phx_swap
VG Name FSIEM3500G
...

--- Logical volume ---
LV Path /dev/FSIEM3500G/phx_querydata
LV Name phx_querydata
VG Name FSIEM3500G
...

--- Logical volume ---
LV Path /dev/FSIEM3500G/phx_data
LV Name phx_data
VG Name FSIEM3500G
...


  5. Mount the volumes holding the data.

Volumes to mount:

  • /dev/mapper/FSIEM3500G-phx_data holds the events received by FortiSIEM and kept in online storage.
  • /dev/mapper/FSIEM3500G-phx_opt is dedicated to the FortiSIEM binaries but, from v6.5.0, also holds the CMDB backup.
  • /dev/mapper/FSIEM3500G-phx_svn holds the configuration changes of the devices previously discovered by FortiSIEM.

Mount the phx_data, phx_opt and phx_svn volumes and check that they are mounted correctly:


sudo mkdir /mnt/data
sudo mount /dev/mapper/FSIEM3500G-phx_data /mnt/data
sudo mkdir /mnt/opt
sudo mount /dev/mapper/FSIEM3500G-phx_opt /mnt/opt
sudo mkdir /mnt/svn
sudo mount /dev/mapper/FSIEM3500G-phx_svn /mnt/svn

ls -l /mnt/data

total 16
lrwxrwxrwx 1 postgres postgres 12 Mar 11 17:17 archive -> /opt/archive
drwxr-xr-x 2 root root 6 Mar 11 17:16 backup
drwxr-xr-x 2 admin admin 6 Feb 29 23:42 cache
drwxr-xr-x 2 postgres postgres 6 Mar 11 17:16 cmdb
drwxr-xr-x 2 admin admin 8192 May 21 15:52 custParser
drwxrwxr-x 2 admin admin 31 Apr 18 14:36 eventDataSum
drwxr-xr-x 8 admin admin 111 May 8 01:03 eventdb
drwxr-xr-x 2 admin admin 26 Mar 1 00:50 jmxXml
drwxr-xr-x 2 admin admin 4096 Mar 1 00:50 mibXml
drwx------ 3 admin admin 20 Mar 12 09:11 precomputedb
drwxr-xr-x 2 admin admin 6 Mar 11 17:16 reportdb

ls -l /mnt/opt

total 13064
drwxrwxr-x 3 postgres postgres 18 Mar 12 03:00 archive
drwxr-xr-x 5 admin admin 257 May 22 01:00 charting
drwxr-xr-x 4 clickhouse clickhouse 28 Mar 11 17:21 clickhouse
drwxrwxr-x 2 postgres postgres 6 Mar 11 17:16 db-backup
drwxr-xr-x 5 admin admin 258 May 22 01:00 exporter
drwxrwxr-x 5 admin admin 44 Mar 11 17:17 fortiinsight-ai
lrwxrwxrwx 1 root root 25 Mar 11 17:17 glassfish -> /opt/glassfish5/glassfish
drwxr-xr-x 7 admin admin 92 Mar 1 00:50 glassfish5
lrwxrwxrwx 1 root root 12 Apr 8 18:03 Java -> /opt/openjdk
drwxr-xr-x 5 admin admin 225 Mar 1 00:50 jsreport
drwxr-xr-x 7 admin admin 206 Mar 11 17:43 node-rest-service
lrwxrwxrwx 1 root root 40 Mar 11 17:17 openjdk -> /etc/alternatives/java_sdk_1.8.0_openjdk
drwxr-xr-x 23 root root 4096 May 22 11:07 phoenix
drwxr-xr-x 2 root root 4096 Mar 1 00:50 rpm
drwxr-xr-x 3 admin admin 149 Mar 1 00:50 selenium
drwxr-xr-x 3 admin admin 19 Mar 11 17:16 vmware
drwxrwxr-x 6 admin admin 133 Mar 1 00:51 zookeeper
-rw-r--r-- 1 root root 13368512 Mar 1 00:50 zookeeper.tar.gz

ls -l /mnt/svn

total 0
drwxr-xr-x 3 root root 36 Apr 5 18:07 repos

  6. Copy to the destination.

Check the size of the data to back up:

df -h


  • On a backup USB disk.

Mount the USB disk and run the following commands to start copying (replace /path_to_usb with the mount point of the USB disk):

mkdir /path_to_usb/CMDB_Backup
rsync -az /mnt/opt/archive/cmdb/ /path_to_usb/CMDB_Backup
rsync -az /mnt/data /path_to_usb/
rsync -az /mnt/svn /path_to_usb/


  • On a backup NFS share.

Mount the NFS share of choice and run the following commands to start copying:

sudo mkdir /mnt/backups
sudo mount -t nfs nfs_machine_ip:/shared_folder /mnt/backups
mkdir /mnt/backups/CMDB_Backup
rsync -az /mnt/opt/archive/cmdb/ /mnt/backups/CMDB_Backup
rsync -az /mnt/svn /mnt/backups/
rsync -az /mnt/data /mnt/backups/


  • On a new hardware machine running the same FortiSIEM version as the original machine, with the application running properly:

Restore the CMDB. From the Ubuntu live system, copy the CMDB backup to the new machine:

rsync -az /mnt/opt/archive/cmdb/ root@new_machine:/data/archive/cmdb

Then, on the new machine, stop the application and restore the backup:

phxctl stop
cp /data/archive/cmdb/phoenixdb_<timestamp> /tmp/
/opt/phoenix/deployment/db_restore.sh /tmp/phoenixdb_<timestamp>

If the new FortiSIEM machine has a different IP address from the previous FortiSIEM, review the IP configuration: Troubleshooting-Tip-How-to-validate-Super-IP-change.

reboot

From the Ubuntu live system, copy the rest of the data to the new machine:

rsync -az /mnt/data/ root@new_machine:/data
rsync -az /mnt/svn/ root@new_machine:/svn
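As an added example, not part of the article, the following POSIX shell script automates steps 4 to 6 for the USB or NFS destination on the Ubuntu live system and verifies the copy afterwards. The function names, the "FSIEM*" volume group prefix and the read-only mount are this example's assumptions; the logical volume names and the rsync layout follow the article.

```shell
#!/bin/sh
# Added example, not from the article: automates steps 4 to 6 on the Ubuntu live
# system. Function names and the "FSIEM*" volume group prefix are assumptions;
# LV names (phx_data, phx_opt, phx_svn) and the rsync layout follow the article.

# Pull the model-named volume group ("FSIEM...") out of `vgscan` output on stdin.
fsiem_vg_from_scan() {
    sed -n 's/.*Found volume group "\(FSIEM[^"]*\)".*/\1/p' | head -n 1
}

# Device-mapper path of a logical volume, e.g. /dev/mapper/FSIEM3500G-phx_data
lv_device() { printf '/dev/mapper/%s-%s\n' "$1" "$2"; }
# Activate the VG and mount the three data-bearing LVs read-only under /mnt so
# the copy step cannot modify the source volumes.
mount_fsiem_volumes() {
    sudo vgchange -ay "$1" || return 1
    for lv in data opt svn; do
        sudo mkdir -p "/mnt/$lv"
        sudo mount -o ro "$(lv_device "$1" "phx_$lv")" "/mnt/$lv" || return 1
    done
}

# Copy CMDB backup, event data and SVN repos to an already mounted destination
# (USB disk or NFS share). rsync runs as root so that -a keeps the admin and
# postgres ownership shown by `ls -l`; an unprivileged rsync would drop it.
copy_to_destination() {
    sudo mkdir -p "$1/CMDB_Backup" &&
    sudo rsync -az /mnt/opt/archive/cmdb/ "$1/CMDB_Backup" &&
    sudo rsync -az /mnt/data "$1/" &&
    sudo rsync -az /mnt/svn "$1/"
}

# Checksum dry run: --itemize-changes prints one line per differing file
# (second column "f"), so zero such lines means the copy matches the source.
verify_copy() {
    n=$(sudo rsync -anc --itemize-changes "$1" "$2" | grep -c '^[<>ch.*]f' || true)
    [ "$n" -eq 0 ]
}

run_backup() {
    vg=$(sudo vgscan | fsiem_vg_from_scan)
    [ -n "$vg" ] || { echo "no FSIEM volume group found" >&2; return 1; }
    mount_fsiem_volumes "$vg" && copy_to_destination "$1" &&
    verify_copy /mnt/opt/archive/cmdb/ "$1/CMDB_Backup/" &&
    verify_copy /mnt/data/ "$1/data/" && verify_copy /mnt/svn/ "$1/svn/" &&
    echo "backup to $1 verified"
}
# Usage after mounting the destination:  sh fsiem_backup.sh run /mnt/backups
if [ "$#" -eq 2 ] && [ "$1" = run ]; then run_backup "$2"; fi
```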
