Use a Dark Spare Backup Appliance
You can purchase a Dark Spare Backup Appliance to replace an existing appliance if it fails. The Dark Spare must match the appliance platform it will replace; a Dark Spare can also be used to recover an appliance of lesser specifications.
This topic describes how to set up a Dark Spare system so it functions the same as the Primary System it is replacing, even though the Dark Spare does not have all the same configuration settings and databases as the Primary System. Specifically, this topic covers moving settings and databases between the Primary System and the Dark Spare, starting the necessary LogRhythm and Microsoft services on the Dark Spare, and configuring the host name and IP address of the Dark Spare.
Requirements
- The Primary System (XM1) and the Dark Spare (XM2) are identical XM4300 systems running the same version of LogRhythm (7.1.7 or later).
- The Primary System (including the Microsoft SQL databases master, model, and msdb, the LogRhythm databases, and the LogRhythm configuration) is backed up to a secure location that is not on the LogRhythm system itself, preferably on a regular schedule. In this topic, the folder D:\DS-Backups on both the Primary System and the Dark Spare stands in for a backup solution.
- Online events (data in the Data Indexer) are not backed up. Restore this data by using Second Look to restore archive files.
Backup Process
Step 1: Stop Services, Copy Databases, and Start Services
- On the Primary System, go to Start\Administrative Tools\Services.
- Right-click each LogRhythm service, and then click Stop.
- Right-click each Microsoft SQL service, and then click Stop.
- Copy the following LogRhythm and Microsoft databases and paste them to the corresponding locations on the Dark Spare system:
  - LogRhythm database files (D:\LogRhythm)
  - LogRhythm log files (L:\LogRhythm)
  - Microsoft database files (D:\System)
  - Microsoft log files (L:\System)
- On the Dark Spare, right-click each Microsoft SQL service, and then click Start.
- On the Dark Spare, right-click each LogRhythm service, and then click Start.
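The same Step 1 procedure as a script, added here as an example and not part of the LogRhythm documentation. It runs from an elevated Windows PowerShell session (5.1 or earlier; Get-Service -ComputerName was removed in PowerShell 7) on the Primary System and assumes the Dark Spare answers as XM2, that its D: and L: volumes are reachable through the default administrative shares (D$, L$), that D:\DS-Backups from the requirements exists for the copy log, and that the account running it is a local administrator on both appliances. It also stops the services on the Dark Spare before copying, which the GUI steps do not mention but which is required because SQL Server keeps its .mdf/.ldf files open.

```powershell
# Added example (not from the LogRhythm documentation): scripted form of Step 1,
# run from an elevated Windows PowerShell (<= 5.1) session on the Primary System (XM1).
# Assumptions: Dark Spare reachable as XM2 via the D$ and L$ administrative shares,
# local administrator rights on both appliances, D:\DS-Backups present for the log.
$DarkSpare = 'XM2'
$LogFile   = 'D:\DS-Backups\darkspare-copy.log'   # D:\DS-Backups is the stand-in backup folder from the requirements
$Paths = @(
    @{ Src = 'D:\LogRhythm'; Dst = "\\$DarkSpare\D$\LogRhythm" },   # LogRhythm database files
    @{ Src = 'L:\LogRhythm'; Dst = "\\$DarkSpare\L$\LogRhythm" },   # LogRhythm log files
    @{ Src = 'D:\System';    Dst = "\\$DarkSpare\D$\System" },      # Microsoft database files
    @{ Src = 'L:\System';    Dst = "\\$DarkSpare\L$\System" }       # Microsoft log files
)

function Stop-ServiceGroup([string]$Computer, [string]$DisplayName) {
    # Stop every matching service and block until the service controller reports Stopped,
    # so no database or log file is still open when robocopy starts.
    Get-Service -ComputerName $Computer -DisplayName $DisplayName |
        Where-Object { $_.Status -ne 'Stopped' } |
        ForEach-Object {
            Stop-Service -InputObject $_ -Force -ErrorAction Stop
            $_.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
        }
}

function Start-ServiceGroup([string]$Computer, [string]$DisplayName) {
    Get-Service -ComputerName $Computer -DisplayName $DisplayName |
        Where-Object { $_.Status -ne 'Running' } |
        ForEach-Object {
            $svc = $_
            try {
                Start-Service -InputObject $svc -ErrorAction Stop
                $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
            } catch {
                # Disabled services (for example SQL Server Browser) are expected to refuse; report, do not abort.
                Write-Warning "Could not start '$($svc.DisplayName)' on ${Computer}: $($_.Exception.Message)"
            }
        }
}

# Stop order matters: LogRhythm services hold SQL connections, so they go first, then SQL.
# The page only stops services on the Primary; the Dark Spare's are stopped too (added
# safety step), otherwise its open database files cannot be overwritten.
foreach ($c in 'localhost', $DarkSpare) {
    Stop-ServiceGroup $c 'LogRhythm*'
    Stop-ServiceGroup $c 'SQL Server*'
}

foreach ($p in $Paths) {
    # /E: include subdirectories (also empty ones); /COPY:DAT: data, attributes, timestamps;
    # /R:2 /W:5: bounded retries instead of robocopy's default of one million;
    # /NP: no per-file progress; /LOG+: append an audit record of what was copied.
    robocopy $p.Src $p.Dst /E /COPY:DAT /R:2 /W:5 /NP /LOG+:$LogFile | Out-Null
    # Robocopy's exit code is a bit mask: 1 = files copied, 2 = extra files at destination,
    # 4 = mismatched files or directories; 8 or above means at least one copy failed.
    if ($LASTEXITCODE -ge 8) { throw "Copy of $($p.Src) failed (robocopy exit $LASTEXITCODE); see $LogFile" }
    if ($LASTEXITCODE -band 4) { Write-Warning "Mismatches copying $($p.Src); review $LogFile before starting SQL on $DarkSpare" }
}

# Start order is the reverse: SQL first so the LogRhythm services find their databases.
Start-ServiceGroup $DarkSpare 'SQL Server*'
Start-ServiceGroup $DarkSpare 'LogRhythm*'
```

The copy travels over SMB to the administrative shares. On a network shared with other hosts, require SMB signing or SMB 3 encryption, or use a dedicated replication link, because the files carry the complete LogRhythm configuration databases. Keep the robocopy log with the backup set; it records exactly which files were transferred and when.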
Step 2: Set the LogRhythm Configuration Managers on the Dark Spare
- On the Dark Spare, go to Start\Apps\AIEngine Configuration Manager.
- When the login screen appears, enter the Server and Password, and then click OK.
- Repeat this process for the other LogRhythm Configuration Managers:
  - Data Processor Configuration Manager
  - Job Manager Configuration Manager
  - Platform Manager Configuration Manager
  - System Monitor Configuration Manager
Step 3: Rename and Re-address the Dark Spare
- On the Dark Spare, go to Start\Control Panel\System, and then click Advanced system settings.
- Click the Computer Name tab, and then click Change.
- Enter the name of the Primary System (here, XM1) in the Computer name text field.
- Click OK.
Do not restart the system at this time.
- Go to Control Panel\Network and Sharing Center.
- Click the Ethernet link, and then click Properties.
- Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
- Select the Use the following IP address button, and then enter the Primary System's IP address, subnet mask, and default gateway.
- Select the Use the following DNS server addresses button, and then enter your preferred and alternate DNS servers.
- Click OK, click OK, and then click Close to save all the changes.
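Step 3 as a script, added here as an example and not part of the LogRhythm documentation. It runs in an elevated Windows PowerShell (4.0 or later) session on the Dark Spare and assumes the adapter is named Ethernet as in the GUI steps, that the appliance is not domain-joined (Rename-Computer would otherwise need domain credentials), and that the Primary System is powered off or disconnected, since two hosts with the same name and address on one network will conflict. The addresses are placeholders. The final block also renames the server inside SQL Server with sp_dropserver/sp_addserver, the standard SQL Server step after an OS rename; the page does not include it, but it is the change that Step 4's "if you are unable to change the host name in Microsoft SQL" condition refers to, and it takes effect when SQL restarts in Step 5.

```powershell
# Added example (not from the LogRhythm documentation): scripted form of Step 3,
# run in an elevated Windows PowerShell (4.0+) session on the Dark Spare (XM2).
# Assumptions: workgroup appliance, adapter alias 'Ethernet', Primary System offline,
# sqlcmd.exe on the PATH with Windows authentication and sysadmin rights.
$NewName    = 'XM1'                     # Primary System's host name
$Adapter    = 'Ethernet'
$IPAddress  = '10.0.0.10'               # Primary System's IP address (placeholder)
$PrefixLen  = 24                        # 255.255.255.0
$Gateway    = '10.0.0.1'                # placeholder
$DnsServers = '10.0.0.53', '10.0.0.54'  # preferred, alternate (placeholders)

# Refuse to proceed if something still answers on the address we are about to take.
if (Test-Connection -ComputerName $IPAddress -Count 1 -Quiet) {
    throw "$IPAddress is still answering on the network; shut down the Primary System first."
}

# 1. Rename without rebooting; the page says not to restart yet, and Step 5 performs the reboot.
$OldName = $env:COMPUTERNAME
Rename-Computer -NewName $NewName -Force -ErrorAction Stop

# 2. Replace the current IPv4 configuration with the Primary System's static addressing.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IPAddress -PrefixLength $PrefixLen -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServers

# 3. SQL Server keeps its own copy of the server name (@@SERVERNAME, sys.servers). The OS
#    rename does not update it; sp_dropserver/sp_addserver does, effective after the restart.
$sql = @"
IF EXISTS (SELECT 1 FROM sys.servers WHERE server_id = 0 AND name = N'$OldName')
    EXEC sp_dropserver N'$OldName';
EXEC sp_addserver N'$NewName', 'local';
"@
sqlcmd -S . -E -b -Q $sql
if ($LASTEXITCODE -ne 0) { throw "SQL Server rename failed (sqlcmd exit $LASTEXITCODE)" }
```

Run this from the local console, not over a remote session, because the address change drops any session that came in on the old IP. If the SQL rename in part 3 fails, the Step 4 script is the fallback the page provides.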
Step 4: Run the IP and Host Name Change
If you cannot change the Dark Spare's IP address and host name in Microsoft SQL to those of the Primary System, run the following script on the Dark Spare against the LogRhythmEMDB database. Replace each 'zz' placeholder: @OldHostName and @OldIPaddr take the Primary System's host name and IP address (the values stored in the databases you copied), and @HostName and @IPaddr take the Dark Spare's host name and IP address.
Example
/*
* LogRhythm Dark Spare Scripts
* 03/04/2012
*
* Version History
* v1.1 - CM - Script creation - 03/04/2013
* v1.2 - AHP - Updated to update the System Monitor Agent properties - 02/06/2013
* v1.3 - AHP - Updated to update the AIE properties - 17/07/2014
* v1.4 - Removed LMDB and RADB - 9/12/2016
*
* This is run against the Dark Spare
*
* Script updates the hostname and IP address of the Dark Spare box
*/
USE LogRhythmEMDB
GO
DECLARE @OldHostName nvarchar(128), @OldIPaddr nvarchar(128), @HostName nvarchar(128), @IPaddr nvarchar(128);
SET @OldHostName = 'zzOLDHOSTNAME' --Replace with the Primary System host name as stored in the copied databases
SET @OldIPaddr = 'zzOLDIPADDR' --Replace with the Primary System IP address as stored in the copied databases
SET @HostName = 'zzHOSTNAME' --Replace with the Dark Spare host name
SET @IPaddr = 'zzIPADDR' --Replace with the Dark Spare IP address
--Entity records
update Host set Name = @HostName where Name = @OldHostName;
print 'Entity Name'
update HostIdentifier set Value = @IPaddr where Value = @OldIPaddr
print 'Entity IP'
update HostIdentifier set Value = @HostName where Value = @OldHostName
print 'Entity Hostname'
--System Monitor Agent records
update SystemMonitor set SyslogServerNIC = @IPaddr where SyslogServerNIC = @OldIPaddr --SyslogServerNIC IP address
update SystemMonitor set SyslogParsedHosts = @IPaddr where SyslogParsedHosts = @OldIPaddr --Syslog Relay IP address
update SystemMonitor set NetflowServerNIC = @IPaddr where NetflowServerNIC = @OldIPaddr --NetflowServerNIC IP address
update SystemMonitor set SFlowServerNIC = @IPaddr where SFlowServerNIC = @OldIPaddr --SFlowServerNIC IP address
update SystemMonitor set SNMPLocalIP = @IPaddr where SNMPLocalIP = @OldIPaddr --SNMPLocalIP IP address
update SystemMonitorToMediator set ClientAddress = @IPaddr where ClientAddress = @OldIPaddr --SMA to Mediator ClientAddress IP
update SystemMonitor set Name = @HostName where Name = @OldHostName --SMA display name (exact match; LIKE would treat _ and % as wildcards)
print 'SMA SyslogIP, Syslog Relay IP, SMA NetFlowIP, SMA SFlowIP, SMA SNMPlocalIP, SMA HostName, SMA to Mediator ClientAddress IP'
--Windows event log sources collected by the appliance's own agent. Display names are rewritten
--first because they are selected on the old FilePath; the FilePath rows are rewritten afterwards.
update MsgSource set Name = @HostName + ' MS Security Log' where FilePath = @OldHostName + ':Security' --Security Log Source display name
update MsgSource set Name = @HostName + ' MS System Log' where FilePath = @OldHostName + ':System' --System Log Source display name
update MsgSource set Name = @HostName + ' MS App Log' where FilePath = @OldHostName + ':Application' --Application Log Source display name
update MsgSource set FilePath = @HostName + ':Security' where FilePath = @OldHostName + ':Security' --Security Log FilePath
update MsgSource set FilePath = @HostName + ':System' where FilePath = @OldHostName + ':System' --System Log FilePath
update MsgSource set FilePath = @HostName + ':Application' where FilePath = @OldHostName + ':Application' --Application Log FilePath
print 'SMA Log Source name updates, FilePath Updates'
--AI Engine. The two Config updates have no WHERE clause and rewrite every AIEServer and
--AIEDataProvider row. That is intended on a single-appliance (XM) deployment, which is the
--only deployment this procedure covers; do not run them against a shared Platform Manager.
update AIEServer set Config = '<?xml version="1.0"?> <AIEServerConfig xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <ServerAddress>' + @IPaddr + '</ServerAddress> </AIEServerConfig>'
update AIEServer set Name = @HostName where Name = @OldHostName --AIE Server display name
update AIEDataProvider set ProviderConfig = '<?xml version="1.0"?> <AIEDataProviderReceiverConfig xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <ClientAddress>' + @IPaddr + '</ClientAddress> <ClientMgmtPort>0</ClientMgmtPort> <ClientDataPort>0</ClientDataPort> <ServerAddress>' + @IPaddr + '</ServerAddress> </AIEDataProviderReceiverConfig>'
print 'AIE Updates'
print 'END'
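A wrapper for running the Step 4 script with the checks a practitioner wants around a bulk UPDATE, added here as an example and not part of the LogRhythm documentation. It backs up LogRhythmEMDB first, counts the rows that reference the Primary System before the change, substitutes the zz placeholders, runs the script, and then confirms that nothing still references the old name or address. It assumes the script is saved as D:\DS-Backups\DarkSpare.sql (a placeholder path under the stand-in backup folder from the requirements), that sqlcmd.exe is on the PATH, and that the session uses Windows authentication with sysadmin rights on the local instance; the host names and addresses are placeholders.

```powershell
# Added example (not from the LogRhythm documentation): pre-flight, run, and post-check
# for the Step 4 script. Run in an elevated Windows PowerShell session on the Dark Spare.
# Assumptions: script saved at $ScriptPath, sqlcmd.exe on PATH, Windows auth, sysadmin.
$ScriptPath = 'D:\DS-Backups\DarkSpare.sql'                   # placeholder path
$BackupPath = 'D:\DS-Backups\LogRhythmEMDB_preStep4.bak'      # placeholder path
$Values = @{
    zzOLDHOSTNAME = 'XM1'          # Primary System host name, as stored in the copied databases
    zzOLDIPADDR   = '10.0.0.10'    # Primary System IP address (placeholder)
    zzHOSTNAME    = 'XM2'          # Dark Spare host name
    zzIPADDR      = '10.0.0.11'    # Dark Spare IP address (placeholder)
}

function Invoke-Emdb([string]$Query, [string[]]$Vars = @()) {
    # -b: non-zero exit on any SQL error; -h -1 and -W strip headers and padding so output parses easily.
    # Values go in through sqlcmd scripting variables (-v) rather than string interpolation.
    $args = @('-S', '.', '-E', '-d', 'LogRhythmEMDB', '-b', '-h', '-1', '-W')
    if ($Vars.Count -gt 0) { $args += '-v'; $args += $Vars }
    $out = & sqlcmd @args -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed (exit $LASTEXITCODE) running: $Query" }
    $out
}

function Get-ReferenceCounts([string]$HostName, [string]$IPAddr) {
    # Rows in each table the Step 4 script rewrites that still carry the given host name or address.
    # The AIE XML columns are omitted: the script overwrites them unconditionally.
    $q = @'
SET NOCOUNT ON;
SELECT 'Host', COUNT(*) FROM Host WHERE Name = N'$(HostName)'
UNION ALL SELECT 'HostIdentifier', COUNT(*) FROM HostIdentifier WHERE Value IN (N'$(HostName)', N'$(IPAddr)')
UNION ALL SELECT 'SystemMonitor', COUNT(*) FROM SystemMonitor
    WHERE Name = N'$(HostName)' OR N'$(IPAddr)' IN (SyslogServerNIC, SyslogParsedHosts, NetflowServerNIC, SFlowServerNIC, SNMPLocalIP)
UNION ALL SELECT 'SystemMonitorToMediator', COUNT(*) FROM SystemMonitorToMediator WHERE ClientAddress = N'$(IPAddr)'
UNION ALL SELECT 'MsgSource', COUNT(*) FROM MsgSource WHERE FilePath LIKE N'$(HostName):%'
UNION ALL SELECT 'AIEServer', COUNT(*) FROM AIEServer WHERE Name = N'$(HostName)';
'@
    $counts = @{}
    foreach ($line in Invoke-Emdb $q @("HostName=$HostName", "IPAddr=$IPAddr")) {
        if ($line -match '^(\S+)\s+(\d+)$') { $counts[$Matches[1]] = [int]$Matches[2] }
    }
    $counts
}

# 1. Backup first: the script is a set of unconditional UPDATEs with no transaction.
Invoke-Emdb "BACKUP DATABASE LogRhythmEMDB TO DISK = N'$BackupPath' WITH INIT, CHECKSUM;" | Out-Null

# 2. Pre-check: what will change, and whether the Dark Spare's name is already present
#    (the script would then leave two rows with the same name).
$before = Get-ReferenceCounts $Values.zzOLDHOSTNAME $Values.zzOLDIPADDR
$clash  = Get-ReferenceCounts $Values.zzHOSTNAME $Values.zzIPADDR
if (($clash.Values | Measure-Object -Sum).Sum -gt 0) {
    Write-Warning "Rows for $($Values.zzHOSTNAME)/$($Values.zzIPADDR) already exist; expect duplicate names after the rename"
}

# 3. Substitute the zz placeholders and run the page's script. It contains its own USE/GO.
$sql = Get-Content -Path $ScriptPath -Raw
foreach ($k in $Values.Keys) { $sql = $sql.Replace($k, $Values[$k]) }
$resolved = [IO.Path]::ChangeExtension($ScriptPath, '.resolved.sql')
Set-Content -Path $resolved -Value $sql -Encoding UTF8
& sqlcmd -S . -E -b -i $resolved
if ($LASTEXITCODE -ne 0) { throw "Rename script failed (exit $LASTEXITCODE); restore from $BackupPath" }

# 4. Post-check: the old name/address should be gone and the new one present in as many rows.
$after = Get-ReferenceCounts $Values.zzOLDHOSTNAME $Values.zzOLDIPADDR
$new   = Get-ReferenceCounts $Values.zzHOSTNAME $Values.zzIPADDR
foreach ($t in $before.Keys | Sort-Object) {
    '{0,-24} before={1} remaining={2} renamed={3}' -f $t, $before[$t], $after[$t], $new[$t]
    if ($after[$t] -ne 0) { Write-Warning "$t still references the old host; inspect it before restarting" }
}
```

Zero counts in the pre-check mean the placeholders do not match what the copied databases contain (case or trailing-space differences, or the wrong old/new direction), and the script would then do nothing; fix the values rather than proceeding to Step 5.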
Step 5: Restart the Dark Spare
Restart the Dark Spare so the host name, network, and database changes take effect.