Skip to main content
Skip table of contents

Backup and Recovery Procedures

This topic describes the backup and restoration guidelines and procedures required for recovery of LogRhythm versions 7.x and later – it does not apply to LogRhythm versions earlier than 7.x. Following these guidelines ensures that your LogRhythm deployment and data can be restored from scheduled backups and archived log data in the event of a failure or disaster.

LogRhythm Data Layout

To understand and evaluate what should be backed up, this section describes the data layout and locations within the LogRhythm deployment.

There are four types of systems in a LogRhythm Deployment: the Platform Manager, Data Indexers, Data Processors, and systems hosting LogRhythm Agents, including the Platform Manager and Data Processor.

There are two types of data that can be backed up; SQL databases and the LogRhythm component service directories. The SQL databases store the configuration and event and alarm data. The component service directories contain local service configurations and state files.

Platform Manager

The Platform Manager houses the following LogRhythm data:

  • SQL Server databases:

    • LogRhythmEMDB

    • LogRhythm_Alarms

    • LogRhythm_CMDB

    • LogRhythm_Events

    • LogRhythm_LogMart

  • Component Service Directories:

    • LogRhythm Alarming and Response Manager

    • LogRhythm Job Manager

    • LogRhythm System Monitor

Data Indexer

The Data Indexer houses the following LogRhythm data:

  • Elastic search repositories for log and archive data

Data Processor

The Data Processor houses the following LogRhythm data:

  • Component Service Directories:

    • LogRhythm Mediator Server

    • LogRhythm System Monitor

Agents

A system hosting a LogRhythm Agent houses LogRhythm data in the Component Service Directories - LogRhythm System Monitor.

Risk Assessment

Each site must take into consideration its own requirements and resources such as time and storage capacity when scheduling backups.

A full recovery of your LogRhythm deployment can only be performed up to the point of the last complete Platform Manager database backup. Data collected between backups of these databases may be lost if any unscheduled downtime is caused by a failure or disaster.

Minimal Backup

If site-specific restraints prevent you from doing a full backup of all databases and service directories, the minimal recommended backup includes the LogRhythm EMDB.

In the event of a failure or disaster, this minimal backup allows a complete restoration of the LogRhythm configuration.

Even with this minimal backup, log and LogMart data can be partially restored from LogRhythm Archives via the SecondLook functionality of the LogRhythm Client Console.

Full Backup

A full backup consists of all the SQL databases in a LogRhythm deployment and the service directories for each deployed LogRhythm software component. Backing up the SQL databases ensures that the central configuration and data of the deployment is recoverable. Backing up the component service directories ensures that the collection and processing state of each component is preserved.

Components in the full backup include:

  • LogRhythm EMDB

  • LogRhythm LogMart database

  • LogRhythm Alarms database

  • LogRhythm Events database

  • LogRhythm Case Management database

  • Component service directories

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close