Use a Dark Spare Backup Appliance
You can purchase a Dark Spare Backup Appliance that can replace an existing appliance in the event of a failure. The Dark Spare must be for the specific appliance platform you want to replace, and you can use a Dark Spare to recover an appliance of lesser specifications.
This topic describes how to set up a Dark Spare system so it functions the same as the Primary System it is replacing, even though the Dark Spare does not have all the same configuration settings and databases as the Primary System. Specifically, this topic covers moving settings and databases between the Primary System and the Dark Spare, starting the necessary LogRhythm and Microsoft services on the Dark Spare, and configuring the host name and IP address of the Dark Spare.
Requirements
The Primary System (XM1) and the Dark Spare (XM2) are identical XM or PM systems running the same version of LogRhythm.
The Primary System (including Microsoft SQL databases (master, model, msdb), LogRhythm databases, and LogRhythm configurations) is backed up to a secure location that is not on the LogRhythm system itself, preferably on a regular basis.
Online events (i.e., data in the Data Indexer) are not backed up. This data can be restored by using Second Look to restore Archive files.
Backup Process
Step 1: Stop Services, Copy Databases, and Start Services
On both the Primary and Dark Spare System, go to Start\Administrative Tools\Services.
Right-click each LogRhythm service, and then click Stop.
Right-click each Microsoft SQL service, and then click Stop.
Copy the following LogRhythm and Microsoft databases and paste them to their corresponding locations on the Dark Spare system:
LogRhythm database files (D:\LogRhythm)
LogRhythm log files (L:\LogRhythm)
Microsoft database files (D:\System)
Microsoft log files (L:\System)
On the Dark Spare, right-click each Microsoft SQL service, and then click Start.
On the Dark Spare, right-click each LogRhythm service, and then click Start.
Step 2: Set the LogRhythm Configuration Managers on the Dark Spare
On the Dark Spare, go to Start\Apps\AIEngine Configuration Manager.
When the login screen appears, enter the Server and Password, and then click OK.
Repeat this process for the other LogRhythm Configuration Managers:
Data Processor Configuration Manager
Job Manager Configuration Manager
Platform Manager Configuration Manager
System Monitor Configuration Manager
Step 3: Rename and Re-address the Dark Spare
On the Dark Spare, go to Start\Control Panel\System, and then click Advanced system settings.
Click the Computer Name tab, and then click Change.
Enter the name of the Primary System (here, XM1) in the Computer name text field.
Click OK.
Do not restart the system at this time.
Go to Control Panel\Network and Sharing Center.
Click the Ethernet link, and then click Properties.
Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
Select the Use the following IP address button, and then enter the IP address, subnet mask, and default gateway.
Select the Use the following DNS server addresses button, and then enter your preferred and alternate DNS servers.
Click OK, click OK, and then click Close to save all the changes.
Step 4: Run the IP and Host Name Change
Run the script that follows on the Dark Spare, replacing the “zz” variables with the old and new host names and IP addresses of your Primary System and Dark Spare.
/*
* LogRhythm Dark Spare Scripts - 03/04/2012
* Version History
* v1.1 - CM - Script creation - 03/04/2013
* v1.2 - AHP - Updated to update the System Monitor Agent properties - 02/06/2013
* v1.3 - AHP - Updated to update the AIE properties - 17/07/2014
* v1.4 - Removed LMDB and RADB - 9/12/2016
* v1.5 - SC - Minor corrections and formatting - 14/01/2026
*
* This is run against the Dark Spare and updates the hostname and IP address details
*/
USE LogRhythmEMDB
GO
DECLARE @OldHostName nvarchar(128),@OldIPaddr nvarchar(128), @HostName nvarchar(128),@IPaddr nvarchar(128);
SET @OldHostName = 'zzOLDHOSTNAME' --Replace with OLD appliance hostname
SET @OldIPaddr = 'zzOLDIPADDR' --Replace with OLD appliance IP address
SET @HostName = 'zzHOSTNAME' --Replace with NEW appliance hostname
SET @IPaddr = 'zzIPADDR' --Replace with NEW appliance IP address
print 'Host:'
update host set Name = @HostName where Name = @OldHostName ;
print 'Entity Name and IP:'
update HostIdentifier set Value = @IPaddr where Value = @OldIPaddr
update HostIdentifier set Value = @HostName where Value = @OldHostName
print 'SMA updates'
print 'SMA SyslogIP, Syslog Relay IP, SMA NetFlowIP, SMA SFlowIP, SMA SNMPlocalIP, SMA HostName, SMA to Mediator ClientAddress IP:'
update SystemMonitor set SyslogServerNIC = @IPaddr where SyslogServerNIC = @OldIPaddr --SyslogServerNIC IP Address
update SystemMonitor set SyslogParsedHosts = @IPaddr where SyslogParsedHosts = @OldIPaddr --Syslog Relay IP Address
update SystemMonitor set NetflowServerNIC = @IPaddr where NetflowServerNIC = @OldIPaddr --NetflowServerNIC IP Address
update SystemMonitor set SFlowServerNIC = @IPaddr where SFlowServerNIC = @OldIPaddr --SFlowServerNIC IP Address
update SystemMonitor set SNMPLocalIP = @IPaddr where SNMPLocalIP = @OldIPaddr --SNMPLocalIP IP Address
update SystemMonitorToMediator set ClientAddress = @IPaddr where ClientAddress = @OldIPaddr --SMA to Mediator ClientAddress IP
update SystemMonitor set Name = @HostName where Name like @OldHostName --SMA Display Name
print 'SMA Log Source name updates, FilePath Updates:'
update MsgSource set Name = @HostName + ' MS Security Log' where FilePath like @OldHostName + ':Security' --Security Log Source Display Name
update MsgSource set Name = @HostName + ' MS System Log' where FilePath like @OldHostName + ':System' --System Log Source Display Name
update MsgSource set Name = @HostName + ' MS App Log' where FilePath like @OldHostName + ':Application' --Application Log Source Display Name
update MsgSource set FilePath = @HostName + ':Security' where FilePath like @OldHostName + ':Security' --Security Log FilePath
update MsgSource set FilePath = @HostName + ':System' where FilePath like @OldHostName + ':System' --System Log FilePath
update MsgSource set FilePath = @HostName + ':Application' where FilePath like @OldHostName + ':Application' --Application Log FilePath
print 'AIE Updates'
update AIEserver set Config = '<?xml version="1.0"?> <AIEServerConfig xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <ServerAddress>' + @IPaddr + '</ServerAddress> </AIEServerConfig>' --No WHERE clause: applies to every AIEServer row
update AIEServer set Name = @HostName where Name = @OldHostName --LAIE Name Display Name
update AIEDataProvider set ProviderConfig = '<?xml version="1.0"?> <AIEDataProviderReceiverConfig xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <ClientAddress>' + @IPaddr + '</ClientAddress> <ClientMgmtPort>0</ClientMgmtPort> <ClientDataPort>0</ClientDataPort> <ServerAddress>' + @IPaddr + '</ServerAddress> </AIEDataProviderReceiverConfig>' --No WHERE clause: applies to every AIEDataProvider row
print 'END'
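Before running the script above, a read-only pre-check can show how many rows each of its statements would match. The query below is an added example, not part of the LogRhythm script; it uses only the table and column names that appear in that script and assumes it is run on the Dark Spare with the same old host name and IP address values.

```sql
-- Added example: read-only pre-check for the Step 4 script; it changes no data.
USE LogRhythmEMDB
GO
DECLARE @OldHostName nvarchar(128), @OldIPaddr nvarchar(128);
SET @OldHostName = 'zzOLDHOSTNAME' --Replace with OLD appliance hostname
SET @OldIPaddr = 'zzOLDIPADDR' --Replace with OLD appliance IP address

-- Stop if the placeholders were not replaced.
IF @OldHostName = 'zzOLDHOSTNAME' OR @OldIPaddr = 'zzOLDIPADDR'
BEGIN
    RAISERROR('Replace the zz placeholders before running.', 16, 1);
    RETURN;
END

-- One row per UPDATE target, using the same predicates as the script.
-- MatchingRows = 0 means that UPDATE would change nothing, which usually
-- points to a mistyped old value or a table already updated.
SELECT 'host.Name' AS Target, COUNT(*) AS MatchingRows
    FROM host WHERE Name = @OldHostName
UNION ALL SELECT 'HostIdentifier.Value (IP)', COUNT(*)
    FROM HostIdentifier WHERE Value = @OldIPaddr
UNION ALL SELECT 'HostIdentifier.Value (host name)', COUNT(*)
    FROM HostIdentifier WHERE Value = @OldHostName
UNION ALL SELECT 'SystemMonitor.SyslogServerNIC', COUNT(*)
    FROM SystemMonitor WHERE SyslogServerNIC = @OldIPaddr
UNION ALL SELECT 'SystemMonitor.SyslogParsedHosts', COUNT(*)
    FROM SystemMonitor WHERE SyslogParsedHosts = @OldIPaddr
UNION ALL SELECT 'SystemMonitor.NetflowServerNIC', COUNT(*)
    FROM SystemMonitor WHERE NetflowServerNIC = @OldIPaddr
UNION ALL SELECT 'SystemMonitor.SFlowServerNIC', COUNT(*)
    FROM SystemMonitor WHERE SFlowServerNIC = @OldIPaddr
UNION ALL SELECT 'SystemMonitor.SNMPLocalIP', COUNT(*)
    FROM SystemMonitor WHERE SNMPLocalIP = @OldIPaddr
UNION ALL SELECT 'SystemMonitor.Name', COUNT(*)
    FROM SystemMonitor WHERE Name LIKE @OldHostName
UNION ALL SELECT 'SystemMonitorToMediator.ClientAddress', COUNT(*)
    FROM SystemMonitorToMediator WHERE ClientAddress = @OldIPaddr
UNION ALL SELECT 'MsgSource.FilePath (Security/System/Application)', COUNT(*)
    FROM MsgSource WHERE FilePath LIKE @OldHostName + ':Security'
        OR FilePath LIKE @OldHostName + ':System'
        OR FilePath LIKE @OldHostName + ':Application'
UNION ALL SELECT 'AIEServer.Name', COUNT(*)
    FROM AIEServer WHERE Name = @OldHostName
-- The script's Config and ProviderConfig updates have no WHERE clause, so
-- they rewrite every row. Totals above 1 here mean more than one record
-- would receive the new IP address.
UNION ALL SELECT 'AIEServer (all rows)', COUNT(*) FROM AIEServer
UNION ALL SELECT 'AIEDataProvider (all rows)', COUNT(*) FROM AIEDataProvider;
```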
Step 5: Restart the Dark Spare
Restart the Dark Spare so the changes can take effect.