Symantec™ Security Information Manager - Best practices for selective backup and restore
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version: PN:
Legal Notice
Copyright © 2011 Symantec Corporation. All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Symantec Corporation 350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan
Europe, Middle-East, and Africa
Best practices for selective backup and restore
This document includes the following topics:
■ About this guide
■ About selective backup and restore
■ Best practices for selective backup and restore
About this guide
This guide presents the best practices that apply to selective backup and restore of items in Symantec Security Information Manager. Selective backup and restore is a feature introduced in Information Manager 4.7.3.
About selective backup and restore
Symantec Security Information Manager supports selective backup and restore of items such as event summary, incident, asset, rule, and report data. When you perform a selective backup, you can select multiple items for immediate or scheduled backup. During restoration, you select a specific backup file and then select the items within that file to restore. The directory administrator (cn=root) logon credentials for LDAP must be provided for both selective backup and selective restore.
The following items can be backed up and restored selectively:
■ Incidents data (includes incidents, alerts, and tickets data)
■ Assets data
■ Services
■ Networks
■ Policies
■ Locations
■ Operating systems
■ Product configurations (includes collector, agent sensor, appliance, agent, and help desk configurations data)
■ Published reports
■ Published queries
■ Rules (includes User rules and System rules)
■ Event filters (includes User filters and System filters)
■ Monitors (includes User monitors and System monitors)
■ Lookup tables (includes User lookup tables and System lookup tables)
■ Paging services
■ Users
■ User groups
■ Roles
■ Appliance configurations (includes event storage rules, incident forwarding rules, and correlation forwarding rules)
■ Managed reports
Best practices for selective backup and restore
The following guidelines can help you to implement backup and restore functions effectively:
■ Periodically perform a complete LDAP and a complete database backup to avoid any data loss during restoration of backup files.
■ When you re-image a server, the settings of the earlier server can be retrieved from the backup files. For the restoration, be sure to provide the same domain name, host IP address, and host name as the server from which the backup was taken. If there is a discrepancy in the domain name, host IP address, or host name that you provide, the restoration fails. After the restoration, you must manually update the host entries on the newly set up server.
■ If Active Directory users are added or deleted after you take a backup of the Active Directory users, disable the Scheduled Synchronization option before you restore the Active Directory users. You can disable this option by editing the existing Active Directory configuration. After the restoration, synchronize all the restored Active Directory users with the Add/Remove Users list in the Active Directory configuration. When this synchronization is complete, you can enable the Scheduled Synchronization option again.
■ Perform the LDAP restore operation immediately after the Information Manager server is newly set up. Otherwise, when the LDAP backup files are restored on the newly set up server, the following issue occurs:
■ The links between events and the incidents that were generated before the LDAP restoration are broken.
■ If you used an NFS-mounted directory for backup, ensure that the NFS server is running during a selective restore or purge. If the NFS server is not running, ensure that the Information Manager server does not use an NFS-mounted directory from that NFS server.
■ If you specify a custom path for backup file storage, ensure that the db2admin user is given full permission and the SES user is given read and execute permission on that path.
■ If you update the schedule with a date and time that are earlier than the current date and time, a backup is triggered immediately.
■ My Queries, My Reports, and other user-specific filters such as incidents, alerts, and tickets are stored as user information. If you edit the user information after a backup, those changes are lost when you restore the backup file: the user information in the backup file replaces all the existing user information.
■ When you restore backup files of published queries that contain empty folders, the empty folders are not restored. However, you can restore the empty folders for My Queries and Reports.
■ When you restore the rules of a server, you must restart the rule, correlation, and event services on all the servers in the network.
■ Back up assets, policies, services, operating systems, and locations together as a single unit, and restore them the same way.
■ Before you back up items, ensure that there is enough space in the specified directory and on /dbsesa.
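The two guidelines about a custom backup path (db2admin needs full permission, the SES user needs read and execute permission) and about free space in the backup directory and on /dbsesa can be checked before a backup is scheduled. The following pre-flight script is an added example written for this page; it is not part of the Symantec product or its documentation. It assumes the accounts are ordinary local Unix accounts evaluated by plain POSIX mode bits (no POSIX ACLs), that the SES account name (shown as sesuser), the default backup path /backup and the 10 GiB threshold are placeholders you replace with your appliance's values, and that the backup directory is a path visible from the Information Manager server (local or NFS-mounted).

```python
"""Pre-flight check of a custom backup directory before a selective backup.

Added example, not Symantec code. It applies the rules from the guidelines
above: db2admin needs full permission on the custom backup path, the SES
user needs read and execute permission, and both that path and /dbsesa need
enough free space. Assumptions: plain POSIX mode bits (no ACLs), local
accounts, and placeholder values for the SES account name and size limit.
"""
import grp
import os
import pwd
import stat


def perms_for(mode, st_uid, st_gid, uid, gids):
    """Permissions ('r', 'w', 'x') a user with uid and group set gids gets on
    an object with the given mode bits and owner, following the POSIX rule:
    owner bits if the uid matches, else group bits if any group matches,
    else the 'other' bits. Root and POSIX ACLs are ignored (assumption)."""
    if uid == st_uid:
        shift = 6
    elif st_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    perms = set()
    if bits & 0o4:
        perms.add("r")
    if bits & 0o2:
        perms.add("w")
    if bits & 0o1:
        perms.add("x")
    return perms


def resolve_account(username):
    """Resolve a local account name to (uid, set of primary and supplementary
    gids). Raises KeyError if the account does not exist."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def free_bytes(path):
    """Bytes available to unprivileged users on the filesystem holding path."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize


def check_backup_dir(backup_dir, admin, ses, min_free_bytes, db_path="/dbsesa"):
    """Return a list of problems; an empty list means the directory is usable.

    admin and ses are (uid, gids) tuples as returned by resolve_account:
    the database administrator (db2admin) and the SES user."""
    problems = []
    if not os.path.isdir(backup_dir):
        return ["%s is not a directory" % backup_dir]
    st = os.stat(backup_dir)
    mode = stat.S_IMODE(st.st_mode)
    for label, (uid, gids), needed in (("db2admin", admin, {"r", "w", "x"}),
                                        ("SES user", ses, {"r", "x"})):
        missing = needed - perms_for(mode, st.st_uid, st.st_gid, uid, gids)
        if missing:
            problems.append("%s (uid %d) lacks %s on %s (mode %o, owner uid %d)"
                            % (label, uid, "".join(sorted(missing)),
                               backup_dir, mode, st.st_uid))
    for path in (backup_dir, db_path):
        if not os.path.isdir(path):
            problems.append("%s does not exist" % path)
            continue
        free = free_bytes(path)
        if free < min_free_bytes:
            problems.append("only %d bytes free on %s, need %d"
                            % (free, path, min_free_bytes))
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/backup"  # placeholder path
    try:
        # "sesuser" is a placeholder for the SES account name on your appliance.
        identities = resolve_account("db2admin"), resolve_account("sesuser")
    except KeyError as missing:
        sys.exit("account not found: %s" % missing)
    # 10 GiB is an assumed threshold; size it to your largest expected backup.
    issues = check_backup_dir(target, identities[0], identities[1], 10 * 1024 ** 3)
    for issue in issues:
        print("FAIL:", issue)
    print("OK" if not issues else "%d problem(s) found" % len(issues))
```

Run it on the appliance as `python preflight.py /path/to/backups` before you schedule the backup. The permission evaluation deliberately mirrors how the kernel picks exactly one of the owner, group or other triplets, so a directory owned by db2admin with mode 0750 passes only if the SES user is in the directory's group; a "FAIL" line names the account, the missing bits and the current mode so the fix is a single chown/chmod.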
Backup and restore scenarios
Symantec recommends that you understand the following typical backup and restore scenarios and their results. In these scenarios, backup and restore functions can be executed without any loss of data.
For example, you take a backup of assets, or of assets and policies, and you restore only assets. Information Manager restores all of the assets and the policies that are mapped to these assets. Information Manager does not restore newly created policies or assets, or the policies that were not mapped to the assets at the time of backup.
Table 1-1 depicts different backup and restore scenarios for various items in Information Manager.
Table 1-1 Backup and restore scenarios

Backup: Assets and policies
Restore: Assets and policies
Result: The assets and policies are restored to the state they were in when the backup was taken.

Backup: Assets and policies
Restore: Only assets
Result: All the assets, and the policies that are mapped to these assets, are restored. The following items are not restored:
■ The policies and the assets that are created after the backup is taken.
■ The policies that are not mapped to the assets at the time of backup.

Backup: Assets and policies
Restore: Only policies
Result: All the policies at the time of backup are restored. The following items are retained during the restore:
■ The policies that are created after the backup.
■ The existing mapping between assets and policies.
In addition, the assets are retained in their state at the time of backup.

Backup: Assets and services
Restore: Assets and services
Result: The assets and services are restored to the state they were in when the backup was taken.

Backup: Assets and services
Restore: Only assets
Result: All the assets, and the services that are mapped to these assets, are restored. The following items are not restored:
■ The services and the assets that are created after the backup is taken.
■ The services that are not mapped to the assets at the time of backup.

Backup: Assets and services
Restore: Only services
Result: All the services at the time of backup are restored. The following items are retained:
■ The services that are created after the backup.
■ The existing mapping between assets and services.
In addition, the existing state of the assets is retained.

Backup: Assets and operating systems
Restore: Assets and operating systems
Result: The assets and operating systems are restored to the state they were in when the backup was taken.

Backup: Assets and operating systems
Restore: Only assets
Result: All the assets, and the operating systems that are mapped to these assets, are restored. The operating systems that are not mapped to the assets at the time of backup are not restored. The assets are retained in their state at the time of backup.

Backup: Assets and operating systems
Restore: Only operating systems
Result: All the operating systems at the time of backup are restored. The existing mapping between assets and operating systems is retained during the restoration. The assets are retained in their state at the time of backup.

Backup: Assets and locations
Restore: Assets and locations
Result: The assets and locations are restored to the state they were in when the backup was taken.

Backup: Assets and locations
Restore: Only assets
Result: All the assets, and the locations that are mapped to these assets, are restored. The following items are not restored:
■ The locations that are created after the backup is taken.
■ The locations that are not mapped to the assets at the time of backup.
The assets are retained in their state at the time of backup.

Backup: Assets and locations
Restore: Only locations
Result: All the locations at the time of backup are restored. The locations that are created after the backup are retained. The existing mapping between assets and locations is retained during the restoration. The assets are retained in their state at the time of backup.

Backup: Assets
Restore: Assets
Result: All the assets, and the policies, services, operating systems, and locations that are mapped to these assets, are restored. Any other data that is associated with the assets is not restored.

Backup: Roles and users
Restore: Roles and users
Result: All the roles and the users at the time of backup are restored. The roles and the users that are created after the backup is taken are retained.

Backup: Roles and users
Restore: Only roles
Result: All the roles, and the users that are associated with the roles at the time of backup, are restored. The roles and the users that are created after the backup is taken are retained.

Backup: Roles and users
Restore: Only users
Result: All the users at the time of backup are restored. The roles of the users are retained in their state at the time of backup. The users that are created after the backup is taken are retained.

Backup: Groups and users
Restore: Groups and users
Result: All the groups and the users at the time of backup are restored. The groups and the users that are created after the backup is taken are retained.

Backup: Groups and users
Restore: Only groups
Result: All the groups, and the users that are associated with the groups at the time of backup, are restored. The groups and the users that are created after the backup is taken are retained.

Backup: Groups and users
Restore: Only users
Result: All the users at the time of backup are restored. The existing groups of the users are retained. The users that are created after the backup is taken are retained.

Backup: Published queries and published reports
Restore: Published queries and published reports
Result: All the published queries and reports are restored. The association between queries and reports is retained in its state at the time of backup.

Backup: Published queries and published reports
Restore: Only published queries
Result: All the published queries are restored.

Backup: Published queries and published reports
Restore: Only published reports
Result: All the published reports are restored. Because the queries are not restored, a "query not found" error is shown for any report whose query is not already present.

Backup: Published reports
Restore: Published reports
Result: All the published reports are restored. Because the backup contains only published reports, only the reports are restored; a "query not found" error is displayed whenever a report is opened whose query is not present.