Backup and Recovery

Configuration backup, disaster recovery procedures, and capacity planning.

This section covers configuration backup using the built-in backup script. For Energy Logserver data snapshot backup and disaster recovery procedures, see Backup and Disaster Recovery.

Configuration Backup

Backing up

The backup bash script is installed on every host running a Data Node at /usr/share/logserver/utils/configuration-backup.sh.

The script backs up the following data:

  • System indices (via elasticdump): .alertrules, .authconfig, .authuser, .agentsconfig, .elastfilter, .intelligence_rule_configuration, .intelligence_models, .kibana, .kibana_*, .reports, .playbooks, .risks, .riskcategories, .security, .sources, .taskmanagement, .tasks, .archive_task, .archive, .sync_profile, .sync_task, .indexmanagement, .networkprobes, .e-doc

  • Cluster settings (via _cluster/settings API)

  • Index templates (via elasticdump)

  • Component configurations:

    • /etc/logserver/ — Data Node configuration and license files

    • /etc/logserver-probe/ — Network Probe configuration

    • /etc/logserver-gui/ — GUI configuration

    • /var/ossec/etc/ — SIEM (Wazuh) configuration

    • /usr/share/kibana/data/wazuh/config/ — Wazuh GUI configuration

    • /opt/alert/ — Alert configuration

    • /opt/cerebro/ — Cerebro configuration and keystore

    • /opt/skimmer/ — Skimmer configuration

    • /opt/intelligence/ — Intelligence engine configuration

    • /opt/license-service/ — License Service configuration

    • /opt/e-doc/ — E-Doc configuration and database

    • /opt/wiki/ — Wiki configuration and database

    • /etc/logserver-store/ — Logserver keystore

The script uses /tmp/backup/ as intermediate storage, then packages everything into a tar.gz archive named backup-<hostname>-<datetime>.tar.gz in the target directory (default: /root/) and deletes the intermediate files. The archive contains keystores, license files and configuration files that embed credentials (logserver.yml among them), so treat it as sensitive: keep the target directory readable by root only and protect any off-host copies accordingly.

Note

The script requires the elasticdump binary (installed with Logserver GUI at /usr/share/logserver-gui/elasticdump/elasticdump). In split deployments where Data Node and GUI run on separate hosts, ensure elasticdump is available on the Data Node host.

Warning

The script reads the connection credentials from /etc/logserver/logserver.yml and /etc/logserver-gui/logserver-gui.yml. If you have changed the default password or the protocol (for example from http to https), either update those configuration files or set the credentials by hand in the script (see its read_config section); otherwise the elasticdump and _cluster/settings requests will be rejected and the archive will not contain the index and cluster-settings data.

Scheduled backup

The RPM package installs a cron job automatically at /etc/cron.d/configuration-backup that runs the backup daily at 01:00:

0 1 * * * root /usr/share/logserver/utils/configuration-backup.sh

To change the backup destination, edit the backupPath variable at the top of the script.

Restoration from backup

To restore from a backup archive:

  1. Extract the backup archive into a directory that only root can read (tar -C does not create the target directory):

    mkdir -p /tmp/restore && chmod 700 /tmp/restore
    tar -xzf backup-<hostname>-<datetime>.tar.gz -C /tmp/restore
    
  2. Restore the system indices with elasticdump, once per <index_name>.json file in the extracted archive (use the protocol and credentials your cluster expects; see the warning above):

    /usr/share/logserver-gui/elasticdump/elasticdump \
      --input=/tmp/restore/<index_name>.json \
      --output=http://localhost:9200/<index_name> \
      --type=data
    
  3. Restore index templates:

    /usr/share/logserver-gui/elasticdump/elasticdump \
      --input=/tmp/restore/templates.json \
      --output=http://localhost:9200 \
      --type=template
    
  4. Restore component configurations by extracting the respective tar.gz sub-archives to their original paths (e.g., /etc/logserver/, /etc/logserver-gui/, /opt/alert/). List each sub-archive with tar -tzf first to confirm which files it will overwrite, and move the current versions aside if you may need to roll back.

  5. Restart all affected services after restoring configuration files.
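The five steps above as one restore script. This is an added example, not the project's configuration-backup.sh or any script shipped with Energy Logserver. It assumes, none of which the page states, that the archive unpacks to top-level <index_name>.json files plus templates.json and one tar.gz sub-archive per component directory, that those sub-archives hold paths relative to / (for example etc/logserver/logserver.yml), and that elasticdump is at the GUI path from the note above. DRY_RUN=1 prints the elasticdump and tar commands without executing them, and the optional third argument unpacks the component archives under a staging directory instead of / so you can review what would be overwritten before going live.

```shell
#!/usr/bin/env bash
# Added example: restore an Energy Logserver configuration backup produced by
# configuration-backup.sh. Not the project's own script. Assumed layout (not
# stated in the docs): <index_name>.json files, templates.json and one
# <component>.tar.gz per configuration directory, with members relative to /.
set -eu

ELASTICDUMP="${ELASTICDUMP:-/usr/share/logserver-gui/elasticdump/elasticdump}"
# Change to https://user:password@host:9200 if the defaults were changed.
ES_URL="${ES_URL:-http://localhost:9200}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Step 1: unpack into a private directory. tar -C needs it to exist, and the
# dump contains keystores and credentials, so clamp it to mode 700 (again after
# extraction, since tar may restore the mode of "./" from the archive).
extract_archive() {
  local archive="$1" dest="$2"
  mkdir -p "$dest"
  chmod 700 "$dest"
  tar -xzf "$archive" -C "$dest"
  chmod 700 "$dest"
}

# Step 2: every <index_name>.json is imported into the index of the same name.
restore_indices() {
  local dir="$1" f name
  for f in "$dir"/.*.json "$dir"/*.json; do
    [ -f "$f" ] || continue
    name="$(basename "$f" .json)"
    [ "$name" = "templates" ] && continue   # handled by restore_templates
    run "$ELASTICDUMP" --input="$f" --output="$ES_URL/$name" --type=data
  done
}

# Step 3: index templates are written to the cluster root, not to an index.
restore_templates() {
  local dir="$1"
  [ -f "$dir/templates.json" ] || { echo "no templates.json in $dir" >&2; return 1; }
  run "$ELASTICDUMP" --input="$dir/templates.json" --output="$ES_URL" --type=template
}

# Step 4: unpack each component sub-archive under $root (default /). The member
# list is checked first; an archive that would write outside $root is refused.
restore_components() {
  local dir="$1" root="${2:-/}" a
  mkdir -p "$root"
  for a in "$dir"/*.tar.gz; do
    [ -f "$a" ] || continue
    if tar -tzf "$a" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
      echo "refusing $a: absolute or parent-directory member paths" >&2
      return 1
    fi
    run tar -xzf "$a" -C "$root"
  done
}

# Step 5 (restarting services) is left to the operator: which services are
# affected depends on which component directories were restored.
restore_all() {
  local archive="$1" work="${2:-/tmp/restore}" root="${3:-/}"
  extract_archive "$archive" "$work"
  restore_indices "$work"
  restore_templates "$work"
  restore_components "$work" "$root"
  echo "restore complete; restart the affected services" >&2
}

if [ "$#" -ge 1 ]; then
  restore_all "$@"
fi
```

Run it as root: DRY_RUN=1 ./restore-configuration.sh backup-<hostname>-<datetime>.tar.gz to preview the commands, then without DRY_RUN to apply. Passing a staging directory as the third argument (for example /tmp/restore-root) lets you diff the restored configuration against the live one before extracting to /.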