Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics


Restore Splunk UBA from a full backup

This example shows how to restore from a full backup, using the base directory 1000123 without any accompanying incremental directories.

Do not use this procedure to restore Splunk UBA using a backup file that was created by running the uba-backup.sh script. Only use the full backup file generated by the automated incremental backup.

  1. Prepare the server for the restore operation. If there is any existing data, run:
    /opt/caspida/bin/CaspidaCleanup
  2. Stop all services:
    /opt/caspida/bin/Caspida stop-all
  3. Restore Postgres.
    1. On the Postgres node (node 2 in 20-node deployments, node 1 in all other deployments), clean any existing data. On RHEL, OEL, or CentOS systems, run the following command:
      sudo rm -rf /var/lib/pgsql/10/main/*

      On Ubuntu systems, run the following command:

      sudo rm -rf /var/lib/postgresql/10/main/*
    2. Copy all content under <base directory>/postgres/base to the Postgres node. For example, if you are copying from a different server, use the following command on RHEL, OEL, or CentOS systems:
      sudo scp -r caspida@ubap1:<BACKUP_HOME>/1000123/postgres/base/* /var/lib/pgsql/10/main

      On Ubuntu systems, run the following command:

      sudo scp -r caspida@ubap1:<BACKUP_HOME>/1000123/postgres/base/* /var/lib/postgresql/10/main
    3. Edit the /var/lib/pgsql/10/main/recovery.conf (on RHEL, OEL, or CentOS systems) or /var/lib/postgresql/10/main/recovery.conf (on Ubuntu systems) file, clear all content, and add the following property:
      restore_command = ''
    4. Change ownership of the backup files. On RHEL, OEL, or CentOS systems, run the following command:
      sudo chown -R postgres:postgres /var/lib/pgsql/10/main

      On Ubuntu systems, run the following command:

      sudo chown -R postgres:postgres /var/lib/postgresql/10/main
    5. Start the Postgres service by running the following command on the management node:
      /opt/caspida/bin/Caspida start-postgres
      Monitor the Postgres logs in /var/log/postgresql, which show the progress of the recovery.
    6. Verify that Postgres is restored. Check in the /var/lib/pgsql/10/main (on RHEL, OEL, or CentOS systems) or /var/lib/postgresql/10/main (on Ubuntu systems) directory and verify that the recovery.conf file is renamed to recovery.done.
    7. Once the recovery completes, query Postgres to see if the data is recovered. For example, run the following command from the Postgres CLI:
      psql -d caspidadb -c 'SELECT * FROM dbinfo'
  4. Restore Redis. Redis backups are full backups, even for incremental Splunk UBA backups. You can restore Redis from any backup directory, such as the most recent incremental backup directory. In our example, we restore Redis from the 0000126 incremental backup directory. The Redis backup file name ends with the node number. Be sure to restore each backup file on the corresponding node. For example, in a 5-node cluster, the Redis files must be restored on nodes 4 and 5. Assuming the backup files are on node 1, run the following command on node 4 to restore Redis:
    sudo scp caspida@node1:<BACKUP_HOME>/0000126/redis/redis-server.rdb.4 /var/vcap/store/redis/redis-server.rdb
    

    Similarly, run the following command on node 5:

    sudo scp caspida@node1:<BACKUP_HOME>/0000126/redis/redis-server.rdb.5 /var/vcap/store/redis/redis-server.rdb
    
    View your /etc/caspida/local/conf/caspida-deployment.conf file to see where Redis is running in your deployment.
  5. Restore InfluxDB. Similar to Redis, InfluxDB backups are full backups. You can restore InfluxDB from the most recent backup directory. In this example, InfluxDB is restored from the 0000126 incremental backup directory. On the management node, which hosts InfluxDB, start InfluxDB, clean it up, and restore from backup files:
    sudo service influxdb start
    influx -execute "DROP DATABASE caspida"
    influx -execute "DROP DATABASE ubaMonitor"
    influxd restore -portable <BACKUP_HOME>/0000126/influx
    
  6. Restore HDFS. To restore HDFS, first restore the base backup, then the incremental backups in consecutive order, without skipping any. In our example, we first restore from 1000123, then from 0000124, 0000125, and 0000126.
    1. Start the necessary services. On the management node, run the following command:
      /opt/caspida/bin/Caspida start-all --no-caspida
    2. Restore HDFS from the base backup directory:
      nohup hadoop fs -copyFromLocal <BACKUP_HOME>/1000123/hdfs/caspida /user &

      Restoring HDFS can take a long time. Check the process ID to see whether the restore has completed. For example, if the PID is 111222, check with the following command:

      ps 111222
    3. Change owner in HDFS:
      sudo -u hdfs hdfs dfs -chown -R impala:caspida /user/caspida/analytics
      sudo -u hdfs hdfs dfs -chown -R mapred:hadoop /user/history
      sudo -u hdfs hdfs dfs -chown -R impala:impala /user/hive
      sudo -u hdfs hdfs dfs -chown -R yarn:yarn /user/yarn
      
    4. If the server you are restoring to is different from the one where the backup was taken, run the following commands to update the metadata:
      sudo hive --service metatool -updateLocation hdfs://<RESTORE_HOST>:8020 hdfs://<BACKUP_HOST>:8020
      impala-shell -q "INVALIDATE METADATA"
      
      Note that the host is node1 in the deployment file.
  7. Restore your rules and customized configurations from the latest backup directory:
    1. Restore the configurations:
      sudo cp -pr <BACKUP_HOME>/0000126/conf/* /etc/caspida/local/conf/
    2. Restore the rules:
      sudo rm -Rf /opt/caspida/conf/rules/*
      sudo cp -prf <BACKUP_HOME>/0000126/rule/* /opt/caspida/conf/rules/
      
  8. Start the server:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
    /opt/caspida/bin/CaspidaCleanup container-grouping
    /opt/caspida/bin/Caspida start
    
    Check the Splunk UBA web UI to make sure the server is operational.
  9. If the backup server and the restore server are different, perform the following tasks:
    1. Update the data source metadata:
      curl -X PUT -Ssk -v -H "Authorization: Bearer $(grep '^\s*jobmanager.restServer.auth.user.token=' /opt/caspida/conf/uba-default.properties | cut -d'=' -f2)" https://localhost:9002/datasources/moveDS?name=<DS_NAME>
      
      Replace <DS_NAME> with the data source name displayed in Splunk UBA.
    2. Trigger a one-time sync with Splunk ES: If your Splunk ES host did not change, run the following command:
      curl -X POST 'https://localhost:9002/jobs/trigger?name=EntityScoreUpdateExecutor' -H "Authorization: Bearer $(grep '^\s*jobmanager.restServer.auth.user.token=' /opt/caspida/conf/uba-default.properties | cut -d'=' -f2)" -H 'Content-Type: application/json' -d '{"schedule": false}' -k
      
      If you are pointing to a different Splunk ES host, edit the host in Splunk UBA to automatically trigger a one-time sync.
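The steps above copy from the base directory (Postgres, HDFS) and from the latest incremental directory (Redis, InfluxDB, configurations, rules), and step 6 requires the incremental directories to form an unbroken sequence. The following script is an added example, not part of the Splunk documentation or the Splunk UBA tooling; it checks those conditions before you start. It assumes, from the directory names on this page, that a full backup is named 1NNNNNN and each incremental 0NNNNNN, with NNNNNN increasing by one per backup.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): verify the backup chain
# under BACKUP_HOME before starting the restore.
# Assumption, inferred from the directory names on this page: a full backup
# is named 1NNNNNN and each incremental 0NNNNNN, where NNNNNN is a sequence
# number that grows by one per backup.

# Turn a backup directory name into its sequence number: drop the type digit
# and any leading zeros (an all-zero remainder is sequence 0).
seq_of() { n=$(printf '%s' "$1" | cut -c2- | sed 's/^0*//'); echo "${n:-0}"; }

# Print the restore order "base inc1 inc2 ..." for full backup $2 under $1.
# Fails when the base name is malformed, the chain has a gap, or a directory
# lacks a subdirectory that one of the restore steps copies from.
backup_chain() {
    bhome=$1; base=$2
    case "$base" in 1[0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "not a full backup name: $base" >&2; return 1 ;; esac
    for sub in postgres/base hdfs/caspida; do        # read in steps 3 and 6
        [ -d "$bhome/$base/$sub" ] || { echo "$base lacks $sub/" >&2; return 1; }
    done
    chain=$base; seq=$(seq_of "$base")
    while :; do                                      # walk consecutive incrementals
        seq=$((seq + 1)); next=$(printf '0%06d' "$seq")
        [ -d "$bhome/$next" ] || break
        chain="$chain $next"
    done
    for d in "$bhome"/0[0-9][0-9][0-9][0-9][0-9][0-9]; do  # any later one means a gap
        [ -d "$d" ] || continue
        if [ "$(seq_of "$(basename "$d")")" -gt "$seq" ]; then
            echo "gap: $next is missing but $(basename "$d") exists" >&2; return 1
        fi
    done
    last=${chain##* }                                # steps 4, 5 and 7 copy from here
    for sub in redis influx conf rule; do
        [ -d "$bhome/$last/$sub" ] || { echo "$last lacks $sub/" >&2; return 1; }
    done
    echo "$chain"
}

# usage: sh check_chain.sh <BACKUP_HOME> 1000123
if [ $# -eq 2 ]; then backup_chain "$1" "$2"; fi
```

Run it on the backup host before step 1; the printed order is the order in which the HDFS incrementals must be applied in step 6.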
Last modified on 01 September, 2021

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1

