Configuring the data archive

Data Archive backs up the audit data that Guardium captured, for a specified date, to another location. Typically, data is archived for the previous day, which makes sure that if there is a catastrophe, only the data of that day is lost. This practice also saves disk space and boosts appliance performance. Configure and schedule the archive mechanism during the implementation stage to run nightly: to archive the last day’s data.

About this task

Archive and purge are enabled independently of each other, and the ages at which data is archived and purged are configured independently.

Data Archive files can be used for data restoration for forensic purposes when data for a limited number of days needs to be restored. Restoring archived data does not override the existing data. You can restore data on an appliance that already has data, but you can't restore data on the same unit if data for that day still exists.

In an aggregated environment, data can be archived from the collector, from the aggregator, or from both locations. Most commonly, the data is archived only once, and the location from where it is archived varies depending on your requirements.

The audit data is stored in a normalized way in an internal database of an appliance. The audit data that changes constantly is referred as dynamic data, and the audit data that stays relatively constant is referred as static data. For example, profile data is static and audit data is dynamic.

To save space on storage servers, Guardium uses an incremental archive strategy. The dynamic audit data is archived when it is observed. Static audit data is archived only when the data is observed for the first time. This incremental approach considerably reduces the size of archive files. The tradeoff is that a single archive file might not contain all audit data that needs to be restored back to the appliance. To compensate for this tradeoff, the archive process generates a full (not incremental) archive file the first time the archive process runs, and then again the first day of every month. If you want to have a full archive for the next archive run, use this CLI command: store archive_static_table=on. After that run, the parameter switches back to be off. To check whether the static data is archived in the next run, run the CLI command: show archive_static_table.

The data archive is set to archive data older than one day and ignore data older than two days. In this scenario, each run archives only the data from the previous day.

Guardium’s archive function creates signed, encrypted files that cannot be tampered with. Do not change the names of the generated archive files. The archive and restore operations depend on the file names that are created during the archiving process.

Archive uses the system shared secret to create encrypted data files. Before information encrypted on one system can be restored on another, the target restore system must have the shared secret that is used by the archiving system during file creation. . Data can be restored on the same unit type it was archived from: collector data on a collector, aggregator data on an aggregator.

The format of the archive data file name is one of:
  • <day of data>-<Guardium system name>-w<time of zip>-d<execution date>.dbdump.enc
  • <day of data>-<Guardium system name>-w<time of zip>-d<execution date>.agg.<sql ver>tar.gz.enc
Note: The archive and restore operations depend on the file names that are generated during the archiving process. DO NOT change the names of archived files.

Procedure

  1. Go to Manage > Data Management > Data Archive.
  2. To archive, check the Archive checkbox. More fields display in the Configuration page.
  3. For Archive data older than, enter a value and select a unit of time from the menu.
    To archive data from yesterday, enter the value 1, and select Day(s) from the menu.
  4. In Ignore data older than enter the time interval to archive.
    To archive one day's data, enter 2.
    Tip: Any value that is specified in this field must be greater than the value specified in Archive data older than field. If you leave this field blank, you archive data for all days older than the value specified in Archive data older than field. If you archive daily and purge data older than 30 days, you archive each day of data 30 times (before it is purged on the 31st day).
  5. Select the Archive Values checkbox to include values from SQL strings in the archived data. If this box is cleared, values are replaced with question mark characters on the archive (and hence the values are not available following a restore operation).
  6. Select a protocol and configure the data archive for the storage system. Depending on how your Guardium system is configured, one or more of these options might not be available. For a description of how to configure the archive and backup storage methods, see Configuring external storage or File Handling CLI Commands.
  7. Optional: Use the Scheduling section to define a schedule for running this operation regularly.
  8. Click Test connection The system attempts to verify the configuration by sending a test data file to that location. If the operation fails, an error message displays and the configuration is not saved.
  9. Click Save to save the configuration changes. The system attempts to verify the configuration by sending a test data file to that location. If the operation fails, an error message is displayed and the configuration is not saved.
  10. Optional: Click Run Once Now to run the operation now.

What to do next

  • Verify whether the operation was successfully completed. Click Manage > Reports > Data Management > Aggregation/Archive Log. Each archive operation shows multiple activities. Check that the status of each activity is Succeeded.
  • AWS archives only. Check that the files were uploaded:
    1. Log in to the AWS Management Console http://aws.amazon.com/console/ with your email address and password.
    2. Click S3.
    3. Click the bucket that you specified in the Guardium UI. Verify that the files are there.
  • EMC Centera archives only. Check that the files were uploaded to the EMC Centera. You need the name of the files and a ClipID.