Configure data archive
Data Archive backs up the audit data that Guardium captured for a specified date to another location. Typically, the previous day's data is archived every night, which ensures that if there is a catastrophe, at most the current day's data is lost. This practice also saves disk space and improves appliance performance. Configure and schedule the archive mechanism during the implementation stage so that it runs nightly and archives the previous day's data.
About this task
Data Archive files can be used to restore data for forensic purposes when data for a limited number of days needs to be restored. Restoring archived data does not overwrite existing data: you can restore data to an appliance that already holds data, but you cannot restore a day's data to a unit that still holds data for that day.
In an aggregated environment, data can be archived from the collector, from the aggregator, or from both locations. Most commonly, the data is archived only once, and the location from where it is archived varies depending on your requirements.
The audit data is stored in normalized form in an internal database on the appliance. Audit data that changes constantly is referred to as dynamic data, and audit data that stays relatively constant is referred to as static data. For example, profile data is static and the captured traffic data is dynamic.
To save space on storage servers, Guardium uses an incremental archive strategy. Dynamic audit data is archived whenever it is observed; static audit data is archived only the first time it is observed. This incremental approach reduces the size of archive files dramatically. The tradeoff is that a single archive file might not contain all of the audit data that needs to be restored to the appliance. To compensate, the archive process generates a full (not incremental) archive file the first time it runs, and again on the first day of every month. To force a full archive on the next run, use the CLI command store archive_static_table=on. After that run, the parameter switches back to off. To check whether static data will be archived in the next run, use the CLI command show archive_static_table.
The data archive is usually set to archive data older than one day and ignore data older than two days. In this scenario, each run archives only the data from the previous day.
Guardium's archive function creates signed, encrypted files, so the files cannot be modified without detection. Do not change the names of the generated archive files: the archive and restore operations depend on the file names that are created during the archiving process.
Archive uses the system shared secret to encrypt the data files. Before information encrypted on one system can be restored on another, the target system must hold the shared secret that was in effect on the archiving system when the file was created, so keep the shared secret recoverable for as long as you keep the archives. Data can be restored only on the same unit type it was archived from: collector data on a collector, aggregator data on an aggregator.
The archive file names have these forms:
- <day of data>-<Guardium system name>-w<time of zip>-d<execution date>.dbdump.enc
- <day of data>-<Guardium system name>-w<time of zip>-d<execution date>.agg.<sql ver>tar.gc.enc
Procedure
- Go to .
- To archive, select the Archive checkbox. Additional fields appear on the Configuration page.
- For Archive data older than, enter a value and select a unit of time from the menu. For example, to archive data from yesterday, enter the value 1, and select Day(s) from the menu.
- In Ignore data older than, enter the upper bound of the archive window. For example, to archive exactly one day's data, enter 2: the run then archives data older than 1 day but not older than 2 days. Any value specified here must be greater than the Archive data older than value. If you leave this field blank, each run archives every day of data older than the Archive data older than value that is still on the appliance. With daily archiving and a purge of data older than 30 days, that means each day of data is archived 30 times before it is purged on the 31st day.
- Select the Archive Values checkbox to include the values from SQL strings in the archived data. If this box is cleared, values are replaced with question mark characters in the archive, so they are not available after a restore. Decide this deliberately: the values are what make a restored archive useful for forensics, but they can also contain sensitive data that is then persisted at the archive location.
- Select a Protocols option, and enter the appropriate information. Depending on how your Guardium system is configured, one or more of these buttons might not be available. For a description of how to configure the archive and backup storage methods, see Configuring external storage or File Handling CLI Commands.
- Optional: Use the Scheduling section to define a schedule for running this operation regularly.
- Click Test connection. The system verifies the configuration by sending a test data file to the specified location. If the test fails, an error message is displayed and the configuration is not saved.
- Click Save to save the configuration changes. The system sends a test data file again before saving; if that fails, an error message is displayed and the configuration is not saved.
- Optional: Click Run Once Now to run the operation now.
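The window rules described above (Archive data older than N, Ignore data older than M, the repeated-archiving effect when the ignore value is left blank, and the one-shot archive_static_table flag) as an added worked example. This is a simulation written for this page, not Guardium code; the nightly-run and purge-timing behaviour it assumes is labelled in the docstring, and the function and class names are invented for the illustration.

```python
"""Simulation of the archive window rules described on this page. Added
illustration, not Guardium code: it models the documented behaviour of
"Archive data older than", "Ignore data older than", the purge age, and the
archive_static_table flag, so you can see how many copies of each day's data
a given configuration produces.

Assumptions (not stated on the page): the archive runs once per night, the
purge removes a day of data the day after it passes the purge age, and the
purge runs before the archive on that day.
"""
from collections import Counter
from datetime import date, timedelta


def validate_window(archive_older_than, ignore_older_than):
    """UI rule: Ignore data older than, when set, must exceed Archive data older than."""
    if archive_older_than < 1:
        raise ValueError("Archive data older than must be at least 1 day")
    if ignore_older_than is not None and ignore_older_than <= archive_older_than:
        raise ValueError("Ignore data older than must be greater than Archive data older than")


def data_days_for_run(run_date, archive_older_than, ignore_older_than, purge_older_than):
    """Days of data that one nightly run on run_date archives.

    A day is included when its age (run_date - day) is at least
    archive_older_than, below ignore_older_than if that is set, and at most
    purge_older_than (older data has already been purged under our assumption).
    """
    validate_window(archive_older_than, ignore_older_than)
    oldest_age = purge_older_than
    if ignore_older_than is not None:
        oldest_age = min(oldest_age, ignore_older_than - 1)
    return [run_date - timedelta(days=age) for age in range(archive_older_than, oldest_age + 1)]


def copies_per_day(start, runs, archive_older_than, ignore_older_than, purge_older_than):
    """Run the archive nightly for `runs` days; count archive files per data day."""
    copies = Counter()
    for i in range(runs):
        run_date = start + timedelta(days=i)
        for day in data_days_for_run(run_date, archive_older_than, ignore_older_than, purge_older_than):
            copies[day] += 1
    return copies


class StaticTablePolicy:
    """Decides whether a run writes a full archive (static tables included).

    Full on the first run, on the first day of each month, or when the one-shot
    flag is on; the flag resets after the run, as the page describes for
    'store archive_static_table=on'.
    """

    def __init__(self):
        self.first_run_done = False
        self.static_flag = False

    def store_archive_static_table(self, value):
        self.static_flag = value == "on"

    def show_archive_static_table(self):
        return "on" if self.static_flag else "off"

    def run(self, run_date):
        """Perform one run; return True if it produced a full archive."""
        full = (not self.first_run_done) or run_date.day == 1 or self.static_flag
        self.first_run_done = True
        self.static_flag = False  # parameter switches back to off after the run
        return full


if __name__ == "__main__":
    start = date(2024, 1, 1)  # constructed sample dates
    probe = date(2024, 1, 15)
    daily = copies_per_day(start, 60, 1, 2, 30)     # recommended: yesterday only
    blank = copies_per_day(start, 60, 1, None, 30)  # ignore left blank, 30-day purge
    print(f"{probe}: {daily[probe]} copy with ignore=2, {blank[probe]} copies with ignore blank")
```

Run it before settling on a retention policy: the blank-ignore case shows the same day landing in thirty archive files, which is wasted storage and thirty more copies of sensitive SQL values to protect, not extra safety.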
What to do next
- Verify that the operation completed successfully. Go to . Each archive operation shows multiple activities. Check that the status of each activity is Succeeded.
- AWS archives only. Check that the files were uploaded:
- Log in to the AWS Management Console: http://aws.amazon.com/console/ with your email address and password.
- Click S3.
- Click the bucket that you specified in Guardium UI. Verify that the files are there.
- EMC Centera archives only. Check that the files were uploaded to the EMC Centera. You need the name of the files and a ClipID.