Restoring archived data

You can restore archived data files to review historical data, and run reports or investigations.

Before you begin

Restore archived data from a collector only to the same collector, to an aggregator, or to a different collector that is dedicated to investigation and is not part of an aggregation cluster. Data that was archived on an aggregator cannot be restored on a collector.

About this task

Archives are written to an SCP or an FTP host, or to another external storage system. Archived files are restored by retrieving them through the archive catalog. The Data and Result catalogs, on each Guardium system, track archived files. A new record is added to the catalog whenever the appliance archives data or results. The catalog tracks where every archive file is sent so that the archive files can be retrieved and restored with minimal effort at any point in the future. To restore archives, you must copy one or more archive files to the Guardium system on which the data is to be restored.

Each day's data is in a separate file. Depending on how your archive and purge operations are configured, you might have multiple copies of archived data for the same day. For example, the archive is scheduled to run more than once per day; you click Run Once Now more than once; or the archive runs on its schedule and you also click Run Once Now.

Unless you are restoring data from the first archive that was created during the month, you need to restore multiple days of data because of the incremental archive strategy. All information that is needed for a restore operation is archived automatically, the first time that data is archived each month. Use one of these two methods to restore data:
  • Restore the first day of the month and all the following days until the target date.
  • Restore the target date and then the first day of the following month.

For example, to restore 28 June, either restore 1 June through 28 June, or restore 28 June and 1 July.
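The following added example (not IBM code, and not taken from this page) turns the two restore methods above into a small planning helper. It assumes only what the text states: one archive file per day, the first archive of each month is self-contained, so a target date is covered either by the 1st of its month through the target date, or by the target date plus the 1st of the following month. It also checks each candidate plan against a catalog of available archive days (the catalog structure and sample entries are constructed for the example, not real Guardium catalog output) and flags days that are not available, which is the usual failure when the "target date plus next month" method is chosen before the next month's first archive exists.

```python
"""Plan an incremental archive restore.

Added example, not IBM Guardium code. Assumes only what the page states:
each day's data is a separate archive file, and the first archive of each
month carries everything a restore needs, so a target date is restored
either by (a) the 1st of its month through the target date, or
(b) the target date plus the 1st of the following month.
"""
from datetime import date, timedelta


def first_of_next_month(d):
    """Return the first day of the month after d (handles December)."""
    if d.month == 12:
        return date(d.year + 1, 1, 1)
    return date(d.year, d.month + 1, 1)


def restore_plans(target):
    """Return the two candidate restore sets for `target`, each a list of dates.

    forward:  1st of target's month .. target (method 1 on the page)
    backfill: target, then 1st of the following month (method 2 on the page)
    """
    first = target.replace(day=1)
    forward = [first + timedelta(days=i) for i in range((target - first).days + 1)]
    backfill = [target, first_of_next_month(target)]
    return forward, backfill


def choose_plan(target, catalog):
    """Pick the smallest plan whose every day has at least one archive in `catalog`.

    `catalog` maps a date to the list of archive copies for that day (a day may
    have several copies, e.g. a scheduled run plus a Run Once Now). Returns
    (plan, missing). If neither plan is complete, the plan with the fewest
    missing days is returned together with the dates still to be obtained.
    """
    best = None
    for plan in sorted(restore_plans(target), key=len):
        missing = [d for d in plan if not catalog.get(d)]
        if not missing:
            return plan, []
        if best is None or len(missing) < len(best[1]):
            best = (plan, missing)
    return best


# Constructed sample catalog (hypothetical, not real catalog output):
# date -> labels of the archive copies that exist for that day.
SAMPLE_CATALOG = {
    date(2023, 6, 1): ["scheduled"],
    date(2023, 6, 28): ["scheduled", "run-once-now"],
    date(2023, 7, 1): ["scheduled"],
}

if __name__ == "__main__":
    target = date(2023, 6, 28)
    forward, backfill = restore_plans(target)
    print("method 1 needs", len(forward), "days:", forward[0], "..", forward[-1])
    print("method 2 needs", len(backfill), "days:", backfill)
    plan, missing = choose_plan(target, SAMPLE_CATALOG)
    print("chosen plan:", plan, "missing:", missing)
```

Run against the sample catalog, the planner picks the two-file method (28 June plus 1 July). Remove the 1 July entry and it still prefers that method but reports 1 July as missing, which is the cue to either wait for that archive or fall back to restoring 1 June through 28 June.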

Restoring archive files from an older version into a newer-version appliance is supported for both collector and aggregator archive files. Restoring archive files into a different or newly built appliance is also supported. However, the "shared secret" that was used to archive on the original appliance must be the same on the target appliance.

Restored audit data can be viewed in the same way as regular audit data, by using interactive reports or audit process reports.