Backup
CloudShark Enterprise 4.0.0 and later is distributed as an OVA virtual machine image. These legacy instructions should only be followed after contacting support@qacafe.com for assistance.
If you already have CloudShark Enterprise installed on a virtual machine, please follow the OVA Migration instructions to upgrade.
CloudShark runs on top of a RHEL-based Linux installation which meets our system requirements. The system can be bare metal hardware, a virtual machine, or on your public or private cloud infrastructure.
This document describes what data to backup from an instance of CloudShark so that it can be restored to a new instance by performing a system migration.
Taking a Backup
The general procedure is to stop the CloudShark service, back up the database, and save the settings and user data to a safe location. Note that the backup contains secrets: the TLS private key used for HTTPS, any RSA private keys uploaded to CloudShark, and the MariaDB user and grant tables. The backup destination should therefore be readable only by the administrators who perform restores.
The following steps should be performed to take a backup:
1. Stop CloudShark
Before beginning a backup, CloudShark should be stopped by running:
systemctl stop cloudshark-full
2. Backup User Data
Directories
The following directories should be backed up entirely to restore from a backup to a new system.
- Settings:
/usr/cloudshark/etc
The Settings directory contains configuration files for CloudShark and should be backed up to restore any changes made to the default configuration. This includes the nginx configuration and the TLS certificates used for HTTPS.
- Data:
/usr/cloudshark/data
The Data directory contains the capture files, custom user profiles, and private RSA keys that have been uploaded to CloudShark.
Examples
If you are using external storage and have created a symlink at /usr/cloudshark/data, the files inside the data directory will not be saved by these examples! Neither tar nor rsync -a follows a symlinked directory by default: both store the link itself rather than its contents. To back up the files in the data directory using these examples, replace /usr/cloudshark/data with the storage directory the symlink points to (readlink -f /usr/cloudshark/data prints that directory).
The following examples can be run to create a backup of the settings and data directories.
- Create a compressed tar.gz file with the contents of each directory:
tar -czf cloudshark-settings.tar.gz /usr/cloudshark/etc
tar -czf cloudshark-data.tar.gz /usr/cloudshark/data
- Use rsync to copy each directory to a remote system under the /backup directory:
rsync -avP /usr/cloudshark/etc <REMOTE HOST>:/backup/cloudshark-settings/
rsync -avP --delete /usr/cloudshark/data <REMOTE HOST>:/backup/cloudshark-data/
The --delete flag is added to the rsync command while copying the Data directory to remove any files from the backup that have been deleted from CloudShark since the command was last run. This keeps the remote copy a mirror of the current state rather than a history: a capture removed on the CloudShark host, intentionally or not, is also gone from the backup after the next run, so keep dated snapshots of the backup directory if you need to be able to roll back further.
Database
If you are using an external service for the CloudShark database, a snapshot or backup should be taken.
If you are using the local MariaDB database you can export a snapshot of the database by running the following commands:
mysqldump -uroot cloudshark > cloudshark.sql
mysqldump -uroot mysql > mysql.sql
The resulting .sql files should be saved so that they can be used when performing a system migration. mysql.sql contains the MariaDB user accounts and password hashes, so treat it with the same care as the private keys in the settings and data directories.
Threat Assessment
Any additional threat assessment rules that have been added, or changes to the configuration files under /etc/suricata, should be saved.
Custom Zeek Scripts
Any changes to the default Zeek configuration or additional scripts stored under /usr/cloudshark/share/zeek should be saved.
3. Start CloudShark
After completing a backup, CloudShark can be started by running:
systemctl start cloudshark-full
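The three steps above, including the symlink caveat and the Suricata and Zeek files, collected into one script. This is an added example, not CloudShark's own tooling: it assumes the directory and service names given on this page, root access to the local MariaDB exactly as in the mysqldump commands above, GNU readlink and tar, and a hypothetical destination directory BACKUP_DIR.

```sh
#!/bin/sh
# Added example: one script for the backup procedure described above.
# Not CloudShark's own tooling. Assumptions: the directory and service
# names from this page, root access to MariaDB as in the page's mysqldump
# commands, GNU readlink/tar, and BACKUP_DIR as a hypothetical destination.
set -eu

CS_ROOT="${CS_ROOT:-/usr/cloudshark}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/cloudshark}"   # hypothetical location

# Follow a symlink to the real directory so that external storage mounted
# behind /usr/cloudshark/data is archived, not just the link itself.
resolve_dir() {
    readlink -f "$1"
}

# Archive one directory as $BACKUP_DIR/<name>.tar.gz and print the archive
# path. The archive holds private keys, so it is created with mode 0600.
archive_dir() {
    src=$(resolve_dir "$1")
    out="$BACKUP_DIR/$2.tar.gz"
    # Strip the leading slash and use -C / so tar stores relative paths
    # without the "Removing leading /" warning.
    ( umask 077 && tar -czf "$out" -C / "${src#/}" )
    printf '%s\n' "$out"
}

# Dump the application database and the mysql grant tables (user accounts
# and password hashes), again with restrictive file permissions.
dump_db() {
    ( umask 077
      mysqldump -uroot cloudshark > "$BACKUP_DIR/cloudshark.sql"
      mysqldump -uroot mysql > "$BACKUP_DIR/mysql.sql" )
}

# Steps 1-3: stop the service, capture everything, restart the service.
# The trap restarts CloudShark even if an archive or dump step fails.
run_backup() {
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
    systemctl stop cloudshark-full
    trap 'systemctl start cloudshark-full' EXIT
    archive_dir "$CS_ROOT/etc"        cloudshark-settings
    archive_dir "$CS_ROOT/data"       cloudshark-data
    dump_db
    archive_dir /etc/suricata         suricata-config
    archive_dir "$CS_ROOT/share/zeek" zeek-scripts
    # Record checksums so a restore can detect a truncated or altered archive.
    ( cd "$BACKUP_DIR" && sha256sum ./*.tar.gz ./*.sql > SHA256SUMS )
}

# Run the full procedure only when invoked as "backup.sh run"; sourcing the
# file or running it without the argument just defines the functions.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Run it as root with ./backup.sh run. Because archive_dir resolves each path with readlink -f before calling tar, a symlinked /usr/cloudshark/data is archived by its target, which is the case the warning above is about; the resulting archives and dumps are the same files the manual commands produce, so the system migration instructions apply to them unchanged.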
Restoring from a backup
A system migration can be performed using this data to restore from a backup to a new system running the same version of CloudShark.