Search Results


This document describes what data to backup from an instance of CloudShark so that it can be restored to a new instance by performing a system migration.

Taking a Backup

The general procedure is to stop the CloudShark service, backup the database and save the settings and user data to a safe location.

The following steps should be performed to take a backup:

1. Stop CloudShark

Before beginning a backup CloudShark should be stopped by running:

systemctl stop cloudshark-full

2. Backup User Data


The following directories should be backed up entirely to restore from a backup to a new system.

  • Settings: /usr/cloudshark/etc

The Settings directory contains configuration files for CloudShark and should be backed up to restore any changes made to the default configuration. This includes the nginx configuration and the TLS certificates used for HTTPS.

  • Data: /usr/cloudshark/data

The Data directory contains the capture files, custom user profiles, and private RSA keys that have been uploaded to CloudShark.


If you are using external storage and have created a symlink as /usr/cloudshark/data, the files inside the data directory will not be saved using these examples!

To backup the files in the data directory using these examples, replace /usr/cloudshark/data with the storage directory the symlink points to.

The following examples can be run to create a backup of the settings and data directories.

  • Create a compressed tar.gz file with the contents of each directory:
tar -czf cloudshark-settings.tar.gz /usr/cloudshark/etc
tar --czfcloudshark-data.tar.gz /usr/cloudshark/data
  • Use rsync to copy each directory to a remote system under the /backup directory:
rsync -avP /usr/cloudshark/etc <REMOTE HOST>:/backup/cloudshark-settings/
rsync -avP --delete /usr/cloudshark/data <REMOTE HOST>:/backup/cloudshark-data/

The --delete flag is added to the rsync command while copying the Data Directory to remove any files from the backup that have been deleted from CloudShark since the command was last run.


If you are using an external service for the CloudShark database, a snapshot or backup should be taken.

If you are using the local MariaDB database you can export a snapshot of the database by running the following commands:

mysqldump -uroot cloudshark > cloudshark.sql
mysqldump -uroot mysql > mysql.sql

The resulting .sql files should be saved so that they can be used when performing a system migration.

Threat Assessment

Any additional threat assessment rules that have been added or changes to the configuration files under /etc/suricata should be saved.

Custom Zeek Scripts

Any changes to the default Zeek configuration or additional scripts stored under /usr/cloudshark/share/zeek should be saved.

3. Start CloudShark

After completing a backup CloudShark can be started by running:

systemctl start cloudshark-full

Restoring from a backup

A system-migration can be performed using this data to restore from a backup to a new system running the same version of CloudShark.