This document describes what data to back up from an instance of CloudShark so that it can be restored to a new instance by performing a system migration.
Taking a Backup
The general procedure is to stop the CloudShark service, back up the database, and save the settings and user data to a safe location.
The following steps should be performed to take a backup:
1. Stop CloudShark
Before beginning a backup, CloudShark should be stopped by running:
systemctl stop cloudshark-full
2. Backup User Data
The following directories should be backed up entirely to restore from a backup to a new system.
The Settings directory contains configuration files for CloudShark and should be backed up to restore any changes made to the default configuration. This includes the nginx configuration and the TLS certificates used for HTTPS.
The Data directory contains the capture files, custom user profiles, and private RSA keys that have been uploaded to CloudShark.
If you are using external storage and have created a symlink as /usr/cloudshark/data, the files inside the data directory will not be saved using these examples! To back up the files in the data directory using these examples, replace /usr/cloudshark/data with the storage directory the symlink points to.
The following examples can be run to create a backup of the settings and data directories.
- Create a compressed tar.gz file with the contents of each directory:
tar -czf cloudshark-settings.tar.gz /usr/cloudshark/etc
tar -czf cloudshark-data.tar.gz /usr/cloudshark/data
- Use rsync to copy each directory to a remote system under the
rsync -avP /usr/cloudshark/etc <REMOTE HOST>:/backup/cloudshark-settings/
rsync -avP --delete /usr/cloudshark/data <REMOTE HOST>:/backup/cloudshark-data/
The --delete flag is added to the rsync command while copying the Data directory to remove any files from the backup that have been deleted from CloudShark since the command was last run.
If you are using an external service for the CloudShark database, a snapshot or backup should be taken.
If you are using the local MariaDB database, you can export a snapshot of the database by running the following commands:
mysqldump -uroot cloudshark > cloudshark.sql
mysqldump -uroot mysql > mysql.sql
The .sql files should be saved so that they can be used when performing a system migration.
Any additional threat assessment rules that have been added or changes to the configuration files under should be saved.
Custom Zeek Scripts
Any changes to the default Zeek configuration or additional scripts stored under /usr/cloudshark/share/zeek should be saved.
3. Start CloudShark
After completing a backup, CloudShark can be started by running:
systemctl start cloudshark-full
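The three steps above as one script, given here as an added example that is not part of the CloudShark documentation: it resolves a symlinked data directory before archiving and writes the archives owner-only, since they contain the TLS certificates and uploaded private RSA keys. The function names, the `--run` argument, the script name in the comment and the choice to store paths relative to the resolved directory are assumptions of this example, and the database dumps assume the local MariaDB.

```sh
#!/bin/sh
# Added example: CloudShark backup that follows a symlinked data directory
# and keeps the resulting archives readable by their owner only.

# Print the real directory behind a path, so a symlinked
# /usr/cloudshark/data is archived by content, not as a bare link.
resolve_dir() (
    real=$(readlink -f -- "$1") && [ -d "$real" ] && printf '%s\n' "$real"
)

# archive_dir SRC ARCHIVE: write the contents of SRC (symlink resolved) to
# ARCHIVE with paths relative to SRC (an assumption of this example).
archive_dir() (
    src=$(resolve_dir "$1") || { echo "not a directory: $1" >&2; exit 1; }
    umask 077            # archives hold TLS certificates and private RSA keys
    rm -f -- "$2"        # a pre-existing file would keep its old permissions
    tar -czf "$2" -C "$src" . || exit 1
    tar -tzf "$2" >/dev/null     # confirm the archive can be read back
)

# run_backup DEST: stop CloudShark, save settings, data and the local
# MariaDB dumps into DEST, then start CloudShark again.
run_backup() (
    dest=${1:?usage: run_backup <backup-dir>}
    umask 077
    mkdir -p "$dest" || exit 1
    systemctl stop cloudshark-full || exit 1
    status=0
    archive_dir /usr/cloudshark/etc  "$dest/cloudshark-settings.tar.gz" || status=1
    archive_dir /usr/cloudshark/data "$dest/cloudshark-data.tar.gz"     || status=1
    mysqldump -uroot cloudshark > "$dest/cloudshark.sql" || status=1
    mysqldump -uroot mysql      > "$dest/mysql.sql"      || status=1
    systemctl start cloudshark-full || status=1   # restart even after a failure
    exit "$status"
)

# Only act when asked to, e.g.: sh cloudshark-backup.sh --run /backup/cloudshark
if [ "${1:-}" = "--run" ]; then
    run_backup "${2:-}"
fi
```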
Restoring from a backup
A system migration can be performed using this data to restore from a backup to a new system running the same version of CloudShark.