Using the Snapshot Backup/Restore Tab

You must have Root scope to use this feature.

The System | Data Management | Snapshot Backup/Restore tab lets you manage snapshot-based backups of data and configuration. You can create snapshot-based backups and restore from them in this tab.

Keep in mind that restores are for data that is in the hot tier, as specified by your Retention Group settings, and are typically performed in disaster recovery scenarios.

The Snapshot Backup/Restore tab was named Backup/Restore prior to the 4.3.1 release.

Snapshots or Data Sinks?

Stellar Cyber can perform restores from either snapshots or a data sink, depending on how you have configured the system. This topic describes how to restore data from snapshots stored in a Backup/Restore backup configured in the System | Data Management | Snapshot Storage Configuration tab.

Starting with Version 4.3.1, you can also restore data from a data sink using the tools in the Data Sink Restore tab. Data will only be available for restore here if you have configured and enabled a Data Sink in the System | Data Sinks tab. Data Sink restores take longer than Snapshot imports, but they have the advantage of providing more fine-grained filters specifying exactly what data you want to restore.

Types of Snapshot Backups

You can have a data backup and a configuration backup, or a single combined data/configuration backup. If you have separate data and configuration backups, you can configure a different frequency for each.

Stellar Cyber keeps 2 data backups and up to 30 configuration backups. Use the following guidelines to allocate sufficient storage for your backups:

  • data backup—the size of the data backup depends on your rate of ingestion. A useful formula is: (number of backups) x (ingestion/day) = disk space required. To keep 2 backups if you're ingesting 200 GB/day, you need 400 GB of disk space ((2 backups) x (200 GB/day) = 400 GB).

  • configuration backup—configuration backups are small, so one GB per backup for a total of 30 GB should be plenty.

    In the event of an emergency, Stellar Cyber also maintains automatic daily configuration backups for the last four days on the local DL-Master. Refer to Automatic Local Configuration Backups for details.

Scheduling a Snapshot Backup

You can schedule data and configuration backups. To schedule a snapshot backup:

  1. Configure an external storage location for the backup in the Snapshot Storage Configuration tab.
  2. Click System | Data Management | Snapshot Backup/Restore. The existing backups are displayed.
  3. Click  Backup. The Add Backup Configuration screen appears.
  4. Enter a Name. You cannot change the name after you submit.
  5. Choose the location in the Storage field.
  6. Choose whether to back up the data, the configuration, or both.
  7. Choose the Copies for Configuration Backup and Copies for Data Backup. The number of copies you keep affects the amount of storage you need.
  8. Choose how often to run the backup in the Frequency field. If you choose Daily the Scheduled Time fields appear. If you choose Weekly the Select Which Day and Scheduled Time fields appear.

    Schedule a Daily data backup if you have a cluster without a data replica. If you do have a data replica but want additional disaster recovery, schedule a Daily or Weekly data backup.

    The Projected Disk Usage displays the amount of storage space required based on your licensed ingestion rate, the number of copies you want to keep, and the frequency of the backups.

  9. Choose the day, time, and timezone for the backup.
  10. Click Submit.

Your backup is immediately scheduled.

The performance of the Data Lake is reduced by up to 30% while the backup is in progress. Always schedule your backups during periods of low traffic.

Your first backup backs up the entire database. Subsequent backups only save the changes from the first backup, so are much faster. Schedule your first backup during a period with the lowest possible traffic.

If a backup partially fails, you cannot restore from it. However, subsequent backups leverage the successful index backups and retry the failed ones.

Restoring from a Snapshot Backup

To restore your system from a saved snapshot backup:

  1. Click System | Data Management | Snapshot Backup/Restore. The existing snapshot backups are displayed.
  2. Click Restore. The Add Restore Configuration screen appears.
  3. Choose the storage location in the Storage field. This is a location with a backup. Stellar Cyber includes all configured snapshot backup locations in the dropdown.
  4. Choose the file name of the configuration backup, data backup, or both. Stellar Cyber includes all available files at the location you chose.

    Stellar Cyber can only restore configurations for the currently running version, so only those files are displayed.

  5. Select Clear Database to clear the existing event data before restoring. Do this if you have problems with the data, such as corruptions or duplicates, and are restoring to a backup DP. You can also clear the event data from the Advanced tab.
  6. Enter the Stellar Cyber license to enable a configuration restore. The configuration file is password protected. Entering the license ensures that you are restoring the configuration to the appropriate system.
  7. Click Submit. The restore starts immediately, and can take several minutes.

No data is ingested until the restore is complete. We strongly recommend that you restore during a maintenance window.

When you restore, the Stellar Cyber user interface restarts. Ensure that no other admins are using Stellar Cyber before you submit.

Optional minimal_backup Mode

You can use the DP CLI to enable a special minimal_backup mode to conserve on disk space in special situations.

In order to preserve your data, Stellar Cyber does not recommend the usage of minimal_backup mode unless Customer Success advises it. When in doubt, ask Customer Success for the best strategy for your situation and follow the best practices for data durability described here.

When minimal_backup mode is enabled:

  • Stellar Cyber does not create local backups at all.

  • Stellar Cyber does not back up user activity logs to external snapshot storage. This can help minimize disk space in deployments with a high amount of public API calls, all of which are stored in user activity logs.

You enable minimal_backup mode with the set mode minimal_backup enable command. The syntax is provided below:

Copy
DataProcessor(AIO)> set mode
MINIMAL_BACKUP: exclude certain usage data from configuration backups to save disk space
DataProcessor(AIO)> set mode minimal_backup enable
DataProcessor(AIO)> set mode minimal_backup disable
DataProcessor(AIO)> show mode
Minimal Backup:        Disabled