Backing up and restoring the data of the Central Node server in distributed solution and multitenancy mode
This scenario describes the procedure for backing up and restoring data on Central Node servers deployed in distributed solution or multitenancy mode.
To back up and restore data when using the distributed solution and multitenancy mode, you must connect to each Central Node server in the hierarchy and follow the steps of the instructions below.
Backing up and restoring data on Central Node servers deployed in distributed solution or multitenancy mode involves the following steps:
- Creating a backup copy
You can create a backup copy using the administrator menu or in Technical Support Mode:
How to create a backup copy in the administrator menu
The backup copy of Kaspersky Anti Targeted Attack Platform contains databases (alerts database, VIP status details, the list of data excluded from the scan, notifications) and Central Node or PCN settings only.
- Sign in to the management console of the server which you want to back up over SSH or through a terminal.
- When prompted, enter the user name and password of the administrator account.
The application component administrator menu is displayed.
- In the list of sections of the application administrator menu, select the System administration section.
- Press Enter.
This opens the action selection window.
- In the list of actions, select Backup/Restore settings.
- Press Enter.
This opens the Backup/Restore settings window.
- In the list of actions, select New.
- Press Enter.
This opens the Backup settings window.
- Click Back up.
The backup copy is created.
How to create a backup copy in Technical Support Mode
- Sign in to the management console of the server which you want to back up over SSH or through a terminal.
- When prompted, enter the user name and password of the administrator account.
The application component administrator menu is displayed.
- In the list of sections of the application administrator menu, select the Technical Support Mode section.
- Press Enter.
This opens the Technical Support Mode confirmation window.
- Confirm that you want to manage the application in Technical Support Mode. To do so, select Yes and press Enter.
- Run the following command:
sudo kata-run.sh kata-backup-restore backup
You can also specify one or multiple parameters for this command (see the table below).
Use the -h parameter to display help on the available parameters.
Parameters for creating a backup copy
Required parameter | Parameter | Description
Yes | -b <path> | Create a backup copy at the specified path, where <path> is the absolute or relative path to the directory in which you want to create the backup copy.
No | -c | Clear the directory before saving the backup copy.
No | -d <number of stored files> | Specify the maximum number of backup files stored in the directory, where <number of stored files> is the number of files.
No | -e | Save files in Storage.
No | -q | Save files in quarantine.
No | -a | Save files awaiting rescan.
No | -s | Save Sandbox artifacts.
No | -n | Save Central Node or PCN settings.
No | -l <filepath> | Save the command execution result to a file, where <filepath> is the name of the event log file, including the absolute or relative path to the file.
If no additional parameters are specified, the backup copy contains only databases (alerts database, VIP status details, the list of data excluded from the scan, notifications).
Example:
Command for creating a backup copy:
sudo kata-run.sh kata-backup-restore backup -b <path> -c -d <number of stored files> -e -q -a -s -n -l <filepath>
- Saving the backup copy to the hard drive
To save the backup copy on the hard drive of your computer, run the following command (the trailing . is the destination, the current directory on your computer):
scp <name of the account used for working in the administrator menu and in the server management console>@<IP address of the server>:<name of the backup file of the form: data_kata_<date and time of backup copy creation>.tar> .
Example:
Command for downloading to the hard drive of your computer a backup copy created on a Central Node server with the IP address 10.0.0.10 under the 'admin' account on April 10, 2020 at 10 hours 00 minutes 00 seconds:
scp admin@10.0.0.10:data_kata_2020_04_10T10_00_00.tar .
The backup copy is saved to the current directory on the hard drive of your computer.
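The following script is an added example and is not part of the Kaspersky Anti Targeted Attack Platform documentation or tooling. It shows how to pick the newest backup file from a directory listing by the timestamp embedded in the file name (data_kata_<YYYY>_<MM>_<DD>T<hh>_<mm>_<ss>.tar, the scheme given above), reject names that do not follow that scheme, and print the scp command that downloads the chosen file into the current directory. The listing, account name and server address are constructed for the example; the functions is_kata_backup_name, newest_kata_backup and download_command are hypothetical helpers.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky Anti Targeted Attack Platform
# documentation: select the newest backup file by the timestamp in its name
# (data_kata_<YYYY>_<MM>_<DD>T<hh>_<mm>_<ss>.tar) and build the scp command
# that downloads it. All names, hosts and accounts below are constructed.

# Name scheme of backup files produced by kata-backup-restore.
KATA_BACKUP_PATTERN='^data_kata_[0-9]{4}_[0-9]{2}_[0-9]{2}T[0-9]{2}_[0-9]{2}_[0-9]{2}\.tar$'

# is_kata_backup_name NAME: succeeds only if NAME follows the scheme above.
is_kata_backup_name() {
    printf '%s\n' "$1" | grep -Eq "$KATA_BACKUP_PATTERN"
}

# newest_kata_backup NAME...: prints the newest name that follows the scheme,
# or nothing if none does. Every field is zero-padded and fixed-width, so a
# plain byte-wise sort orders the names chronologically.
newest_kata_backup() {
    for name in "$@"; do
        is_kata_backup_name "$name" && printf '%s\n' "$name"
    done | LC_ALL=C sort | tail -n 1
}

# download_command USER HOST NAME...: prints the scp command that copies the
# newest backup among NAME... from the server into the current directory,
# given explicitly as ".". Fails if no name follows the scheme.
download_command() {
    user=$1
    host=$2
    shift 2
    newest=$(newest_kata_backup "$@")
    if [ -z "$newest" ]; then
        echo "no argument matches the backup file naming scheme" >&2
        return 1
    fi
    printf 'scp %s@%s:%s .\n' "$user" "$host" "$newest"
}

# Constructed listing of a server's home directory. Only the data_kata_* names
# are candidates; the "-old" copy is rejected because it breaks the scheme.
SAMPLE_LISTING='data_kata_2020_04_09T23_59_59.tar data_kata_2020_04_10T10_00_00.tar data_kata_2020_04_10T09_30_00-old.tar notes.txt'

# Usage: print the scp command for the sample listing.
# Word splitting of $SAMPLE_LISTING into separate names is intended here.
download_command admin 10.0.0.10 $SAMPLE_LISTING
```

Rejecting names that do not match the scheme matters because a renamed or manually edited copy is no longer identifiable by creation time; the script prints the command rather than executing it so that the chosen file can be reviewed before the transfer.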
- Reinstalling the application
Remove and reinstall Kaspersky Anti Targeted Attack Platform.
Data can be restored from backup only to a server with the Central Node role. If you assign the PCN or SCN role to the server before you begin, the restoration process will fail.
When installing the application, you need to specify the same network mask for addressing servers that was specified in the backup copy of the application. If the values do not match, the Embedded Sensor encounters an error after the restoration of the application. If necessary, you can restore the component.
After installation, you must add license keys of the same types (KATA, KATA + NDR, KEDR) to the application as were added on the server where the backup copy was created. This is necessary to restore all the Central Node, PCN, or SCN settings saved in the backup copy.
- Uploading a backup copy to the server
Upload your backup copy to the Central Node server by running the following command:
scp <name of the backup file of the form: data_kata_<date and time of backup copy creation>.tar> <name of the account used for working in the administrator menu and in the server management console>@<IP address of the server>:
Example:
Command for uploading a backup copy created on April 10, 2020 at 10 hours 00 minutes 00 seconds to the Central Node server with the IP address 10.0.0.10 under the 'admin' account:
scp data_kata_2020_04_10T10_00_00.tar admin@10.0.0.10:
The backup copy is uploaded to the current directory on the Central Node server.
- Restoring data from a backup copy
You can restore data from a backup copy on the Central Node server using the administrator menu or in Technical Support Mode:
How to restore data in the administrator menu
- Sign in to the management console of the server whose data you want to restore over SSH or through a terminal.
- When prompted, enter the user name and password of the administrator account of the application component.
The application component administrator menu is displayed.
- In the list of sections of the application administrator menu, select the System administration section.
- Press Enter.
This opens the action selection window.
- In the list of actions, select Backup/Restore settings.
- Press Enter.
This opens the Backup/Restore settings window.
- In the list of files containing backup copies of the application, select the file from which you want to restore the server data.
If the necessary file is not listed, upload the file containing the backup copy to the server.
- Press Enter.
This opens the action selection window.
- In the list of actions, select Restore <name of the backup file of the form: data_kata_<creation date and time of the backup copy>.tar>
- Press Enter.
This opens the action confirmation window.
- Click Restore.
The process of restoring the server data from the backup copy starts.
The settings for receiving mirrored traffic from SPAN ports are restored automatically if the names of network interfaces are the same on the server where the backup copy was created and on the server where data is being restored from the backup copy.
How to recover data in Technical Support Mode
- Sign in to the management console of the server whose data you want to restore over SSH or through a terminal.
- When prompted, enter the user name and password of the administrator account of the application.
The application component administrator menu is displayed.
- In the list of sections of the application administrator menu, select the Technical Support Mode section.
- Press Enter.
This opens the Technical Support Mode confirmation window.
- Confirm that you want to manage the application in Technical Support Mode. To do so, select Yes and press Enter.
- Run the following command:
sudo kata-run.sh kata-backup-restore restore
You can also specify one or multiple parameters for this command (see the table below).
Use the -h parameter to display help on the available parameters.
Data restoration parameters
Required parameter | Parameter | Description
Yes | -r <path> | Restore data from a file containing a backup copy, where <path> is the full path to the backup file.
No | -l <filepath> | Save the command execution result to a file, where <filepath> is the name of the event log file, including the absolute or relative path to the file.
Example:
Command for restoring the data from a backup copy:
sudo kata-run.sh kata-backup-restore restore -r <path> -l <filepath>
The settings for receiving mirrored traffic from SPAN ports are restored automatically if the names of network interfaces are the same on the server where the backup copy was created and on the server where data is being restored from the backup copy.
If the hardware configuration of the Central Node server on which the backup copy was created differs from the hardware configuration of the server on which you are planning to restore the server settings, you need to reconfigure the application scaling settings after restoring.
After restoring the data, you do not need to reconnect the SCNs to the PCN: the PCN connection settings and the list of connected SCNs are restored from the backup copy.
The backup copy of server settings does not contain PCAP files of recorded mirrored network traffic. You can save and restore PCAP files on your own by copying them from the /data/volumes/dumps directory of the connected storage. After restoring data, you must connect your external storage.
Limitation that applies when restoring data in distributed solution and multitenancy mode
After restoring data in the distributed solution and multitenancy mode, new alerts created by the AM technology may not be displayed in the table of alerts. You can check whether the limitation applies to you and take steps to fix it, if necessary.
To see if new alerts are being displayed in the alerts table:
- Enable the monitoring point for the Sensor that you are using.
- If you are using a stand-alone Sensor, use SSH or a terminal to log in to the management console of that Sensor server.
- If you are using the Embedded Sensor, log in to the management console of the Central Node server that hosts the Embedded Sensor over SSH or using a terminal.
If the Central Node is deployed as a cluster, you need to log in to the management console of the worker server on which mirrored SPAN traffic processing is enabled.
How to find out the address of this server
- Enter the management console of any functioning cluster server over SSH or using a terminal.
- When prompted, enter the user name and password of the administrator account of the application component.
The application component administrator menu is displayed.
- In the list of sections of the application administrator menu, select the Technical Support Mode section.
- Press Enter.
This opens the Technical Support Mode confirmation window.
- Confirm that you want to manage the application in Technical Support Mode. To do so, select Yes and press Enter.
- Determine the address of the worker server in the cluster on which mirrored SPAN traffic processing is enabled:
sudo docker node ls -q | sudo xargs docker node inspect -f '{{ if eq (index .Spec.Labels "infrastructure.span") "true" }}{{ .Description.Hostname }}{{ end }}'
The command displays the address of the worker server in the cluster on which mirrored SPAN traffic processing is enabled.
- Log in to the management console of this server using the SSH protocol:
ssh admin@<server address obtained at step 6>
- When the system prompts you, enter the administrator user name and the password that was specified during installation of the component.
The application component administrator menu is displayed.
- In the application administrator menu, select Technical Support Mode.
- Press Enter.
This opens the Technical Support Mode confirmation window.
- Confirm that you want to manage the application in Technical Support Mode. To do so, select Yes and press Enter.
- Run the following command:
watch "curl http://127.0.0.1:9191/metrics | grep preprocessor_files_extracted_fromhttp"
If 0 is displayed for the preprocessor_files_extracted_fromhttp field, follow the steps below to remove the limitation.
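The following script is an added example and is not part of the Kaspersky documentation or tooling. Instead of reading the grep output by eye, it parses the metrics text for the preprocessor_files_extracted_fromhttp counter named above and returns a distinct exit status for "counter is non-zero", "counter is zero" (the symptom of the limitation) and "metric not present", so the check can be scripted after a restore. It assumes the endpoint returns Prometheus-style text (one sample per line, optional {labels} after the metric name); the two metrics samples embedded below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky documentation: evaluate the
# preprocessor_files_extracted_fromhttp counter from metrics text such as the
# output of curl http://127.0.0.1:9191/metrics. Assumes Prometheus-style text
# exposition (an assumption, not stated by the documentation).

# Constructed sample: the counter is non-zero, so HTTP file extraction works.
SAMPLE_METRICS_OK='# HELP preprocessor_files_extracted_fromhttp Files extracted from HTTP
# TYPE preprocessor_files_extracted_fromhttp counter
preprocessor_files_extracted_fromhttp 1532
preprocessor_files_extracted_fromsmtp 12'

# Constructed sample: the counter is zero, the symptom described above.
SAMPLE_METRICS_ZERO='preprocessor_files_extracted_fromhttp 0
preprocessor_files_extracted_fromsmtp 12'

# extracted_from_http_count METRICS_TEXT: prints the summed value of all
# preprocessor_files_extracted_fromhttp samples (with or without labels),
# skipping comment lines and metrics that merely share the prefix. Prints
# nothing if the metric is absent.
extracted_from_http_count() {
    printf '%s\n' "$1" | awk '
        /^#/ { next }
        $1 ~ /^preprocessor_files_extracted_fromhttp([{].*[}])?$/ { sum += $2; found = 1 }
        END { if (found) print sum + 0 }
    '
}

# http_extraction_status METRICS_TEXT: returns 0 when the counter is non-zero
# (new alerts should appear), 1 when it is zero (the limitation applies and
# the reset steps below are needed), 2 when the metric is missing entirely
# (the Sensor is not exposing it, which needs separate investigation).
http_extraction_status() {
    count=$(extracted_from_http_count "$1")
    if [ -z "$count" ]; then
        return 2
    elif [ "$count" -eq 0 ]; then
        return 1
    fi
    return 0
}

# live_check: the same evaluation against the running Sensor. Requires curl
# and network access to the metrics port; not exercised offline.
live_check() {
    http_extraction_status "$(curl -s http://127.0.0.1:9191/metrics)"
}

# Usage: report the result for the constructed samples.
for sample in "$SAMPLE_METRICS_OK" "$SAMPLE_METRICS_ZERO"; do
    http_extraction_status "$sample" && echo "extraction active" || echo "status $?: counter zero or missing"
done
```

Run live_check from the worker server that processes SPAN traffic; a status of 1 is the condition under which the reset steps that follow apply.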
To remove the limitation when using Embedded Sensor:
- Log in to the management console of the Central Node server that hosts the Embedded Sensor over SSH or using a terminal.
If the Central Node is deployed as a cluster, you need to log in to the management console of the worker server on which mirrored SPAN traffic processing is enabled.
How to find out the address of this server
- Enter the management console of any functioning cluster server over SSH or using a terminal.
- When prompted, enter the user name and password of the administrator account of the application component.
The application component administrator menu is displayed.
- In the list of sections of the application administrator menu, select the Technical Support Mode section.
- Press Enter.
This opens the Technical Support Mode confirmation window.
- Confirm that you want to manage the application in Technical Support Mode. To do so, select Yes and press Enter.
- Determine the address of the worker server in the cluster on which mirrored SPAN traffic processing is enabled:
sudo docker node ls -q | sudo xargs docker node inspect -f '{{ if eq (index .Spec.Labels "infrastructure.span") "true" }}{{ .Description.Hostname }}{{ end }}'
The command displays the address of the worker server in the cluster on which mirrored SPAN traffic processing is enabled.
- Log in to the management console of this server using the SSH protocol:
ssh admin@<server address obtained at step 6>
- Raise the privileges of the user by running the following command:
sudo -i
- Run the following commands:
kata-sensor-tool reset
kata-sensor-tool reset-core
kata-sensor-tool init-embedded-sensor
- Verify that a new alert is displayed in the table of alerts by following the steps of the instructions for checking new alerts.
The limitation is removed.
To remove the limitation when using a Sensor installed on a server separately from Central Node:
- Delete the connected Sensor in the Kaspersky Anti Targeted Attack Platform web interface.
- Log in to the management console of that Sensor via the SSH protocol or through a terminal.
- Raise the privileges of the user by running the following command:
sudo -i
- Run the following command:
kata-sensor-tool reset
- Reconnect the Sensor to the Central Node.
- Verify that a new alert is displayed in the table of alerts by following the steps of the instructions for checking new alerts.
The limitation is removed.