To perform a backup, you must run all commands on the primary and minion systems unless otherwise noted. Perform all steps on all standalone servers.
Prerequisites
All procedures require root-level access.
Procedure
- Stop Carbon Black EDR services.
- Copy and save all entries in the Carbon Black server section from /etc/hosts that are marked by {{BEGIN - CB Server}} and {{END - CB Server}} comments to a remote location. There might not be a Carbon Black server section, or the section might be empty.
- Issue the following commands to back up files. (Not all files exist on some systems or installations.)
tar -P --selinux -cvf cbssh.tar /etc/ssh/
tar -P --selinux -cvf cbconfig.tar /etc/cb/
tar -P --selinux -cvf cbrootauthkeys.tar /root/.ssh/authorized_keys
tar -P --selinux -cvf cbinstallers.tar /usr/share/cb/coreservices/installers/
tar -P --selinux -cvf cbcrons.tar /etc/cron.d/cb
- You can perform a full backup, or you can skip event core backups if migration space is limited. Issue one of the following commands.
Full backup:
tar -P --selinux -cvf cbdata.tar /var/cb/
Backup without event core:
tar --exclude=/var/cb/data/solr?/cbevents/* -P --selinux -cvf cbdata.tar /var/cb
- Back up custom changes from the following locations:
/etc/rsyslog.conf
/etc/rsyslog.d/
/usr/share/cb/syslog_templates (on primary machine only)
- Custom syslog changes might be specified in the /etc/cb/cb.conf file. Search the file for any SyslogTemplate= entries. For example:
WatchlistSyslogTemplateBinary=/var/custom/syslog/watchlist_binary_custom.template
- Save tar data to a remote location.
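
The SyslogTemplate= search in the step above can be scripted. The following is an added example, not part of the vendor procedure: it lists the template paths that cb.conf references and keeps only those outside the locations the tar commands already archive, such as the /var/custom/syslog/ path in the example entry. The function names and the sample file are assumptions; every sample key name except WatchlistSyslogTemplateBinary is made up.

```shell
#!/bin/sh
# Added example (not vendor code): find template files referenced by
# SyslogTemplate entries in cb.conf that the tar commands would miss.

# Locations the procedure already archives (paths taken from the page).
COVERED_PREFIXES="/etc/cb/ /var/cb/ /etc/rsyslog.d/ /usr/share/cb/syslog_templates/"

# Print the value of every uncommented key containing "SyslogTemplate".
# Commented-out lines and keys with an empty value are skipped.
list_syslog_templates() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    sed -n -E 's/^[[:space:]]*[A-Za-z0-9_]*SyslogTemplate[A-Za-z0-9_]*[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p' "$1" | sort -u
}

# Print only the referenced paths that lie outside the archived locations.
uncovered_templates() {
    list_syslog_templates "$1" | while IFS= read -r path; do
        covered=no
        for prefix in $COVERED_PREFIXES; do
            case "$path" in "$prefix"*) covered=yes ;; esac
        done
        [ "$covered" = yes ] || printf '%s\n' "$path"
    done
}

# Constructed sample cb.conf fragment (not from a real server).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# HypotheticalSyslogTemplateOld=/var/custom/syslog/disabled.template
WatchlistSyslogTemplateBinary=/var/custom/syslog/watchlist_binary_custom.template
HypotheticalSyslogTemplate = /usr/share/cb/syslog_templates/custom.template
EmptySyslogTemplate=
UnrelatedSetting=/var/cb/data
EOF

echo "Template files to add to the backup by hand:"
uncovered_templates "$SAMPLE_CONF"
```

On a server, call uncovered_templates /etc/cb/cb.conf as root and archive each path it prints alongside the other tar files.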