FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G (Staff)
Article Id 190522

Description

This article describes how to restore the CMDB on a new Supervisor when the administrator has a backup of it.
 
There are 2 scenarios:
  1. Restoring the CMDB to the same FortiSIEM device that it was created from (meaning the IP address of the FortiSIEM Supervisor and Workers are the same).
  2. Restoring the CMDB to a different FortiSIEM device, where the IP address of the FortiSIEM Supervisor and Workers are different from that of where the CMDB backup came from.
The initial steps are the same for both scenarios, but scenario 2 needs some additional steps. The old FortiSIEM device that the CMDB backup came from must be running the same version as the new FortiSIEM device (for example, 3.7.1 to 3.7.1).


Solution
Here is a step by step guide for the 2 scenarios listed above. 

 
1. On FortiSIEM go to /data/archive/cmdb 
 
2. Copy the latest phoenixdb_<timestamp> file to a location (say "/tmp") on FortiSIEM 
 
3. Shut down most FortiSIEM processes by entering the commands below:
 
# service crond stop
# phtools --stop all (note the two dashes in "--stop")
# killall -9 phMonitor
# killall -9 java
# phstatus (make sure all ph* processes are down, including phMonitor)
 
4. Go to /opt/phoenix/deployment
 
5. Run the following command:
 
# db_restore.sh /tmp/phoenixdb_<timestamp>
 
Skip to step 14 if the CMDB backup came from the same FortiSIEM device (meaning it has the same IP address). Otherwise, continue with the following steps.
 
6. Change values in the CMDB as follows:
 
=> su postgres
=> psql -U phoenix -d phoenixdb
=> select * from ph_sys_conf where property='svn_url';
 
7. The svn_url row most likely contains the previous IP address. This needs to be changed.
 
=> update ph_sys_conf set value='https://<New-IP>/repos/cmdb' where property='svn_url';
=> select * from ph_sys_server where id='1';
This will show the OLD FortiSIEM IP address.
 
8. The ip_addr column most likely contains <Old-IP>. This needs to be changed.
 
=> update ph_sys_server set ip_addr='<New-IP>' where id='1';
 
9. If the SIEM has associated Workers, complete steps 10-12; otherwise skip to step 13.
 
10. Find the entries for the Workers. These will show the OLD FortiSIEM Worker IP addresses.
 
=> select * from ph_sys_server;
 
11. Update the old FortiSIEM Worker entries:
 
=> update ph_sys_server set ip_addr='<New-IP>' where id='<id from the select statement in the previous step>';
 
12. Repeat for all Workers.
 
Example of steps 11-12 with one Worker:
 
phoenixdb=> select * from ph_sys_server;
   id    | creation_time | cust_org_id | last_modified_time | owner_id | active | eps |    ip_addr     | mode | collector_id
---------+---------------+-------------+--------------------+----------+--------+-----+----------------+------+--------------
       1 |             0 |           0 |                  0 |        0 | t      |   0 | 192.168.65.170 |    2 |
 1485000 | 1390522301525 |           1 |      1390522301525 |   500151 | t      |   0 | 192.168.65.171 |    1 |
 
To update the Worker IP as in step 11:
 
=> update ph_sys_server set ip_addr='10.1.1.1' where id='1485000';
 
13. Quit psql with \q
 
14. Update the SVN password as follows:
 
To reset the SVN password for the admin user, make sure you have SSH access to the FortiSIEM as the root user (this is a MUST).
 
14.1 - Check the current SVN password
 
cat /opt/phoenix/cache/<ip_of_your_FortiSIEM>/phoenix/rest/config/systemConfig/default.dat | grep -E -o "svn_password.{55}" | sed -n 's/.*value>\(.*\)</\1/p'
 
[eg. cat /opt/phoenix/cache/192.168.67.100/phoenix/rest/config/systemConfig/default.dat | grep -E -o "svn_password.{55}" | sed -n 's/.*value>\(.*\)</\1/p']
 
Results:
 
 K1MroxhTAzyM!
 
 Keep a note of this value.
 
Alternatively the same can be done by performing the following:
 
curl -k -u '1:Prospect@Hi123' 'https://<IP_OF_SERVER>:443/phoenix/rest/config/systemConfig' > /tmp/tmp.xml; grep -A 2 svn_password /tmp/tmp.xml
 
 
14.2 - Back up the passwds file and remove the admin password from it.
 
cp /etc/httpd/accounts/passwds /etc/httpd/accounts/passwds.bak
 
vi /etc/httpd/accounts/passwds
 
There should be a line containing the admin user and an encrypted password [eg. admin:LaHn9RxpcAE/Y]
 
press 'dd' to delete that line
 
press [ESC] , [:] , [w] , [q] , [ENTER] - [eg. :wq]
 
This saves the file, which is now empty, and exits the vi interface.
 
14.3 - Reset the SVN Password
 
htpasswd -cmb /etc/httpd/accounts/passwds admin <your saved password value from step 14.1>
 
[eg. htpasswd -cmb /etc/httpd/accounts/passwds admin K1MroxhTAzyM!]
 
 
 
14.4 - Verify
 
su - admin
 
svn ls file:///svn/repos
 
This is a physical folder location; if the SVN repository has been moved, verify the path before using it. The administrator should now be able to see the cmdb folder [ie. cmdb/].
 
 
15.  Reboot FortiSIEM.
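The following helper is an added example for the procedure above and is not FortiSIEM's own tooling. It picks the newest phoenixdb_<timestamp> backup by the timestamp in its name (step 2) and emits the scenario-2 SQL from steps 6 to 12 as a single transaction, validating every IP address first so the statements can be reviewed before they are fed to psql. It assumes the timestamp in the file name is numeric and that the ph_sys_conf and ph_sys_server columns are as shown above.

```shell
#!/bin/sh
# Added helper for the CMDB restore procedure; not FortiSIEM's own tooling.
# Assumes backups are named phoenixdb_<timestamp> with a numeric timestamp that
# sorts chronologically, and the ph_sys_conf / ph_sys_server columns shown above.

# Newest phoenixdb_<timestamp> file in a directory, chosen by the timestamp in
# the name rather than by mtime (a copied file may carry a fresh mtime).
latest_cmdb_backup() {
  ls "$1" | grep '^phoenixdb_[0-9][0-9]*$' | sort -t_ -k2,2n | tail -n 1
}

# Accept only a dotted-quad IPv4 address with every octet in 0-255, so that a
# typo or a stray quote never reaches the SQL below.
valid_ipv4() {
  echo "$1" | awk -F. 'NF == 4 {
      for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
      exit 0
    }
    { exit 1 }'
}

# Emit the scenario-2 SQL from steps 6 to 12 as one transaction.
# $1 = new Supervisor IP; each further argument = <ph_sys_server id>=<new Worker IP>.
# Review the output, then feed it to: psql -U phoenix -d phoenixdb
rehome_sql() {
  sup=$1; shift
  valid_ipv4 "$sup" || { echo "bad Supervisor IP: $sup" >&2; return 1; }
  echo "begin;"
  echo "update ph_sys_conf set value='https://$sup/repos/cmdb' where property='svn_url';"
  echo "update ph_sys_server set ip_addr='$sup' where id='1';"
  for pair in "$@"; do
    id=${pair%%=*}; ip=${pair#*=}
    case $id in ''|*[!0-9]*) echo "bad Worker id: $id" >&2; return 1;; esac
    valid_ipv4 "$ip" || { echo "bad Worker IP: $ip" >&2; return 1; }
    echo "update ph_sys_server set ip_addr='$ip' where id='$id';"
  done
  echo "commit;"
}
```

For the example table above, `rehome_sql 10.1.1.1 1485000=10.1.1.2 > /tmp/rehome.sql` produces the Supervisor and Worker updates together; run the file with `psql -U phoenix -d phoenixdb -f /tmp/rehome.sql` as the postgres user.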
 