JSA long term log restores

05-19-2020 01:14 PM


We are allowed to keep the logs (events and flows) for 30 days only. But in some cases, the chosen data from 3 months of backups should be restorable.

The idea is as follows:

  • backup of conf and data is done once at night (done)
  • set retention time of logs and flows to 30 days (done)
  • a script moves the files to a remote server, where they are kept for 90 days (done)
    • can be combined with a GPG key pair to avoid unrestricted access

Question 1: For the analysis of past security events, we want to restore older data. In case of restoring a backup (e.g. from 48 days ago), do I have to do an entire time journey (worst case), or are the captured data of the previous 47 days still available (best case)?

Question 2: We have separate collectors, processors, data nodes and consoles. Do we have to restore all data-serving hosts (processors, data nodes, consoles) at the same time?
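The offload step from the list above (encrypt the nightly backup to a GPG key pair, copy it offsite, keep it for 90 days), written out as an added example script; it is not part of the original post or of JSA. It assumes the archives are `*.tgz` files in `BACKUP_DIR`, an rsync-over-ssh target in `REMOTE`, and a recipient key `GPG_RECIPIENT` already imported on the JSA host; all of these values are placeholders.

```shell
#!/bin/sh
# Added example: ship nightly JSA backup archives offsite, encrypted to a
# GPG public key, and enforce a 90-day window on the remote copy.
# Assumptions (placeholders): archives are *.tgz files in BACKUP_DIR, REMOTE
# is an rsync-over-ssh target, and the recipient's public key is imported.
BACKUP_DIR="${BACKUP_DIR:-/store/backup}"
REMOTE="${REMOTE:-backup@offsite.example.net:/srv/jsa-backups}"
GPG_RECIPIENT="${GPG_RECIPIENT:-jsa-backup@example.net}"
REMOTE_DAYS="${REMOTE_DAYS:-90}"

# Encrypt one archive to the offsite public key. The private key stays
# offline, so neither the JSA host nor the remote server can read old
# events/flows out of the archive on its own. Prints the encrypted path.
encrypt_backup() {
    src="$1"
    gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT" \
        --output "$src.gpg" "$src" || return 1
    printf '%s\n' "$src.gpg"
}

# Copy an encrypted archive offsite; rsync skips files already present.
offload_backup() {
    rsync -a --partial "$1" "$REMOTE/"
}

# Delete archives in directory $1 whose mtime is older than $2 days and
# print each removed name. Used locally and (via ssh) on the remote side.
prune_older_than() {
    find "$1" -type f -name '*.tgz*' -mtime +"$2" -print -exec rm -f {} \;
}

# Number of archives left in a directory, for a retention sanity check.
count_archives() {
    find "$1" -type f -name '*.tgz*' | wc -l | tr -d ' '
}

main() {
    for f in "$BACKUP_DIR"/*.tgz; do
        [ -f "$f" ] || continue
        [ -f "$f.gpg" ] && continue          # encrypted and shipped earlier
        enc=$(encrypt_backup "$f") && offload_backup "$enc"
    done
    # Remote prune: the same find expression, run on the offsite host.
    host="${REMOTE%%:*}"; path="${REMOTE#*:}"
    ssh "$host" "find '$path' -type f -name '*.gpg' -mtime +$REMOTE_DAYS -delete"
}

# Run the pipeline only when invoked as: sh offload_jsa_backup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Keep the private half of the key pair off both the JSA host and the remote server; a restore then needs a deliberate decryption step by whoever holds it.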