Adaptive - Guardium Data Management
Typically, no more than one or two months' worth of audit data is stored on an appliance (or
as little as a few days), to save disk space and maintain performance. However, auditors
might require that audit data be kept available for a few years. Guardium® provides a
mechanism to archive audit data in chunks of one day and store them at a remote location.
Configure the archive process during implementation to run daily. Configure archive and
purge as part of your overall data management policy.
If both archive and purge are scheduled, purge runs after archive.
Data that was archived on a collector can be restored either on another collector or an
aggregator server. Data that was archived on an aggregator cannot be restored on a
collector.
The export, archive, and purge functions can work on the same data, but not the same date
ranges. For example, you may want to export and archive all information older than one day
and purge all information older than one month, thereby always leaving one month of data
on the sending unit.
1. Go to Manage > Data Management > Data Archive.
2. To archive, check the Archive checkbox. More fields display in
the Configuration page.
3. For Archive data older than, enter a value and select a unit of time from the menu.
For example, to archive data from yesterday, enter the value 1, and
select Day(s) from the menu.
4. In Ignore data older than, enter the time interval to archive. For example, to archive
one day's data, enter 2. Any value that is specified here must be greater than
the Archive data older than value. If you leave this field blank, you archive data
for all days older than the value specified in Archive data older than. If you archive
daily and purge data older than 30 days, you archive each day of data 30 times
(before it is purged on the 31st day).
5. Check the Archive Values checkbox to include values from SQL strings in the
archived data. If this box is cleared, values are replaced with question mark
characters on the archive (and hence the values are not available following a restore
operation).
6. Select a Protocols option, and enter the appropriate information. Depending on how
your Guardium system is configured, one or more of these buttons might not be
available. For a description of how to configure the archive and backup storage
methods, see Configuring external storage or File Handling CLI Commands.
7. Optional: Use the Scheduling section to define a schedule for running this operation
regularly.
8. Click Test connection. The system attempts to verify the configuration by sending a
test data file to that location. If the operation fails, an error message displays and the
configuration is not saved.
9. Click Save to save the configuration changes. The system attempts to verify the
configuration by sending a test data file to that location. If the operation fails, an
error message is displayed and the configuration is not saved.
10. Optional: Click Run Once Now to run the operation now.
Each day's data is in a separate file. Depending on how your archive and purge operations
are configured, you might have multiple copies of archived data for the same day. For
example, you schedule archive to run more than once per day; you click Run Once Now a
couple of times; or the archive is scheduled to run and you also click Run Once Now.
Unless you are restoring data from the first archive that was created during the month, you
need to restore multiple days of data because of the incremental archive strategy. All
information that is needed for a restore operation is archived automatically, the first time
that data is archived each month. Use one of these two methods to restore data:
Restore the first day of the month and all the following days until the target date.
Restore the target date and then the first day of the following month.
For example, to restore 28 June, either restore 1 June through 28 June, or restore 28 June
and 1 July.
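An added planning sketch (not part of the Guardium documentation or product): it computes both restore sets described above for a target day and picks the smaller one whose daily files all exist in an archive inventory. The function names, the 2023 dates and the inventory are constructed for illustration, and it assumes archive runs daily so that the month's first archive is the one dated the 1st.

```python
from datetime import date, timedelta

def first_of_next_month(d: date) -> date:
    # December rolls over into January of the following year.
    return date(d.year + (d.month == 12), d.month % 12 + 1, 1)

def restore_plans(target: date) -> dict:
    """Both sets of daily archive files that make `target` restorable."""
    month_start = target.replace(day=1)
    if target == month_start:
        # Assumption: the month's first archive is the one dated the 1st;
        # it carries everything needed for a restore on its own.
        return {"month_start_to_target": [target],
                "target_plus_next_month": [target]}
    span = (target - month_start).days
    return {
        "month_start_to_target":
            [month_start + timedelta(days=i) for i in range(span + 1)],
        "target_plus_next_month": [target, first_of_next_month(target)],
    }

def choose_plan(target: date, available: set):
    """Return (plan name, days to restore, missing days per plan)."""
    plans = restore_plans(target)
    missing = {n: sorted(set(d) - available) for n, d in plans.items()}
    usable = [n for n in plans if not missing[n]]
    if not usable:
        return None, [], missing
    best = min(usable, key=lambda n: len(plans[n]))  # fewest files to fetch
    return best, plans[best], missing

if __name__ == "__main__":
    # Constructed inventory: daily archives for June 2023 with 10 June lost,
    # and 1 July already archived.
    june = {date(2023, 6, 1) + timedelta(days=i) for i in range(30)}
    inventory = (june - {date(2023, 6, 10)}) | {date(2023, 7, 1)}
    name, days, missing = choose_plan(date(2023, 6, 28), inventory)
    print(name, [d.isoformat() for d in days])
    print("gaps:", missing)
```

A single missing day in the middle of the month rules out the first method, which is why the inventory check reports the gaps for each plan rather than only the chosen one.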
Restoring archive files from older versions into a newer-version appliance is supported for
both collector and aggregator archive files. Restoring archive files into different or newly
built appliances is supported. However, the “shared secret” used to archive on the original
appliance must be the same as on the target appliance.
Restored audit data can be viewed as the regular audit data by using interactive or audit
process reports.
Procedure
1. Go to Manage > Data Management > Data Restore.
2. Select From and To dates to specify the time range for which you want data.
3. Optional: To filter the search results, enter the Host Name of the Guardium system from
which the archive originated.
4. Click Search. The Data Restore Search Results page opens, showing the records for all
archive files from this Guardium system.
5. Optional: To prevent purging of restored data even though it meets the purge requirements
on the target restore Guardium system: enter the number of days that you want to retain
the restored data on the system in the Don't purge restored data for at least field, and click
Apply.
6. Check the Select checkbox for each archive you want to restore.
7. Click Restore.