Hypothetical Scenario: Critical Manager Failure #1558
-
|
Hypothetical Scenario: In the case of a fatal Manager (the servers MoBo gets fried, the data center hosting it loses power), what would be the process for syncing the forwarders and search nodes to a new manager? Assuming PCAP is being forwarded from the sensors to long term storage, it seems to me biggest challenge would be getting the current search nodes to sync to a new manager server, which might be as simple as having a backup of all the manager and search nodes certs, and convincing the search nodes they are talking to the same manager. Assuming PCAP is not being forwarded, it seems to me we would still have to convince the existing forward nodes that they are talking to the same manager, so that we wouldn't lose pcap resident on the forward nodes. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 1 reply
-
|
Open to ideas from the community! |
Beta Was this translation helpful? Give feedback.
-
|
Documentation still needs to be updated around backups but you could restore from backup on a new server with the same name/IP. You will at least need the following directories: /opt/so/saltstack You will lose any custom Kibana dashboards unless you backed up the ES data as well. |
Beta Was this translation helpful? Give feedback.
-
|
That's way more elegant than the rabbit hole I was going down. Thanks! I will build a backup strategy into our SOPs, and check back on the documentation occasionally. |
Beta Was this translation helpful? Give feedback.
Documentation still needs to be updated around backups but you could restore from backup on a new server with the same name/IP. You will at least need the following directories:
/opt/so/saltstack
/etc/salt
/etc/pki
You will lose any custom Kibana dashboards unless you backed up the ES data as well.