• Support
  • Forums
  • Blogs

Differences Total Event when Restore Backup File

rizky.yuodirizky.yuodi

New Life Form
Hi All,

I am using 2 SIEM, USM and Ossim. i have backed up file event from USM and i restored file backup to OSSIM. but i found the total event is different with original event. For example :
event sshd in original SIEM(USM) total : 80.428 event, but in backup file SIEM (OSSIM) total event :56.919.
logicaly it must be same.

and my question, why it have difference between total in original siem (USM) and total in backup siem (OSSIM) ?

pic . original event
original event

pic. backup event
backup event

Share post:

Answers

  • rizky.yuodi,

    If you are using the event backups created by the system, those are not a backup of all the events n the system, but a backup of the events being rotated off due to expiration. Those would not be expected to be the same count as they are not the same dataset.

    If you are dong a manual backup and restore fo the tables, you will need to first make sure that the alarms associated with events exist as well, as some expired events will be retained if associated with an alarm which has not expired. This could additionally lead to a difference in the event count.


    It is of note that events are actually designed to expire and be removed form the event DB in order to preserve database functionality. The backups are actually designed for reloading a particular days rotation for investigation of previous days events. Compliance retention and long term storage, are managed by Raw Log retention, which is not supported in OSSIM, and would need to be handled by a secondary solution such as an external syslog server.
Sign In or Register to comment.