Server management
This section provides an overview of managing your servers and discusses the following topics:
For more information about server backup and recovery information, see https://dev.mysql.com/doc/refman/8.0/en/backup-and-recovery.html.
Data retention
The server saves data according to your data retention settings. These settings depend on your company standards and also vary depending on whether you are conducting an investigation. Typically, most companies keep data for two to three months at most. You will also want to consider the amount of data being collected by the rules, the amount of data being stored, and the size of the server(s).
The Nuix Adaptive Security server data retention feature drops data from some of the event and summary tables based on the time settings. For example, if you have 60 days of data and you set a 30-day data retention, then the files that are exactly 30 days old are deleted. Files that are 31 to 60 days old are not deleted, and you will need to delete them manually.
The partition data is dropped by date, so it will start dropping partitions that are 30 days old and every day after that. The number of days is configurable.
The more data you store, the more disk space and memory it uses, and the slower the application runs. There is a balance between how long the company needs to keep the data and how much memory and storage it has available.
Monitor the server and if it starts to deteriorate you may want to consider moving to a bigger server or deleting more data.
Back up data
The database is locked during backup. For best results, do a backup from a secondary server, especially if you are running backups daily or weekly. You may want to consider a backup strategy and interval.
If there is a server outage, the agents collect data locally until they run out of space. How quickly the agent space fills up depends on the rules and the amount of data being stored.
Once the server is available, the agents will send data as fast as they can to catch up. This may take some time depending on the amount of data.
Generally, each enterprise should refer to their company’s requirements for how often their systems are backed up.
Back up the server database from MySQL Workbench
You may need to have a secondary database that you use for backups and you may need to ensure that the entire server is backed up at one time.
See the MySQL site for more information on backups, https://dev.mysql.com/doc/refman/8.0/en/backup-and-recovery.html. You may also want to refer to your enterprise backup solution.
Single backup
To perform a single server backup in MySQL Workbench:
Note: Do not use the single server backup procedure as a regular weekly or daily backup on a busy system because the system is locked during the backup process.
In MySQL Workbench on the Administration tab, under Management, click Data Export.
Select all schemas except sys.
Click Advanced Options and check the box for "hex-blob".
Ensure the menu says "Dump structure and data."
Under Objects, check the following boxes:
Dump stored procedures and functions
Dump events
Dump triggers
Select the Export to self-contained file check box.
Select the Create dump in a single transaction check box.
Select the Include Create Schema check box.
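The same export can be scripted on a secondary server with mysqldump. The script below is an added example, not part of the Nuix documentation: it maps each Workbench option above to its mysqldump flag and builds the command from a schema list. The schema list and the `backup` login path are constructed assumptions; in practice feed the list from `mysql -N -e 'SHOW DATABASES'`.

```shell
#!/bin/sh
# Added example: mysqldump equivalent of the Workbench "Data Export" settings.
set -eu

# Constructed sample of SHOW DATABASES output (assumption, not a real server).
SAMPLE_SCHEMAS="information_schema
mysql
performance_schema
sys
nuix_events
nuix_summary"

# "Select all schemas except sys": drop sys, plus the server-internal
# information_schema and performance_schema, which Workbench does not list.
select_schemas() {
  printf '%s\n' "$1" | grep -v -x -e sys -e information_schema -e performance_schema
}

# Build the command. Flag mapping to the Workbench checkboxes:
#   --single-transaction  Create dump in a single transaction
#   --hex-blob            Advanced Options > hex-blob
#   --routines            Dump stored procedures and functions
#   --events              Dump events
#   --triggers            Dump triggers
#   --databases           Include Create Schema (emits CREATE DATABASE)
#   --result-file         Export to self-contained file
# Structure and data are dumped by default (no --no-data / --no-create-info).
# --login-path=backup assumes credentials stored with mysql_config_editor.
build_dump_cmd() {
  out="$1"; shift
  cmd="mysqldump --login-path=backup --single-transaction --hex-blob"
  cmd="$cmd --routines --events --triggers --databases"
  for schema in "$@"; do cmd="$cmd $schema"; done
  printf '%s --result-file=%s\n' "$cmd" "$out"
}

# Only execute the dump when explicitly asked, e.g. ./backup.sh --run /backup/nas.sql
if [ "${1:-}" = "--run" ]; then
  # shellcheck disable=SC2046  # word-splitting the schema list is intended
  eval "$(build_dump_cmd "${2:-nas.sql}" $(select_schemas "$SAMPLE_SCHEMAS"))"
fi
```

Run it on the secondary server so the lock described above does not affect the production database.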
Operating system updates
Refer to your organization’s policy when updating your operating system. Consider keeping your Windows operating systems current with the latest Windows updates.
Back up agent certificates
There are two sets of certificates that the server needs to communicate with the agents: the agent certificate set and the API/Application certificate set.
The agent certificate set allows the agent to communicate with Nuix Adaptive Security. This is important because if these certificates are lost, the agents are orphaned and you will have to redeploy them.
You can find the agent certificates here:
C:\Program Files\Nuix Adaptive Security\Endpoint Server\Data
Save the following files:
ca.key
ca.cert.pem
server.cert.pem
server.key.pem
dhparam4096.pem
Endpoint Server log files (helpful for troubleshooting)
You must copy and paste this folder and store it in a safe place that is backed up regularly.
Back up the configuration file in case it has been customized in any way. This is the config.txt file that is in the same directory as the files above.
The API/Application certificate is used to run the Nuix Adaptive Security API and application. This certificate is less critical; however, you may see pop-up notifications in your web browser if it expires or is not available.
You can find the API/Application certificate here:
C:\ProgramData\Nuix\Endpoint\Data\Certificates
Log files locations
This section describes the server log file locations for Nuix Adaptive Security. There are two main log file locations: the system running the Nuix Adaptive Security Endpoint Server and the system running the Nuix Adaptive Security Application.
To view the latest NUIX EPS, Database Error, and Database Query files:
For a new install, you can find the files here:
C:\Program Files\Nuix\Adaptive Security\Endpoint Server\Data\Logs
If your system was upgraded from a previous version, the files are located here:
C:\Program Files\Nuix Adaptive Security Endpoint Server\Data\Logs
This log location is where the Nuix Adaptive Security Endpoint Server logs the interactions with the endpoints and the database.
To view the MySQL log activities, errors, and slow queries:
C:\ProgramData\MySQL\MySQL Server 5.7\Data
Or
C:\ProgramData\MySQL\MySQL Server 8.0\Data
To view the Internet Information Services (IIS) log events:
C:\inetpub\logs\LogFiles\W3SVC1
To view the Web.config file:
C:\inetpub\Adaptive\Web.config
In the Web.config you can change the maximum number of events that are displayed in some of the grids.
For example, you can increase the number of process events that are viewed at one time in a process grid from 10,000 to 20,000 by changing the value after "ViewLimitProcessEvent" to 20,000.
To view the installer logging:
C:\Programdata\Nuix\AdaptiveSecurity\InstallerLog
To view the application logs on the system where the application is installed:
C:\ProgramData\Nuix\Adaptive Security\Logs
You can also find application log data in the database diagnostic table.
To view the Web API logs:
C:\ProgramData\Nuix\Adaptive Security\Logs\WebApi
You can also view them here:
C:\inetpub\logs\LogFiles
To view the configuration files for the application:
%user%AppData\Local\Temp\Nuix
If the application is not responding as expected, you may delete these files and the application will recreate them when it starts.
Use the Windows Event Viewer to see entries in the event log when a service starts or stops.
To view certificates, audit configuration, and the Consul data store:
c:\programdata\nuix\endpoint\data