9. Application Maintenance¶
9.1. Backup and Recovery¶
It’s important to make sure your Cyber Triage® data is backed up. This section outlines the key concepts for that. The procedures outlined in this section assume that the backed up data will be restored to the same versions of Cyber Triage and, if applicable, PostgreSQL.
9.1.1. Data Directory¶
All versions save a lot of data to the “data directory”, which by default is the AppData\Local\cybertriage
folder for the user that Cyber Triage® is running as. This directory should be backed up.
You can see the specific path in the General tab of the Options panel.
Note that it is possible to change the data directory (as outlined in Changing Where Data is Stored). If you do that, ensure the new directory is also backed up.
The “SessionFiles” folder in the “Data Directory” will contain copies of previously imported hosts. You can exclude these from the backup to save space.
9.1.2. PostgreSQL¶
If you have a Team deployment with PostgreSQL, then refer to its standard procedures for updating (including security patches) and backing up the PostgreSQL databases.
9.2. Reducing Data Directory Size¶
Cyber Triage stores copies of previously imported hosts in the “SessionFiles” folder in the “Data Directory”. These exist to ensure that you can reload data that comes in from over the network in case of corruption or crash.
You can configure Cyber Triage to periodically delete old copies of these files. These settings are available in the General tab in the Options panel.
9.3. Team Security Monitoring¶
The Team Server has network ports that are always listening. You can review the log files for brute force attempts to guess the security tokens.
The ‘rest-api.log’ file will have errors when an incorrect token is used or non-existent host or incident names are used.
For example:
ERROR [11:23:01.522] [xx-85 - POST /api/app-config/validate-credentials] c.b.d.c.c.c.ConfigManagerServerImpl - AUTHENTICATION FAILURE. Reason: invalid user credentials - userId or password does not match.