In some situations, you need a system recovery USB drive to recover a SIEM device. This article provides examples of these situations, and explains how to use a system recovery USB drive to access SIEM devices and mount the file system. Situations that call for a system recovery USB drive include:
- To gain access to the SIEM file system without SSH, SCP, or the ability to log on
- To retrieve ngcp.dfl, Users.blob, and Users.data for a password reset
- To correct a GRUB error
- To run a file system check
Boot to a CD for troubleshooting purposes
- Download and burn SystemRescueCD.
- If you intend to use a USB drive as a boot device to install the SystemRescueCD, follow these instructions.
- Make sure that the System BIOS is configured to boot from the USB CD.
NOTE: You might need to change the boot order in the BIOS. Use the following function keys to access the BIOS or boot menus:
- F2 - Access BIOS menu
- F6 - Access boot menu
- F11 - Alternative boot menu access
- Boot the computer from the CD.
- When prompted, press Enter to continue the boot process.
Mount the USB drive
- Type blkid and press Enter. Look for an entry whose TYPE is FAT, FAT32, or NTFS, and note its /dev/xxx name.
- Type mkdir -p /mnt/usb
NOTE: This example uses the name usb for the mount (/mnt/xxxxx). If you already have a mount called usb, use a different, descriptive name such as /mnt/thumbdrive.
- Type mount /dev/xxx /mnt/usb (where /dev/xxx is what you noted in step 1).
- Type cd /mnt/usb and press Enter.
- Type ls -al and press Enter.
This command lists the files on the USB disk. If it doesn't, you might have mounted the wrong disk.
Mount the Nitro file system
- When you're at the root@sysresccd /root % prompt, type the following commands, and press Enter after each:
NOTE: You're looking for the disk with LABEL="/". For further validation, it can also show TYPE="ext4".
Typically, it's the third partition, so /dev/_d_3, where the letters can vary. The following example uses /dev/sda3.
In systems with RAID, it might show up as an md1 device, for example /dev/md127p3.
- blkid
- mkdir -p /mnt/nitro
- mount /dev/sda3 /mnt/nitro
Copy files
- To upgrade:
- Copy the upgrade file:
- For Receiver, ELM, ADM, and ACE, copy the upgrade file from /mnt/usb to /mnt/nitro/usr/local/NitroGuard.
- For ESM, copy the upgrade file to /mnt/nitro/usr/local/ess/update.
- Restart the system and begin the update:
- You can execute shutdown -h now to shut down the system.
- Remove all USB devices before starting.
- Recover the password:
Copy the ngcp.dfl, Users.blob, and Users.data files from /mnt/nitro/usr/local/ess/data/ to /mnt/usb using the following commands:
cd /mnt/nitro/usr/local/ess/data
cp ngcp.dfl /mnt/usb
cp Users.blob /mnt/usb
cp Users.data /mnt/usb
- Examine the file system:
- Don't mount the file system that you want to examine. If you've mounted it, unmount it using umount /dev/sdxxx.
- Type blkid and press Enter.
NOTE: You're looking for the disk with LABEL matching the filesystem that you have issues with. Typically it's /, but if in doubt, Technical Support can help you identify which filesystem needs repair.
- Type fsck /dev/sdxxx and press Enter.
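The two NOTEs about reading blkid output (finding the partition with LABEL="/" and TYPE="ext4", including the RAID case) and the rule that a file system must be unmounted before fsck can be scripted as follows. This is an added example, not vendor code; the function names find_by_label, is_mounted, and sample_blkid are hypothetical, and the sample blkid lines are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# find_by_label LABEL [FSTYPE]: read blkid output on stdin and print the one
# device whose LABEL (and optionally TYPE) matches.
# Returns 1 if nothing matches, 2 if more than one device matches.
find_by_label() {
    want_label=$1
    want_type=${2:-}
    matches=$(awk -v l="$want_label" -v t="$want_type" '
        {
            dev = $1; sub(/:$/, "", dev)
            # Leading space stops PARTLABEL= and SEC_TYPE= from matching.
            if (index($0, " LABEL=\"" l "\"") == 0) next
            if (t != "" && index($0, " TYPE=\"" t "\"") == 0) next
            print dev
        }')
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    case $count in
        1) printf '%s\n' "$matches" ;;
        0) echo "no device with LABEL=\"$want_label\"" >&2; return 1 ;;
        *) echo "$count devices match; choose one manually" >&2; return 2 ;;
    esac
}

# is_mounted DEVICE: read /proc/mounts-format lines on stdin; succeed if
# DEVICE is mounted. Run fsck only when this check fails.
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }'
}

# Constructed sample of blkid output (UUIDs are placeholders).
sample_blkid() {
    cat <<'EOF'
/dev/sda1: LABEL="/boot" UUID="0000-aaaa" TYPE="ext4"
/dev/sda2: UUID="0000-bbbb" TYPE="swap"
/dev/sda3: LABEL="/" UUID="0000-cccc" TYPE="ext4"
/dev/sdb1: LABEL="RESCUE" UUID="0000-DDDD" TYPE="vfat"
EOF
}

# On the rescue system: dev=$(blkid | find_by_label / ext4)
#                       is_mounted "$dev" < /proc/mounts || fsck "$dev"
sample_blkid | find_by_label / ext4
```

The function refuses to pick a device when two partitions carry the same label, which can happen when a second system disk is attached; in that case choose the device manually from the blkid output.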