Restoring a backup archive

You can restore a backup archive. Restoring a backup archive is useful if you have a system hardware failure or you want to restore a backup archive on a replacement appliance.

About this task

You can restart the Console only after the restore process is complete.

The restore process can take up to several hours; the process time depends on the size of the backup archive that must be restored. When complete, a confirmation message is displayed.

A window provides the status of the restore process. This window provides any errors for each host and instructions for resolving the errors.

The following parameters are available in the Restore a Backup window:

Table 1. Restore a Backup parameters

| Parameter | Description |
| --- | --- |
| Name | The name of the backup archive. |
| Description | The description, if any, of the backup archive. |
| Type | The type of backup. Only configuration backups can be restored; therefore, this parameter displays config. |
| Select All Configuration Items | When selected, this option indicates that all configuration items are included in the restoration of the backup archive. |
| Restore Configuration | Lists the configuration items to include in the restoration of the backup archive. To remove items, you can clear the check boxes for each item you want to remove or clear the Select All Configuration Items check box. |
| Select All Data Items | When selected, this option indicates that all data items are included in the restoration of the backup archive. |
| Restore Data | Lists the configuration items to include in the restoration of the backup archive. All items are cleared by default. To restore data items, you can select the check boxes for each item you want to restore. |

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Backup and Recovery.
  3. Select the archive that you want to restore.
  4. Click Restore.
  5. On the Restore a Backup window, configure the parameters.

    Select the Custom Rules Configuration check box to restore the rules and reference data that is used by apps. Select the Users Configuration check box to restore authorized tokens that are used by apps.

    The following table lists the restore configurations and what is included in each:
    Note: The content included in each configuration is not limited to the content that is listed.
    Restore Configuration: Content Included

    Custom Rules Configuration
    • Rules
    • Reference Sets
    • Reference Data
    • Saved Searches
    • Forwarding Destinations
    • Routing Rules
    • Custom Properties
    • Historical Searches
    • Historical Rules
    • Retention Bucket Configuration

    Deployment Configuration
    • All content

    If you select this option, it is recommended that you select all other configuration options.

    Users Configuration
    • Users
    • User Roles
    • Security Profiles
    • Authorized Services
    • Dashboards
    • User Settings
    • User Quick Searches

    License
    • License keys
    • License Pool Allocations
    • License history

    Report Templates
    • Report templates

    This does not include generated report content.

    System Settings
    • System Settings
    • Asset Profiler Configuration

    QVM Scan profiles and results
    • QVM Scan profiles and results

    Important: The IBM® QRadar® Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).

    Installed Applications Configuration
    • App configurations

    This does not include app data.

    Apps depending on authorized services might not work as expected if Users Configuration is not selected.

    When Installed Applications Configuration is selected, the Deployment Configuration group is auto-selected.

    Assets
    • Asset model

    When Assets is selected, the Deployment Configuration group is auto-selected.

    Offenses
    • Offense data
    • Offense associations (for example, QID links, rule links, or asset links)
    • Offense searches

    When Offenses is selected, the Deployment Configuration group is auto-selected.

    Important:

    The following applies when you restore to another system and only some options are restored, such that rules are restored but related offenses are not (for example, when you restore deployment configuration without offenses).

    When you restore to a new or rebuilt system, and you had rules that created offenses indexed on custom properties of the system that the backup was created on, restore the offenses so that the offense types (offense indexed fields) are restored correctly.

    If you do not restore the offenses, you must edit any rules that create offenses indexed on custom properties and re-link them to the correct property.

    The following default normalized fields are not affected:

    • Source IP
    • Destination IP
    • QID
    • Username
    • Source MAC
    • Destination MAC
    • Device
    • Hostname
    • Source port
    • Destination port
    • Source IPV6
    • Destination IPV6
    • Source ASN
    • Destination ASN
    • Rule
    • Application ID
    • Source identity
    • Destination identity
    • Search result
  6. Click Restore.
  7. Click OK.
  8. Click OK.
  9. Choose one of the following options:
    • If the user interface was closed during the restore process, open a web browser and log in to IBM QRadar.
    • If the user interface was not closed, the login window is displayed. Log in to QRadar.
  10. Follow the instructions on the status window.

What to do next

After you verify that your data is restored to your system, ensure that your DSMs, vulnerability assessment (VA) scanners, and log source protocols are also restored.

If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA cluster configuration after the restore is complete. If disk replication is enabled, the secondary host immediately synchronizes data after the system is restored. If the secondary host was removed from the deployment after a backup, the secondary host displays a failed status on the System and License Management window.