QRadar Console-only DR by using Data Synchronization app

In a large distributed deployment, the collectors, processor, and consoles are distributed geographically. If one of the data centers is not functional, the other data centers that operate normally can be used. In such a scenario, the failover operation is not needed for the entire environment. However, if you want to perform the failover operation only for console, you can use the QRadar Console-only DR feature. This feature restores the managed host to the destination site.

Console-only DR implementation is useful for customers in the following scenarios.
  • An actual disaster recovery where the console is not available but the other deployment hosts are still running.
  • A disaster recovery exercise where the main site is still available during the disaster recovery process.

Prerequisite

Complete the following prerequisites before you begin with Console-only DR procedure:
  1. Ensure that both IBM® QRadar consoles (main and destination console) are installed with the same software version, which is UP11 or later. Data Synchronization App version must be 3.2.1 or later.
  2. The destination site must have only a console.
  3. You must have network access between managed host to main and the DR site before the failover or failback operation. If any managed host is not reachable to DR sites, it is shown as an unknown host.
  4. Ensure that you logged in using the 'admin' username to perform failover and failback operations.
  5. Ensure that backups are generated and transferred on both sites before and after failover and failback operation.
  6. Only root user can run the SSH activities for the failover and failback operations.
  7. If you want to restore app volume data on the destination site, you must generate an app volume backup before failover operation.
    1. Ensure that the app volume backup timer and jobs are turned on (systemctl status app_sync.timer and systemctl status app_sync.service) for auto transfer to work as required. This feature is only available to the main site console.
    2. When apps are installed on the console, your app volume backup gets an auto transfer to the destination site.
    3. When apps are installed on the AppHost, move all installed apps to the main site console before you run the failover and failback operations.
    4. The following procedure is an example of generating an app volume backup.
      1. See Backing up and restoring app data to back up an app volume data.
      2. Transfer the app volume backup from the main site console to the destination site console by running the following command on the main site console.
        systemctl start app_sync
      3. Verify the transfer on the destination site console directory (/store/app_sync/backups). If the transfer is unsuccessful or with issues, copy the app volume backup from the main site console (/store/apps/backup) directory to the destination site console (/store/app_sync/backups) directory.
  8. If HA configuration exists in the environment, remove HA Configuration from Main Site and DR site before failover and failback operations. You can add HA after you complete the failover and failback operations.
  9. Before you perform a failback operation, ensure that no managed hosts are on the main site. If any managed hosts are on the main site, you must remove them from the main site, take a fresh backup and then perform the failback operation.

Procedure

To enable the Console-only DR feature, set up the console for the remote destination site. For deployments with managed hosts where console DR resiliency is needed, switch deployment from the main site to a destination site. You can use Data Synchronization app to resolve issues for deployment that have multiple sites. The original site serves as the main site for these operations, while the disaster recovery site serves as the destination site. You can switch the deployment control back to the main site from the destination site and reactivate the main site.

To implement the Console-only DR feature, use the following procedure.