Backup and restore
To recover from any data loss that might occur, regularly back up the data in your IBM Security QRadar® Suite Software and integrated databases. You can use the backup and restore process to support a disaster recovery that requires a redeployment of your environment.
About this task
Component | Flag | Location | Naming convention |
---|---|---|---|
CouchDB | couch | /opt/data/backup/couchdb | |
Postgres | pg | /opt/data/backup/pg | |
Entitlements | entitlements | /opt/data/backup/entitlements | |
QRadar Suite Software configuration (new in 1.10.12) | cp4sconfigurations | /opt/data/backup/cp4sconfigurations | cp4sconfigurations_YYYY_MM_DD_HH_MM_SS.tz |
Install Red Hat OpenShift CLI 4.14 or later
The Red Hat® OpenShift® CLI client helps you develop, build, deploy, and run your applications on any Red Hat OpenShift or Kubernetes cluster. It also includes the administrative commands for managing a cluster under the adm subcommand.
Procedure
Backing up QRadar Suite Software
To back up your databases for IBM Security QRadar Suite Software, you must run the backup scripts from within the Backup and Restore pod.
Before you begin
You need cluster administrator level privileges to complete the backup and restore process.
New in 1.10.12 You need to supply an AES-128 GCM key, an AES-192 GCM key, or an AES-256 GCM key to encrypt your backups.
In 1.10.11 and earlier, you need to supply a password to encrypt your backups.
To install QRadar Suite Software, you configure a suitable storage class in the cluster. You support the configuration with one or more persistent volumes of suitable size. For more information about storage, see Persistent storage requirements.
You provide secure storage for the backups that is mounted as a Persistent Volume Claim (PVC) in a pod. The backup and restore process uses a Backup and Restore pod, which contains all the necessary utilities that are required for the backup and restore process. The Backup and Restore pod is deployed automatically as part of the installation or upgrade of QRadar Suite Software.
For the backup data, you can opt to provision your own storage instead of using the default specified for installation. For more information, see Creating the backup and restore PVC.
About this task
The backup and restore process for QRadar Suite Software covers the main data stores within the system. The following table summarizes the main data stores for persistent storage.
New in 1.10.24 IBM® Security Case Management and Orchestration & Automation backup is now included as part of the PostgreSQL backup.
Application | Persistent storage |
---|---|
Platform Services (Profile, Entitlements, Connected Assets and Risk, IBM Threat Hunting Language, Threat Intelligence Service, Dashboards, Universal Data Insights) | CouchDB, PostgreSQL |
IBM Security Data Explorer | CouchDB |
IBM Security Case Management and Orchestration & Automation | PostgreSQL |
IBM Security Risk Manager | CouchDB, PostgreSQL |
IBM Security Threat Investigator | PostgreSQL |
IBM Security Threat Intelligence Insights | CouchDB |
IBM Detection and Response Center | PostgreSQL |
The secrets that are associated with the databases are backed up as part of the backup process.
The following conditions apply to the backup and restore process.
- LDAP configuration
- The LDAP configuration is managed through IBM Cloud Pak® foundational services and is not part of the QRadar Suite Software backup and restore process. If the LDAP configuration is lost, you must re-create it before you start the QRadar Suite Software restore process. For more information, see Configuring LDAP authentication.
- Data Explorer queries
- Data Explorer query results, including the results of queries that are saved in case artifacts, are not retained through the backup and restore process. After a backup and restore process is complete, if you try to open a preexisting query in Data Explorer from the case that was created in relation to it, an error is displayed.
When the backups are run, the data is stored on the PVC. Backup data is restored from the PVC that is mounted in the Backup and Restore pod. After the restore script is completed, the data is restored and the QRadar Suite Software system returns to the state at the time of the backup. Following a complete uninstallation of QRadar Suite Software, if previous backups are no longer required, the backup and restore components can be removed.
To run the backup script, you must provide an encryption password that must later be supplied to restore data from the backup.
Procedure
Scheduling QRadar Suite Software backup
IBM Security QRadar Suite Software provides a support action to schedule QRadar Suite Software backup.
Before you begin
To access the schedule_cp4s_full_backup action, you must install the command-line interface (CLI) utility cpctl from the cp-serviceability pod. For more information, see Installing the cpctl utility to access support actions.
About this task
The schedule_cp4s_full_backup action runs a Red Hat OpenShift Container Platform cron job that creates a backup regularly, according to your schedule.
Parameter | Default | Required | Description |
---|---|---|---|
--password | none | No | In 1.10.12 and later, an AES-128 GCM key, an AES-192 GCM key, or an AES-256 GCM key that is used to encrypt the backup files. This key is required during the restore process. In 1.10.11 and earlier, a user-defined password that is used to encrypt the backup files. This password is required during the restore process. This password cannot be recovered if it is lost. When you use --password, --generate or --secret is not required. |
--generate | aes-256-gcm | No | Generate an AES-128 GCM key, an AES-192 GCM key, or an AES-256 GCM key that is used to encrypt the backup files. This key is required during the restore process. The generated key is stored in the cp4s-backup-cron-secret secret. When you use --generate, --password or --secret is not required. |
--token | none | Yes | A token that the administrator generates by running oc whoami -t on the local system. |
--schedule | ("0 0 * * */6") | No | The cron job schedule that is used to set the schedule for the backup. |
--airgap | none | No | The local registry URL that was used to deploy IBM Security QRadar Suite Software. |
--disable | false | No | To disable (false) or enable (true) the scheduled backup. |
--keepfiles | 7 | No | To configure the maintenance process of the backup files. When the number of backup files that are maintained is greater than the value of this parameter, the oldest backup files are deleted. |
--secret | none | If !password | The secret name that is used to retrieve the AES key to encrypt the backup. When you use --secret, --password or --generate is not required. |
To set up a backup schedule, disable a scheduled backup, or configure the number of backup files that are maintained, see the following procedures.
Procedure
Restoring QRadar Suite Software
When the restore process is completed, data is restored and the system returns to the state at the time of the backup. The corresponding databases are restored in the appropriate persistent volume of the IBM Security QRadar Suite Software instance.
Before you begin
Procedure
Results
After the restore is complete, allow up to 15 minutes for the pods to complete the restart operation. If the first attempt at restoring the system is not successful for any reason, the full restore procedure can be run again without any impact.
What to do next
- If users can't log in after you restore QRadar Suite Software from a backup, resynchronize LDAP directories. For more information, see Account, user, and entitlements troubleshooting.
- If you see a message after you restore indicating that the Threat Investigator automatic investigation user is no longer valid, see Automatic investigation user no longer valid.
- If you are using Threat Investigator Advanced, or any Threat Intelligence Insights external data sources, reconfigure them. For more information, see Enabling Threat Investigator and Configuring Threat Intelligence Insights external data sources.
Removing the backup and restore PVC
Following a complete uninstallation of IBM Security QRadar Suite Software, if previous backups are no longer required, the backup and restore components can be removed from the cluster by running the following command.
Before you begin
About this task
The command covers both deployment options for the Persistent Volume Claim (PVC) deployment, whether the PVC was deployed manually or automatically during installation.
Procedure
Configuring the number of backup files to keep
You can configure the number of backup files to keep on the cluster. When a backup is completed, any excess files over the configured number of files to keep are deleted.
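The two rules a practitioner has to get right before scheduling backups are the key-length requirement from the Before you begin section (a 16-, 24- or 32-byte key for AES-128, AES-192 or AES-256 GCM in 1.10.12 and later) and the --keepfiles retention rule from the parameter table above. The following Python is an added illustration of both, not code from the product or from this page; it assumes the cp4sconfigurations_YYYY_MM_DD_HH_MM_SS.tz naming convention applies with other component prefixes, and the directory listing it works on is constructed.

```python
import re
import secrets
from datetime import datetime
from typing import Iterable, List, Optional

# Key sizes accepted for --password / --generate in 1.10.12 and later.
AES_GCM_VARIANTS = {16: "aes-128-gcm", 24: "aes-192-gcm", 32: "aes-256-gcm"}

# Page's naming convention (cp4sconfigurations_YYYY_MM_DD_HH_MM_SS.tz); the prefix is assumed to vary.
BACKUP_NAME_RE = re.compile(
    r"^(?P<component>[A-Za-z0-9]+)_(?P<ts>\d{4}(?:_\d{2}){5})\.tz$")

def aes_gcm_variant(key: bytes) -> str:
    """Return the AES-GCM variant a raw key fits; reject any other length
    up front rather than discovering the problem at restore time."""
    if len(key) not in AES_GCM_VARIANTS:
        raise ValueError(f"key is {len(key)} bytes; expected 16, 24 or 32")
    return AES_GCM_VARIANTS[len(key)]

def generate_key(variant: str = "aes-256-gcm") -> bytes:
    """Random key for the named variant (default matches --generate)."""
    size = {v: k for k, v in AES_GCM_VARIANTS.items()}[variant]
    return secrets.token_bytes(size)

def backup_timestamp(name: str) -> Optional[datetime]:
    """Timestamp parsed from a backup file name; None for other files."""
    m = BACKUP_NAME_RE.match(name)
    return datetime.strptime(m.group("ts"), "%Y_%m_%d_%H_%M_%S") if m else None

def backups_to_delete(names: Iterable[str], keepfiles: int = 7) -> List[str]:
    """--keepfiles rule: when more than keepfiles backups are present, the
    oldest are deleted. Names outside the convention are never selected, so
    retention cannot remove unrelated files from the PVC."""
    if keepfiles < 0:
        raise ValueError("keepfiles must be >= 0")
    dated = sorted((ts, n) for n in names if (ts := backup_timestamp(n)))
    excess = len(dated) - keepfiles
    return [n for _, n in dated[:excess]] if excess > 0 else []

# Constructed sample listing of the backup PVC (not real product output).
SAMPLE_LISTING = [
    "cp4sconfigurations_2024_03_03_00_00_00.tz",
    "cp4sconfigurations_2024_03_01_00_00_00.tz",
    "notes.txt",
    "cp4sconfigurations_2024_03_02_00_00_00.tz",
]

if __name__ == "__main__":
    print(aes_gcm_variant(generate_key()))              # aes-256-gcm
    print(backups_to_delete(SAMPLE_LISTING, keepfiles=2))
```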