Backup and recovery

You can back up and recover IBM® QRadar® configuration information and data.

You can use the backup and recovery feature to back up your event and flow data; however, you must restore event and flow data manually. For more information, see Restoring data.

Each managed host in your deployment, including the QRadar Console, creates and stores all backup files in the /store/backup/ directory. Your system might include a /store/backup mount from an external SAN or NAS service. External services provide long term, offline retention of data, which is commonly required for compliancy regulations, such as PCI.

By default, at midnight QRadar creates a daily backup archive of your configuration information. The backup archive includes configuration information, data, or both from the previous day. The size of your backup will depend on the amount of event data from that day.

You can use two types of backups: configuration backups and data backups.

Important: Individual QRadar managed hosts do not have their own nightly configuration backup files. The QRadar Console's configuration backup is a single file that contains a full database backup of all configuration parameters for all hosts in the deployment. All configuration backups are stored on the QRadar Console by default.

Configuration backups include the following components:

Application configuration
Assets
Custom logos
Custom rules
Device Support Modules (DSMs)
Event categories
Flow sources
Flow and event searches
Groups
Index management information
License key information
Log sources
Offenses
Reference set elements
Store and Forward schedules
User and user roles information
Vulnerability data (if IBM QRadar Vulnerability Manager is installed)

Data backups include the following information:

Audit log information
Event data
Flow data
Report data
Indexes

The data backup does not include application data. To configure and manage backups for application data, see Backing up and restoring app data.