Backing up and restoring app data

Use the app-volume-backup.py script to back up and recover app data.

About this task

A configuration backup that you run from the Backup and Recovery window does not back up your apps' data. The /opt/qradar/bin/app-volume-backup.py script runs nightly at 2:30 AM, and backs up each installed application's /store mounted volume. By default, data is retained for 7 days.

Use the script to do the following tasks:

  • Back up data manually for installed apps.
  • List all installed app data backups on the system.
  • Restore data for installed apps.
  • Run the retention process and set the retention period for backups.

This script is on both the QRadar® Console and the App Host if one is installed. The script backs up app data only if apps are on the current host.

Procedure

  1. Use SSH to log in to your Console or your App Host as the root user.
  2. Go to the /opt/qradar/bin/ directory.
    • Use the following command to back up app data:

      ./app-volume-backup.py backup

      The app-volume-backup.py script runs nightly at 2:30 AM local time to back up all installed apps. Backup archives are stored in the /store/apps/backup folder. You can change the backup archives location by editing the APP_VOLUME_BACKUP_DIR variable in /store/configservices/staging/globalconfig/nva.conf. You must deploy changes after you edit this variable.

    • To view all data backups for installed apps, enter the following command:

      ./app-volume-backup.py ls

      This command outputs all backup archives that are stored in the backup archives folder.

    • To restore a backup archive, enter the following command:

      ./app-volume-backup.py restore -i <backup_name>

      Use the ls command to find the name of a backup archive.

    • By default, all backup archives are retained for one week. The retention process runs nightly at 2:30 AM local time with the backup.
      • To perform retention manually, and use the default retention period, enter the following command:

        ./app-volume-backup.py retention

      • You can also set the retention period manually by adding -t (time - defaults to 1) and -p (period - defaults to 0) switches.

        The -p switch accepts three values: 0 for a week, 1 for a day, and 2 for an hour.

        For example, to set the retention period for backups to 3 weeks, enter the following command:

        ./app-volume-backup.py retention -t 3 -p 0

    • If you want to change the retention time that is used by the nightly timer, add flags to the retention command found in the following systemd service file.

      /usr/lib/systemd/system/app-data-backup.service

      For example, to change the retention period that is used by the nightly retention process to 5 days, locate the following line:

      ExecStart=/opt/qradar/bin/app-volume-backup.py retention

      Replace it with:

      ExecStart=/opt/qradar/bin/app-volume-backup.py retention -t 5 -p 1

      Save your changes, and run the systemctl daemon-reload command for systemd to apply the changes.

  3. Use the following command to restart each app container:

    docker restart <container_id>

    If you don't know the container ID, use the following commands to find it:

    psql -U qradar -c 'select id, name from installed_application'

    The command returns the app ID. Insert the app ID into the following command to find the container ID:

    docker ps -a --format "{{.ID}},{{.Image}}" | grep 'qapp/<app_id>:' | cut -d , -f1
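
The following script is an added example, not part of the original page or of IBM's script. It converts the -t and -p switches described in step 2 into hours and reads them from an ExecStart line, so that you can confirm how long the nightly retention keeps backups after you edit the service file. The function names and the sample unit file content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code). Flag semantics are taken from the page:
# -t defaults to 1, -p defaults to 0; -p 0 = week, 1 = day, 2 = hour.

# retention_hours "<command line>" -> prints the retention window in hours.
retention_hours() {
    t=1; p=0
    set -- $1        # word-split the command line into positional parameters
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|-p)
                [ $# -ge 2 ] || return 2          # flag given without a value
                if [ "$1" = "-t" ]; then t=$2; else p=$2; fi
                shift ;;
        esac
        shift
    done
    # -t must be a plain decimal whole number (no sign, no leading zero)
    case "$t" in ''|*[!0-9]*|0?*) return 2 ;; esac
    case "$p" in
        0) mult=168 ;;   # weeks
        1) mult=24 ;;    # days
        2) mult=1 ;;     # hours
        *) return 2 ;;   # the page lists only 0, 1 and 2
    esac
    echo $((t * mult))
}

# unit_retention_hours <unit file> -> retention implied by its ExecStart line.
unit_retention_hours() {
    line=$(grep -E '^ExecStart=.*app-volume-backup\.py[[:space:]]+retention' "$1" | head -n 1)
    [ -n "$line" ] || return 1                    # no retention command found
    retention_hours "${line#ExecStart=}"
}

# Constructed sample: only the ExecStart line comes from the page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Service]
ExecStart=/opt/qradar/bin/app-volume-backup.py retention -t 5 -p 1
EOF
echo "nightly retention: $(unit_retention_hours "$sample") hours"
rm -f "$sample"
```

On a Console or App Host, pass /usr/lib/systemd/system/app-data-backup.service to unit_retention_hours instead of the sample file.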