Restore QRadar configurations and data

Restoring a backup archive is useful if you want to restore previously archived configuration files, offense data, and asset data on your IBM® QRadar® system.

Before you restore a backup archive, note the following considerations:

  • You can restore only a backup archive that is created within the same release of software and its software update level. For example, if you are running QRadar 7.4.3 p1, make sure that the backup archive is created on the QRadar 7.4.3 p1 Console.
  • The restore process restores only your configuration information, offense data, and asset data. For more information, see Restoring data.
  • If the backup archive originated on a NATed Console system, you can restore only that back up archive on a NATed system.
  • You cannot complete a configuration restore on a console in which the IP address matches the IP address of a managed host in the backup.
Restriction: Your restore might fail if you are taking a configuration from another deployment and run the qchange_netsetup utility to change the private IP address of the console. The qchange_netsetup utility modifies the deployed configuration, but not the backup one. When you perform a restore, the backup configuration is read, and the restore might convert components with the wrong IP address.
If possible, before you restore a configuration backup, run an on-demand backup to preserve the current environment. The following description is a high-level view of the configuration restore process:
  • Tomcat is shut down
  • All system processes are shut down.
  • All files are extracted from the backup archive and restored to disk.
  • Database tables are restored.
  • All system processes are restored.
  • Tomcat is restarted.
  • If you are restoring WinCollect data, you must install the WinCollect SFS that matches the version of WinCollect in your backup before you restore the configuration. For more information, see WinCollect files are not restored during a configuration restore
  • When you do a cross deployment restore or when you restore after a factory reinstall, the managed host that is attached to the original console is automatically pointed to the newly restored deployment. However, any changes before the restore regarding deployment (add or remove managed hosts), causes the restore process to fail.

For more information about how to back up or restore an archive, see the following topics.