Restoring data

You can use a restore script to restore data from a QRadar® Risk Manager backup.

Before you begin

The QRadar Risk Manager appliance and the backup archive must be the same version of QRadar Risk Manager. If the script detects a version difference between the archive and the QRadar Risk Manager managed host, an error is displayed.

About this task

Use the restore script to specify the archive that you are restoring to QRadar Risk Manager. This process requires you to stop services on QRadar Risk Manager. Stopping services logs off all QRadar Risk Manager users and stops multiple processes.

The following table describes the parameters that you can use to restore a backup archive.

Table 1. Parameters used to restore a backup archive to QRadar Risk Manager
Option Description
-f Overwrites any existing QRadar Risk Manager data on your system with the data in the restore file. Selecting this parameter allows the script to overwrite any existing device configurations in Configuration Source Management with the device configurations from the backup file.
-w Do not delete directories before you restore QRadar Risk Manager data.
-h The help for the restore script.


  1. Using SSH, log in your IBM® QRadar SIEM Console as the root user.
  2. Using SSH from the QRadar SIEM Console, log in to QRadar Risk Manager as the root user.
  3. Stop hostcontext by typing systemctl stop hostcontext.
  4. Type the following command to restore a backup archive to QRadar Risk Manager:

    /opt/qradar/bin/ -r /store/qrm_backups/<backup>.

    Where <backup> is the QRadar Risk Manager

    archive that you want to restore.

    For example, backup-2012-09-11-10-14-39.tgz.

  5. Start hostcontext by typing systemctl start hostcontext.