Backup and recovery
You can back up and recover IBM® QRadar® configuration information and data.
You can use the backup and recovery feature to back up your event and flow data; however, you must restore event and flow data manually. For more information, see Restoring data.
Each managed host in your deployment, including the QRadar Console, creates and stores all backup files in the /store/backup/ directory. Your system might include a /store/backup mount from an external SAN or NAS service. External services provide long-term, offline retention of data, which is commonly required for compliance regulations, such as PCI.
By default, at midnight QRadar creates a daily backup archive of your configuration information. The backup archive includes configuration information, data, or both from the previous day. The size of your backup will depend on the amount of event data from that day.
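A monitoring check for the behavior described above, as an added example that is not part of the IBM documentation: it reports which filesystem holds the backup directory and whether the newest file in it is recent enough to be the latest nightly archive. The function names and the 26-hour threshold (24 hours plus slack for the backup run) are assumptions of this example, and it makes no assumption about archive file names.

```shell
#!/bin/sh
# Added example: backup freshness check for one managed host.
# Assumptions: function names and the 26-hour default are choices made here.

# Print the most recently modified regular file directly under $1 (empty if none).
newest_backup() {
    newest=""
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest="$f"; fi
    done
    printf '%s\n' "$newest"
}

# Print the mount point that holds $1, to show whether backups sit on
# local disk or on a separate (for example SAN or NAS) mount.
backup_mount() {
    df -P "$1" 2>/dev/null | awk 'NR==2 {print $6}'
}

# Return 0 if the newest file in $1 is younger than $2 hours,
# 1 if it is older (stale), 2 if the directory holds no files at all.
backup_is_fresh() {
    latest=$(newest_backup "$1")
    [ -n "$latest" ] || return 2
    [ -n "$(find "$latest" -mmin "-$(( $2 * 60 ))" 2>/dev/null)" ] || return 1
    return 0
}

# Report for a directory; arguments: [backup dir] [max age in hours].
check_backups() {
    dir="${1:-/store/backup}"
    max="${2:-26}"
    echo "backup directory $dir is on mount: $(backup_mount "$dir")"
    rc=0
    backup_is_fresh "$dir" "$max" || rc=$?
    case $rc in
        0) echo "OK: newest backup file is $(newest_backup "$dir")" ;;
        1) echo "STALE: newest backup file is older than ${max}h" ;;
        *) echo "MISSING: no backup files found in $dir" ;;
    esac
    return "$rc"
}

# Run the report only when arguments are given, e.g.: sh check.sh /store/backup 26
if [ "$#" -gt 0 ]; then check_backups "$@"; fi
```

Run it on each managed host, because every host keeps its own backup files; a non-zero exit status can feed whatever alerting you already use.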
You can use two types of backups: configuration backups and data backups.
Configuration backups include the following components:
- Application configuration
- Assets
- Custom logos
- Custom rules
- Device Support Modules (DSMs)
- Event categories
- Flow sources
- Flow and event searches
- Groups
- Index management information
- License key information
- Log sources
- Offenses
- Reference set elements
- Store and Forward schedules
- User and user roles information
- Vulnerability data (if IBM QRadar Vulnerability Manager is installed)

Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).

Data backups include the following information:
- Audit log information
- Event data
- Flow data
- Report data
- Indexes
The data backup does not include application data. To configure and manage backups for application data, see Backing up and restoring app data.