Backing up and restoring app data

Use the app-volume-backup.py script to back up and recover app data.

1. Use SSH to log in to your Console or your App Host as the root user.
2. Go to the /opt/qradar/bin/ directory.
   • Use the following command to back up app data:

     ./app-volume-backup.py backup

     The app-volume-backup.py script runs nightly at 2:30 AM local time to back up all installed apps. Backup archives are stored in the /store/apps/backup folder. You can change the backup archives location by editing the APP_VOLUME_BACKUP_DIR variable in /store/configservices/staging/globalconfig/nva.conf. You must deploy changes after you edit this variable.

   • To view all data backups for installed apps, enter the following command:

     ./app-volume-backup.py ls

     This command outputs all backup archives that are stored in the backup archives folder.

   • To restore a backup archive, enter the following command:

     ./app-volume-backup.py restore -i <backup_name>

     Use the ls command to find the name of a backup archive.

   • New in 7.5.0To restore data for a specific application instance, rather than restoring all instances, enter the following command:

     ./app-volume-backup.py restore-interactive -i <backup name>

     Note: This function was added in QRadar 7.5.0 Update Package 1, and works only with backups that were created after updating to 7.5.0 Update Package 1.
   • New in 7.5.0 Update Package 6To backup data for an individual application instance, enter the following command:

     /opt/qradar/bin/app-volume-backup.py backup -u <app definition uuid>

     In a multitenant deployment, you must specify the security profile associated with the application instance that you want to backup. For example, /opt/qradar/bin/app-volume-backup.py backup -u <app definition uuid> -s <security profile id>

   • New in 7.5.0 Update Package 6To restore data for an individual application instance, enter the following command:

     /opt/qradar/bin/app-volume-backup.py restore -i <backup tarball> -n -u <app definition uuid>

     In a multitenant deployment, you must specify the security profile associated with the application instance that you want to restore. For example, /opt/qradar/bin/app-volume-backup.py restore -i <backup tarball> -n -u <app definition uuid> -s <security profile id>

   • By default, all backup archives are retained for one week. The retention process runs nightly at 2:30 AM local time with the backup.
     • To perform retention manually, and use the default retention period, enter the following command:

       ./app-volume-backup.py retention

     • You can also set the retention period manually by adding -t (time - defaults to 1) and -p (period - defaults to 0) switches.

       The -p switch accepts three values: 0 for a week, 1 for a day, and 2 for an hour.

       For example, to set the retention period for a backup to 3 weeks, enter the following command:

       ./app-volume-backup.py retention -t 3 -p 0

   • If you want to change the retention time that is used by the nightly timer, add flags to the retention command found in the following systemd service file.

     /usr/lib/systemd/system/app-data-backup.service

     For example, to change the retention period that is used by the nightly retention process to 5 days, locate the following line:

     ExecStart=/opt/qradar/bin/app-volume-backup.py retention

     Replace it with:

     ExecStart=/opt/qradar/bin/app-volume-backup.py retention -t 5 -p 1

     Save your changes, and run the systemctl daemon-reload command for systemd to apply the changes.

   App containers are restarted automatically after the restore is complete.