Restoring data

You can restore the data on your IBM® QRadar® Console and managed hosts from backup files. The data portion of the backup files includes information such as source and destination IP address information, asset data, event category information, vulnerability data, flow data, and event data.

Each managed host in your deployment, including the QRadar Console, creates all backup files in the /store/backup/ directory. Your system might include a /store/backup mount from an external SAN or NAS service. External services provide long-term, offline retention of data, which is commonly required by compliance regulations such as PCI.

Before you begin

Restriction: If you are restoring data on a new QRadar Console, the configuration backup must be restored before you restore the data backup.

Ensure that the following conditions are met:

  • You know the location of the managed host where the data is backed up.
  • The /store directory (or /store/ariel, if your deployment uses a separate mount point for that volume) has sufficient space for the data that you want to recover.
  • You know the date and time for the data that you want to recover.
  • If your configuration has been changed, before you restore the data backup, you must restore the configuration backup.

Procedure

  1. Use SSH to log in to IBM QRadar as the root user.
  2. Go to the /store/backup directory.
  3. To list the backup files, type the following command:

    ls -l

  4. If backup files are listed, go to the root directory by typing the following command:

    cd /

    Important: The restored files must be in the /store directory. If you type cd instead of cd /, the files are restored to the /root/store directory.
  5. To extract the backup files to their original directory, type the following command:

    tar -zxpvPf /store/backup/backup.name.hostname_hostID.target date.backup type.timestamp.tgz

    Table 1. Description of file name variables

    File name variable   Description
    name                 The name of the backup.
    hostname_hostID      The name of the QRadar system that hosts the backup file, followed by the identifier for that system.
    target date          The date that the backup file was created, in the format day_month_year.
    backup type          The options are data or config.
    timestamp            The time that the backup file was created.
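A pre-flight check for steps 4 and 5, added here as an example and not part of the IBM documentation or of QRadar itself: because tar -P keeps absolute paths, the script refuses an archive whose members do not all sit under /store, confirms that the uncompressed archive fits on the target volume, and prints the backup type and target date parsed from the file name so that they can be matched against the conditions above. It assumes tar and gzip on the PATH and the file-name pattern from Table 1; the sample file name in the comments is constructed.

```shell
#!/bin/sh
# Pre-flight checks before "cd / && tar -zxpvPf /store/backup/<file>.tgz".
# Added example, not IBM QRadar tooling. Assumes tar and gzip on the PATH and
# file names shaped like backup.name.hostname_hostID.target date.backup type.timestamp.tgz,
# e.g. (constructed) backup.daily.qradar_1.15_03_2024.data.1710460800.tgz

# Print the "backup type" field (data or config). Fields are counted from the
# end so that a hostname containing dots does not shift them.
backup_type() {
    printf '%s\n' "$1" | awk -F. '{ print $(NF-2) }'
}

# Print the "target date" field (day_month_year).
backup_date() {
    printf '%s\n' "$1" | awk -F. '{ print $(NF-3) }'
}

# tar -P preserves absolute paths, so a member outside /store (or one that
# climbs with "..") would be written elsewhere on the host. List the archive
# and reject it if any member is not rooted at /store (or store/, relative to /).
archive_under_store() {
    tar -tzf "$1" | awk '
        $0 !~ /^\/?store\// || /(^|\/)\.\.(\/|$)/ {
            print "refusing: member outside /store: " $0; bad = 1
        }
        END { exit bad }'
}

# Check that the uncompressed archive fits in the free space of the volume
# holding $2. Decompressing to count bytes is exact but streams the whole
# archive (gzip -l only reports the size modulo 4 GiB, so it is not used).
archive_fits() {
    need_kb=$(( $(gzip -dc "$1" | wc -c) / 1024 ))
    free_kb=$(df -Pk "$2" | awk 'NR==2 { print $4 }')
    [ "$need_kb" -lt "$free_kb" ]
}

# Run all checks against the archive in $1, targeting /store unless $2 is given.
preflight() {
    echo "backup type: $(backup_type "$1")  target date: $(backup_date "$1")"
    archive_under_store "$1" || return 1
    archive_fits "$1" "${2:-/store}" || return 1
    echo "ok: safe to extract from / with tar -zxpvPf $1"
}

if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

Run it as root on the managed host with the backup file as the only argument before typing the tar command from step 5.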

Results

The daily data backup captures all data on each host. If you restore data on a managed host that contains only event or flow data, only that data is restored to that host. To keep the restored data, increase your data retention settings so that the nightly disk maintenance routines do not delete it.