Verifying restored data

Verify that your data is restored correctly in IBM QRadar.

Procedure

  1. To verify that the files are restored, review the contents of one of the restored directories by typing one of the following commands:

    cd /store/ariel/flows/payloads/<yyyy/mm/dd>

    cd /store/ariel/events/payloads/<yyyy/mm/dd>

    Each restored day directory contains one subdirectory for each hour of the day. If hour directories are missing, data might not have been captured for that time period.

  2. Verify that the restored data is available.
    1. Log in to the QRadar interface.
    2. Click the Log Activity or Network Activity tab.
    3. Select Edit Search from the Search list on the toolbar.
    4. In the Time Range pane of the Search window, select Specific Interval.
    5. Select the time range of the data you restored and then click Filter.
    6. View the results to verify the restored data.
    7. If your restored data is not available in the QRadar interface, verify that the data was restored to the correct location and that file ownership and permissions are configured correctly.

      Restored files must be under the /store directory. If you typed cd instead of cd / when you extracted the restored files, the archive was extracted into the home directory of root: check the /root/store directory for the restored files. If you did not change directories before you extracted the restored files, check the /store/backup/store directory for the restored files.

      Typically, files are restored with their original ownership and permissions. However, if the files are not owned by root, QRadar might not be able to read them. The correct ownership of directories and files in /store/ariel/events/payloads and /store/ariel/flows/payloads is root:root. If the files and directories do not have the correct ownership, change the ownership by using the chown command.

      The correct permissions of directories and files in /store/ariel/events/payloads and /store/ariel/flows/payloads are 755 for directories and 644 for files. If the files and directories do not have the correct permissions, change the permissions by using the chmod command.
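
The following script is an added example and is not part of the IBM QRadar documentation or product. It performs the checks from steps 1 and 2.7 on one restored day directory: it reports hour subdirectories that are missing, and any file or directory whose ownership is not root:root or whose mode is not 755 (directories) or 644 (files). It assumes GNU find and stat, as found on the QRadar Console, and assumes that hour subdirectories are named 0 to 23 (zero-padded names are accepted as well); the function name check_restored_payloads is hypothetical.

```shell
#!/bin/sh
# Added example (not from the IBM QRadar documentation): check one restored
# payload day directory for the conditions the procedure above describes.
#
#   check_restored_payloads /store/ariel/events/payloads/yyyy/mm/dd
#   check_restored_payloads /store/ariel/flows/payloads/yyyy/mm/dd root:root
#
# Prints one finding per line (MISSING_DIR, MISSING_HOUR, BAD_OWNER, BAD_MODE)
# and returns 1 if anything was found, 0 if the tree looks as expected.
# Assumptions: GNU find and stat (as on the RHEL-based QRadar Console), and
# hour directories named 0..23 (zero-padded 00..23 is accepted as well).
check_restored_payloads() {
  base="$1"
  want_owner="${2:-root:root}"
  want_user="${want_owner%%:*}"
  want_group="${want_owner##*:}"

  if [ ! -d "$base" ]; then
    echo "MISSING_DIR $base"
    return 1
  fi

  findings=""

  # One subdirectory per hour of the day; a missing hour means no data was
  # captured or restored for that period.
  h=0
  while [ "$h" -le 23 ]; do
    padded=$(printf '%02d' "$h")
    if [ ! -d "$base/$h" ] && [ ! -d "$base/$padded" ]; then
      findings="${findings}MISSING_HOUR $base/$h
"
    fi
    h=$((h + 1))
  done

  # Everything under the payload tree must be owned by root:root (or the
  # owner given as the second argument).
  owner_bad=$(find "$base" \( ! -user "$want_user" -o ! -group "$want_group" \) \
                -exec stat -c 'BAD_OWNER %U:%G %n' {} +)
  if [ -n "$owner_bad" ]; then
    findings="${findings}${owner_bad}
"
  fi

  # Directories must be 755 and files 644; anything else is reported with its
  # current mode so that it can be corrected with chmod.
  mode_bad=$(find "$base" \( -type d ! -perm 755 -o -type f ! -perm 644 \) \
               -exec stat -c 'BAD_MODE %a %n' {} +)
  if [ -n "$mode_bad" ]; then
    findings="${findings}${mode_bad}
"
  fi

  if [ -n "$findings" ]; then
    printf '%s' "$findings"
    return 1
  fi
  return 0
}

# Run directly as: sh check_restored.sh /store/ariel/events/payloads/yyyy/mm/dd
if [ "$#" -gt 0 ]; then
  check_restored_payloads "$@"
fi
```

Run it as root on the Console against the same day directories you inspected in step 1. Each BAD_OWNER and BAD_MODE line names one path to correct with chown or chmod; correct the reported paths rather than running a recursive chown or chmod across all of /store, because other parts of /store are not owned by root and must keep their existing ownership.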

What to do next

After you have verified that your data is restored, you must complete an auto update in QRadar. The auto update ensures that DSMs, vulnerability assessment (VA) scanners, and log source protocols are at the latest version. For more information, see c_tuning_guide_deploy_dsmupdates.html.