Moving backups to an NFS

You can configure Network File System (NFS) for a stand-alone QRadar appliance, or a QRadar appliance that you are making the primary host in an HA deployment.

Before you begin

You must ensure that the QRadar appliance can connect with the NFS server.

Important:

Maintain a local copy (backup.nfs) of your backup on your system so that the backups are still available if the NFS mount fails. Monitor the directory that holds the local backups carefully to ensure that it doesn't cause any disk storage issues.

About this task

Warning:

If you use NFS or a Windows share for offboard storage, your system can lock and cause an outage. This practice is not supported by IBM QRadar.

Even though the risk is low with a Linux OS, ransomware can encrypt all mounted remote drives. If you use an NFS mount, you can reduce your risk by mounting the NFS drive only while you copy data from a local drive to the NFS-mounted drive. Then, unmount the NFS drive for daily operations.

If you choose to use NFS anyway, NFS can be used only for daily backup data, such as the /store/backup directory. You cannot use NFS for storing active data, which includes the PostgreSQL and ariel databases. If you do use NFS, it might cause database corruption or performance issues.

Procedure

  1. Run nightly backups to the local drive, /store/backup.
  2. Use SSH to log in to the QRadar host as the root user.
  3. Start NFS services by typing the following commands:
    systemctl enable rpcbind
    systemctl start rpcbind
    
  4. Add the following line to the /etc/fstab file.
    nfsserver:/nfs/export/path /store/backup nfs rw,soft,intr,noac 0 0

    You might need to adjust the settings for the NFS mount point to accommodate your configuration.

  5. Move your backup files from the existing directory to a temporary location by typing the following commands:
    cd /store/
    mv backup backup.local
  6. Create a new backup directory by typing the following command:
    mkdir /store/backup
  7. Set the permissions for the NFS volume by typing the following command:
    chown nobody:nobody /store/backup
  8. Mount the NFS volume by typing the following command:
    mount /store/backup

    The root user must have read and write access to the mounted NFS volume because the hostcontext process runs as root user.

    Use the local copy of your backup that you created. See the Important note.

  9. Verify that /store/backup is mounted by typing the following command:
    df -h
  10. Copy the backup files from the temporary location to the NFS volume by typing the following command:
    cp -f /store/backup.local/* /store/backup
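  11. Verify the files by typing the following commands. The checksums are computed from inside each directory so that the recorded file names are relative and identical copies produce identical lists:
    (cd /store/backup.local && sha256sum *) > backuplocal.sha256.txt
    (cd /store/backup.nfs && sha256sum *) > backupnfs.sha256.txt
    diff backuplocal.sha256.txt backupnfs.sha256.txt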
    

    If you see differences between the files, stop and determine the reason. Possible reasons include a copy that filled the destination partition or a network outage during the copy procedure.

  12. After you verify the copy procedure was successful, remove the backup.local directory by typing the following commands:
    cd /store
    rm -r backup.local

    When you remove the backup.local directory, you prevent the local partition from filling.
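
The checks in steps 9 to 11 can be scripted so that backup.local is removed only after every file is confirmed on the NFS volume. The following is an added example, not part of the IBM procedure: the function names are hypothetical, and the directories are passed in by the caller. It goes slightly beyond step 11 by also rejecting an empty source directory and by reporting files that are missing from the destination.

```sh
#!/bin/sh
# Added example, not IBM's script. Function names are hypothetical.
# Typical call, using the paths from the procedure:
#   is_mount_point /store/backup && verify_backup_copy /store/backup.local /store/backup

# Print "<sha256>  <file name>" for each regular file directly inside directory $1.
hash_dir() (
    cd "$1" || exit 2
    for f in *; do
        if [ -f "$f" ]; then sha256sum -- "$f"; fi
    done
)

# Succeed only if $1 is itself a mount point, so that a failed NFS mount is not
# mistaken for the remote volume (the copy would then land on the local disk).
is_mount_point() {
    mountpoint -q "$1"
}

# Compare every file in source $1 with the same-named file in destination $2.
# Prints one line per problem; returns 0 only if all files are present and identical.
verify_backup_copy() (
    src=$1; dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || { echo "ERROR: not a directory" >&2; exit 2; }
    hashes=$(hash_dir "$src") || exit 2
    # An empty source proves nothing, so do not report it as verified.
    [ -n "$hashes" ] || { echo "EMPTY    $src"; exit 1; }
    report=$(printf '%s\n' "$hashes" | while read -r sum name; do
        if [ ! -f "$dst/$name" ]; then
            echo "MISSING  $name"      # the copy stopped before this file
        elif [ "$(sha256sum < "$dst/$name" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MISMATCH $name"      # truncated or altered copy
        fi
    done)
    [ -z "$report" ] && exit 0
    printf '%s\n' "$report"
    exit 1
)
```

A nonzero return from either function means that backup.local must be kept until the cause is found.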

What to do next

If you are setting up NFS for a new HA deployment, follow the instructions in Configuring a mount point for a secondary HA host for your secondary HA appliance.