Backup and restore
To recover from any data loss that might occur, regularly back up your IBM® Security QRadar® EDR data. You can use the backup and restore process to support a disaster recovery that requires a redeployment of your environment.
About this task
When you install QRadar EDR, you configure a suitable storage class in the cluster. You support the configuration with one or more persistent volumes of suitable size. For more information about storage, see Storage requirements.
You provide secure storage for the backups that is mounted as a Persistent Volume Claim (PVC) in a pod. The backup and restore pod contains the necessary utilities for the backup and restore process. The backup and restore pod is deployed automatically as part of the installation or upgrade of QRadar EDR. By default the last 10 backups are kept for each data store.
Data store | Location | Backup file name |
---|---|---|
Cassandra | /opt/data/backup/cassandra | cassandra_backup_<YYYY_MM_DD__HH_MM_SS>.gz |
Elasticsearch | /opt/data/backup/elasticsearch | elasticsearch_backup_<YYYY_MM_DD__HH_MM_SS>.gz |
QRadar EDR | /opt/data/backup/reaqta | reaqta_backup_<YYYY_MM_DD__HH_MM_SS>.gz |
Postgres | /opt/data/backup/pg | pg_backup_default_<YYYY_MM_DD__HH_MM_SS>.gz |
Install Red Hat OpenShift CLI 4.14 or later
The backup and restore procedures are run with the Red Hat OpenShift CLI client (oc), which you use to deploy and run applications on a Red Hat OpenShift or Kubernetes cluster. It also provides the administrative commands for managing a cluster under the adm subcommand.
Procedure
Backing up data
Before you begin
You must have cluster administration privileges.
Procedure
Scheduling backup
QRadar EDR provides a support action to schedule data backup.
Before you begin
To access the schedule_cp4s_full_backup action, you must install the command-line interface (CLI) utility cpctl from the cp-serviceability pod. For more information, see Installing the cpctl utility to access support actions.
About this task
The schedule_cp4s_full_backup action runs a Red Hat OpenShift Container Platform cron job that creates a backup regularly, according to your schedule.
Parameter | Default | Required | Description |
---|---|---|---|
--password | none | Yes | A user-defined password that is used to encrypt the backup files. It is required during the restore process and cannot be recovered if it is lost. |
--token | none | Yes | A token that the administrator generates by running oc whoami -t on the local system. |
--schedule | "0 0 * * */6" | No | The cron expression (minute hour day-of-month month day-of-week) that sets the schedule of the backup cron job. |
--airgap | none | No | The local registry URL that was used to deploy Cloud Pak for Security. |
--disable | false | No | Set to true to disable the scheduled backup. The default, false, leaves the scheduled backup enabled. |
--keepfiles | 7 | No | The number of backup files to keep. When more backup files than this value exist, the oldest backup files are deleted. |
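Two details of the parameter table deserve a check before the cron job is scheduled. The encryption password is unrecoverable, so keep it in a secrets manager rather than only in shell history, and note that a value passed on the command line is visible to other users through the process list for as long as the command runs. The default schedule "0 0 * * */6" is also easy to misread: a step value in the day-of-week field (range 0-6) selects days 0 and 6, so it runs at midnight on Sunday and Saturday, not every six days. The script below is an added example, not IBM code: it validates a five-field cron expression and reproduces the --keepfiles retention rule against a backup directory using the file names from the table above (the pg store uses the pg_backup_default_ prefix, which the pg_backup_* pattern also matches). The directory and retention count are assumed arguments; the file names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not part of the IBM documentation).
# Usage:
#   validate_cron "0 0 * * */6"            && echo valid
#   expired_backups /opt/data/backup/cassandra cassandra 7   # list only
#   prune_backups   /opt/data/backup/cassandra cassandra 7   # delete
# Backup names are <prefix>_backup_<YYYY_MM_DD__HH_MM_SS>.gz; because the
# timestamp is zero-padded and ordered year, month, day, hour, minute,
# second, a byte-wise sort (LC_ALL=C) orders the files chronologically.

# One cron field: "*", a number or a range, optionally with "/step", and
# comma-separated lists of those. Loose on bounds, strict on shape.
CRON_FIELD_RE='^(\*|[0-9]+(-[0-9]+)?)(/[0-9]+)?(,(\*|[0-9]+(-[0-9]+)?)(/[0-9]+)?)*$'

# validate_cron EXPR -> 0 if EXPR has five well-formed fields, 1 otherwise.
# Runs in a subshell so "set -f" (no pathname expansion of "*") stays local.
validate_cron() (
  set -f
  set -- $1
  [ "$#" -eq 5 ] || exit 1
  for field in "$@"; do
    printf '%s\n' "$field" | grep -Eq "$CRON_FIELD_RE" || exit 1
  done
  exit 0
)

# expired_backups DIR PREFIX KEEP -> prints, oldest first, the files of the
# PREFIX data store in DIR that exceed KEEP. Deletes nothing, so the list
# can be reviewed before pruning.
expired_backups() {
  dir=$1; prefix=$2; keep=$3
  n=$(ls -1 "$dir" 2>/dev/null | grep -c "^${prefix}_backup_.*\.gz$" || true)
  [ "$n" -gt "$keep" ] || return 0
  ls -1 "$dir" | grep "^${prefix}_backup_.*\.gz$" | LC_ALL=C sort \
    | head -n $((n - keep)) \
    | while IFS= read -r f; do printf '%s/%s\n' "$dir" "$f"; done
}

# prune_backups DIR PREFIX KEEP -> removes what expired_backups reports.
prune_backups() {
  expired_backups "$@" | while IFS= read -r path; do
    rm -f -- "$path"
  done
}
```

The retention helper keeps the newest KEEP files per data store and never touches other stores sharing the same directory, which is the behaviour the --keepfiles description implies; run expired_backups first and prune_backups only once the list looks right.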
Procedure
Restoring data
When the restore process is completed, data is restored and the system returns to the state at the time of the backup.
Before you begin
You must have cluster administration privileges.
Because the Cassandra data store can be large, you might need to increase the memory that is used by the sstableloader process, or configure the Cassandra restore to use nodetool instead.
- sstableloader
- If you are restoring Cassandra data to a different Red Hat OpenShift cluster, or to the same cluster but with a different number of Cassandra nodes, you must use sstableloader. Depending on the size of the backup, you might need to increase the memory that is allocated to sstableloader before you restore Cassandra data. For more information, see Increasing the memory for Cassandra restoration.
- nodetool
- If you are restoring Cassandra data to the same cluster with the same number of Cassandra nodes, use nodetool. For more information, see Configuring Cassandra restoration to use Nodetool.
Procedure
Results
After the restore is complete, allow up to 15 minutes for pods to complete the restart operations. If the first attempt at restoring the system is not successful for any reason, the full restore procedure can be run again without any impact.
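The 15-minute settling period is best enforced with a check rather than a timer, so that a pod stuck in a crash loop after the restore is noticed instead of assumed healthy. The script below is an added example, not IBM code. It reads the table printed by `oc get pods --no-headers` (NAME, READY, STATUS, RESTARTS, AGE) and reports pods whose READY count is incomplete or whose STATUS is neither Running nor Completed, then polls until nothing is reported or the timeout expires. The namespace, label selector and pod names in the usage comment are assumed placeholders; the pod table in the comment is constructed.

```shell
#!/bin/sh
# Added example (not part of the IBM documentation).
# Usage after a restore:
#   wait_for_pods <qradar_edr_namespace> name=reaqta-hive-event-hive 900
# Input format assumed by pods_not_ready (as printed by
# "oc get pods --no-headers"):
#   reaqta-hive-event-hive-0   1/1   Running            0   5m
#   cassandra-1                1/2   Running            0   1m
#   elasticsearch-0            0/1   CrashLoopBackOff   3   4m

# pods_not_ready: filter stdin, printing "NAME READY STATUS" for every pod
# that is not fully ready. Completed pods (finished jobs) are fine whatever
# their READY column says; Running pods must have READY x/x; any other
# status (Pending, CrashLoopBackOff, Error, ...) is reported.
pods_not_ready() {
  while read -r name ready status rest; do
    [ -n "$name" ] || continue
    have=${ready%/*}
    want=${ready#*/}
    case "$status" in
      Completed) ;;
      Running) [ "$have" = "$want" ] || printf '%s %s %s\n' "$name" "$ready" "$status" ;;
      *) printf '%s %s %s\n' "$name" "$ready" "$status" ;;
    esac
  done
}

# wait_for_pods NAMESPACE SELECTOR [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Polls oc until no pod matching SELECTOR is reported by pods_not_ready.
# Returns 0 when all pods are ready, 1 with the offending pods on stderr
# when TIMEOUT_SECONDS (default 900, the page's 15 minutes) runs out.
wait_for_pods() {
  ns=$1; selector=$2; timeout=${3:-900}; interval=${4:-15}
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    pending=$(oc get pods -n "$ns" -l "$selector" --no-headers | pods_not_ready)
    [ -z "$pending" ] && return 0
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  printf 'timed out after %ss; pods still not ready:\n%s\n' "$timeout" "$pending" >&2
  return 1
}
```

If wait_for_pods times out, the printed list tells you which data store to investigate before deciding whether to rerun the full restore, which the Results section says is safe to repeat.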
What to do next
Increasing the memory for Cassandra restoration
Procedure
What to do next
```shell
oc delete -f <file_name>
oc get pods -l name=reaqta-hive-event-hive -n <qradar_edr_namespace>
```
Configuring Cassandra restoration to use Nodetool
Procedure
What to do next
```shell
oc delete -f <file_name>
oc get pods -l name=reaqta-hive-event-hive -n <qradar_edr_namespace>
```