Restoring SOAR Platform from a soarSystemBackup file

To restore a soarSystemBackup backup, you must use the soarSystemRestore command. If the backup is encrypted, you must supply the passphrase file to restore the system.

Before you begin

You can restore a backup to the same or different SOAR Platform system, but they must be compatible. The system that you are restoring to must be at the same version as the backup system. You cannot restore a backup from a non-FIPS compliant platform to a FIPS-compliant platform.

About this task

If you are restoring an online backup, updates that occurred during the backup process are automatically reconciled during the restore process. The restore process requires more time to complete while the system reconciles the attachments, and the SOAR Platform services restart only after the attachment reconciliation is complete.

In the attachment reconciliation process, the database is considered the single source of truth, and attachment discrepancies fall into one of the following categories.
  • An attachment is present in the database, but it cannot be found in the file system.
  • An attachment is present in the file system, but it cannot be found in the database.
  • An attachment is present in both the database and the file system, but the file contents are different.

After the attachment reconciliation process is complete, the SOAR Platform services are restarted, and the Elasticsearch indexes are updated. While the indexes are updating, users can run a search, but the results might show stale data until the re-indexing process is complete. To minimize the impact, new incidents are updated first.

Procedure

  1. To restore an unencrypted backup, type this command:
    sudo soarSystemRestore -f /crypt/backups/<soar-system-backup-filename>.tar
  2. To restore an encrypted backup, type this command:
    sudo soarSystemRestore -f /crypt/backups/<soar-system-backup-filename>.tar -p /usr/share/co3/conf/backup_passphrase

What to do next

If you restored an online backup, review the /var/log/soar_backup/reconcileAttachments.log file to view the results of the attachment reconciliation process.

  • This message shows the attachment reconciliation summary:
    2022-10-20T03:01:51.977 [main] INFO c.i.r.r.AttachmentMismatchResolver - Reconciliation completed, 1 files missed, 1 database records missed, and 1 files digest mismatched.
  • This message indicates that an attachment is present in the file system, but it cannot be found in the database.
    2022-10-20T03:01:51.978 [main] DEBUG c.i.r.r.AttachmentMismatchResolver - Move 1 files to /crypt/attachments/_movedByReconciliation/1. They are not referenced by database anymore, you can safely delete them.

    The file attachments are moved to the /crypt/attachments/_movedByReconciliation folder so that an administrator can review the files and delete them manually.

  • This message indicates that the attachment is found in the database, but it cannot be found in the file system, or the file might be corrupted.
    2022-10-20T03:01:52.024 [main] DEBUG c.i.r.r.AttachmentMismatchResolver - Unable to read the artifact attachment file '<name>.txt' (id=1) of Incident '<name>' (id=2095) in organization 201. You may want to delete that artifact attachment.

    2022-10-20T03:01:52.024 [main] DEBUG c.i.r.r.AttachmentMismatchResolver - Unable to read the attachment file '<filename>.txt' (id=2) of Task '<name>' (id=2) in organization 201. You may want to delete that task attachment.

    You can use the information in the message to find the attachment in the SOAR Platform and delete it.
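The following script is an added example (not IBM's code) that parses the three reconcileAttachments.log message formats shown above into a structured report, so an administrator can see at a glance whether a restore left orphaned files in _movedByReconciliation or database attachments whose file is missing or corrupt. The log text is a constructed sample modelled on those messages; the real log is read from /var/log/soar_backup/reconcileAttachments.log.

```python
import re

# Constructed sample of reconcileAttachments.log, modelled on the message
# formats documented above; not a capture from a real system.
SAMPLE_LOG = """\
2022-10-20T03:01:51.977 [main] INFO c.i.r.r.AttachmentMismatchResolver - Reconciliation completed, 1 files missed, 1 database records missed, and 1 files digest mismatched.
2022-10-20T03:01:51.978 [main] DEBUG c.i.r.r.AttachmentMismatchResolver - Move 1 files to /crypt/attachments/_movedByReconciliation/1. They are not referenced by database anymore, you can safely delete them.
2022-10-20T03:01:52.024 [main] DEBUG c.i.r.r.AttachmentMismatchResolver - Unable to read the artifact attachment file 'evidence.txt' (id=1) of Incident 'Phishing report' (id=2095) in organization 201. You may want to delete that artifact attachment.
2022-10-20T03:01:52.024 [main] DEBUG c.i.r.r.AttachmentMismatchResolver - Unable to read the attachment file 'notes.txt' (id=2) of Task 'Triage' (id=2) in organization 201. You may want to delete that task attachment.
"""

# Summary line: counts for the three discrepancy categories.
SUMMARY_RE = re.compile(
    r"Reconciliation completed, (\d+) files missed, (\d+) database records missed, "
    r"and (\d+) files digest mismatched"
)
# Files present on disk but not in the database, moved aside for manual review.
MOVED_RE = re.compile(r"Move (\d+) files to (\S+)\.")
# Database records whose file is missing or unreadable; artifact or task attachment.
UNREADABLE_RE = re.compile(
    r"Unable to read the (?:artifact )?attachment file '(?P<file>[^']*)' \(id=(?P<att_id>\d+)\) "
    r"of (?P<kind>Incident|Task) '(?P<name>[^']*)' \(id=(?P<obj_id>\d+)\) in organization (?P<org>\d+)"
)


def parse_reconcile_log(text):
    """Return summary counts, moved-file directories and unreadable attachments."""
    report = {"summary": None, "moved": [], "unreadable": []}
    for line in text.splitlines():
        if m := SUMMARY_RE.search(line):
            report["summary"] = {"files_missed": int(m[1]),
                                 "db_records_missed": int(m[2]),
                                 "digest_mismatched": int(m[3])}
        elif m := MOVED_RE.search(line):
            report["moved"].append({"count": int(m[1]), "dir": m[2]})
        elif m := UNREADABLE_RE.search(line):
            d = m.groupdict()
            report["unreadable"].append({"org": int(d["org"]), "kind": d["kind"],
                                         "object_id": int(d["obj_id"]),
                                         "attachment_id": int(d["att_id"]),
                                         "file": d["file"]})
    return report


def needs_review(report):
    """True when the log is incomplete or any discrepancy was recorded."""
    s = report["summary"]
    return s is None or any(s.values()) or bool(report["moved"]) or bool(report["unreadable"])


if __name__ == "__main__":
    # For a real run: open("/var/log/soar_backup/reconcileAttachments.log").read()
    print(parse_reconcile_log(SAMPLE_LOG), needs_review(parse_reconcile_log(SAMPLE_LOG)))
```

Each entry in the unreadable list carries the organization, the incident or task id and the attachment id, which is the information the last message above tells you to use when locating the attachment in the SOAR Platform.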