IBM Support

QRadar: How to restore specific application's data

How To


Summary

The QRadar applications backup runs nightly at 2:30 AM and is normally used to restore the data of all applications at once. In some situations only the data of a single application needs to be restored.

This article lists the steps to restore a specific application by extracting only that application's folder from the selected nightly backup file and replacing the application folder in /store/docker/volumes.

Objective

This article instructs administrators on how to restore the data of specific applications that are currently installed or were removed within the last 7 days.

Steps

For readability, the content in this technical note is divided into the following categories:

  Before you begin

  Step 1: Preparing the environment

  Step 2: Restore the application data

  Step 3: Remove leftovers

Before you begin

IMPORTANT: This procedure requires the following Linux skills:
  • Navigating through folders by using the cd command
  • Handling compressed files by using tar command
  • Moving files and folders by using mv command
  • Restarting applications by using the qappmanager utility
If you are not comfortable running these commands, contact QRadar Support for assistance.

Step 1: Preparing the environment

This section is mandatory because the application to be restored must be in the STOPPED state. In this article, the application to be restored is the Pulse app with Instance ID 1001.
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Run the qappmanager utility to get the Instance ID of the application to restore, then stop the application.
    1. Obtain the Instance ID. The following example displays the Instance ID 1001.
      APP INSTANCES (IID=Instance ID, DID=Definition ID, MHN=Managed Host Name, AHT=Application Host Type, SP=Security Profile):
       IID  | DID  | Name                                    | Status  | Task Status | Installed        | MHN             | AHT   | Memory | SP | Errors
      ---------------------------------------------------------------------------------------------------------------------------------------------------
       1001 | 1001 | pulse.full_name                         | STOPPED | COMPLETED   | 2021-09-07 15:55 | Console01 | LOCAL |    350 |    |

    2. Stop the application by using option 24.

      Result
      The application to be restored is stopped and the backup data can be restored.

Step 2: Restore the application data

The following steps guide administrators to identify and restore the application data from the backups inside /store/apps/backup.
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Optional. If the applications are running on an App Host, use SSH to log in to the App Host instead.
  3. Access the persistent data folder and list its contents:
    cd /store/docker/volumes
    ll
    Output example:
    [root@Console01 ~]# cd /store/docker/volumes/
    
    [root@Console01 volumes]# ll
    drwxr-xr-x 3 nobody nobody 127 Aug  3 10:34 qapp-1001
  4. Move the current data folder to a backup location, where XXXX is the Instance ID obtained in Step 1:
    mkdir -p /store/IBM_Support
    mv qapp-XXXX /store/IBM_Support/
    Output example:
    [root@Console01 volumes]# mv qapp-1001 /store/IBM_Support/
  5. Create a folder with the same ID:
    mkdir qapp-XXXX
    Output example:
    [root@Console01 volumes]# mkdir qapp-1001
  6. Access the backup folder:
    [root@Console01 volumes]# cd /store/apps/backup
  7. List the existing files and choose the backup file from the date you want to restore the data from.
    [root@Console01 backup]# ll
    total 9651916
    -rw-r--r-- 1 root root  100397618 Nov 15 02:31 backup.apps-volumes.all.1668501006.tgz
    -rw-r--r-- 1 root root   98391887 Nov 16 02:31 backup.apps-volumes.all.1668587403.tgz
    -rw-r--r-- 1 root root  668537535 Nov 17 02:42 backup.apps-volumes.all.1668673807.tgz
  8. View the contents of the file from the chosen date:
    tar -tf backup.apps-volumes.all.XXXXXXXXXX.tgz
    The following output displays the backup file from 15 November 2022.
    [root@Console01 backup]# tar -tf backup.apps-volumes.all.1668501006.tgz
    backup.apps-volumes.all.1668501006/1001.tgz
    backup.apps-volumes.all.1668501006/1002.tgz
    backup.apps-volumes.all.1668501006/1003.tgz
  9. Extract only the inner archive that is named after the Instance ID of the application you want to restore:
    tar -xzvf backup.apps-volumes.all.XXXXXXXXXX.tgz backup.apps-volumes.all.XXXXXXXXXX/XXXX.tgz
    Output example:
    [root@Console01 backup]# tar -xzvf backup.apps-volumes.all.1668501006.tgz backup.apps-volumes.all.1668501006/1001.tgz
    < verbose output omitted >
  10. Access the newly created folder.
    ll
    cd backup.apps-volumes.all.XXXXXXXXXX
    The following output displays the newly created directory "backup.apps-volumes.all.1668501006".
    [root@Console01 backup]# ll
    drwxr-xr-x 2 root root         30 Nov 21 18:45 backup.apps-volumes.all.1668501006
    [root@Console01 backup]# cd backup.apps-volumes.all.1668501006
    [root@Console01 backup.apps-volumes.all.1668501006]# ll
    -rw-r--r-- 1 root root 402609 Nov 15 02:31 1001.tgz
  11. Extract the contents of the compressed file to the persistent data folder that was created in step 5 and list its contents:
    tar -xzvf XXXX.tgz -C /store/docker/volumes/qapp-XXXX
    cd /store/docker/volumes/qapp-XXXX
    ll
    Output example:
    [root@Console01 backup.apps-volumes.all.1668501006]# tar -xzvf 1001.tgz -C /store/docker/volumes/qapp-1001
    [root@Console01 backup.apps-volumes.all.1668501006]# cd /store/docker/volumes/qapp-1001
    [root@Console01 qapp-1001]# ll
    -rwxr-xr-x 1 nobody nobody     220 Aug  3 10:34 appConfig.json
    -rw-r--r-- 1 nobody nobody  307200 Aug  3 10:34 app.db
    -rw-r--r-- 1 nobody nobody      24 Aug  3 10:34 configVersion.json
    drwxr-xr-x 2 nobody nobody    4096 Aug  3 10:27 log
    -rw-r--r-- 1 nobody nobody 3317760 Aug  3 10:34 searchResults.db
    The date of the listed files reflects the date when the files were backed up.

  12. Start the application by using option 23 of the qappmanager tool.

    Result
    The application data is restored from the backup file of the chosen date.
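The following script is an added example and is not part of IBM's documentation or of QRadar's own tooling. It automates steps 3 to 11 of Step 2 and the cleanup of Step 3 for one Instance ID, assuming the backup layout shown above (an outer backup.apps-volumes.all.<epoch>.tgz that contains <epoch-dir>/<IID>.tgz, and volumes under /store/docker/volumes/qapp-<IID>). Two things differ from the manual procedure: the script refuses to touch the live volume if the chosen backup does not contain that Instance ID, and the moved-aside copy gets a timestamp suffix so that repeated runs cannot collide in /store/IBM_Support. Stopping and starting the app with qappmanager (options 24 and 23) is interactive and is still done by hand before and after running it. The make_sample_backup function only builds constructed test data so the script can be exercised outside a QRadar host.

```shell
#!/usr/bin/env bash
# Added example (not IBM's tooling): restore one app's persistent volume from a
# QRadar nightly applications backup. Run as root on the Console (or App Host)
# after stopping the app with qappmanager; start it again afterwards.
set -eu

# restore_app_volume <backup_tgz> <instance_id> [volumes_dir] [stash_dir]
# Moves the live volume aside into stash_dir (step 4), recreates an empty
# volume directory (step 5), extracts only <instance_id>.tgz from the outer
# backup (step 9) and unpacks it into the new volume (step 11). Returns 1 and
# changes nothing if the backup does not contain that instance.
restore_app_volume() {
    local backup_tgz="$1" iid="$2"
    local volumes_dir="${3:-/store/docker/volumes}"
    local stash_dir="${4:-/store/IBM_Support}"
    local vol="${volumes_dir}/qapp-${iid}"
    local base member workdir

    base="$(basename "$backup_tgz" .tgz)"      # backup.apps-volumes.all.<epoch>
    member="${base}/${iid}.tgz"

    # Check before touching anything: is this instance in the chosen backup?
    if ! tar -tzf "$backup_tgz" | grep -qx "$member"; then
        echo "instance ${iid} not found in ${backup_tgz}" >&2
        return 1
    fi

    # Keep the current data, then start from an empty volume.
    mkdir -p "$stash_dir"
    if [ -d "$vol" ]; then
        mv "$vol" "${stash_dir}/qapp-${iid}.bak.$(date +%s)"
    fi
    mkdir -p "$vol"

    # Extract the single member into a scratch directory, unpack the inner
    # archive into the volume, then remove the scratch directory (Step 3).
    # GNU tar run as root restores the archived owner (nobody:nobody), which
    # matches the listing shown on the page.
    workdir="$(mktemp -d)"
    tar -xzf "$backup_tgz" -C "$workdir" "$member"
    tar -xzf "${workdir}/${member}" -C "$vol"
    rm -rf "$workdir"
    ls -l "$vol"
}

# Constructed sample data (not a real QRadar backup): builds a minimal backup
# in the page's layout for instances 1001 and 1002 under $1, plus a stale
# "live" volume for 1001, and prints the path of the outer backup file.
make_sample_backup() {
    local root="$1" epoch=1668501006 iid src
    local base="backup.apps-volumes.all.${epoch}"
    mkdir -p "${root}/apps/backup/${base}" "${root}/docker/volumes"
    for iid in 1001 1002; do
        src="${root}/src-${iid}"
        mkdir -p "${src}/log"
        printf '{"instance":%s}\n' "$iid" > "${src}/appConfig.json"
        printf 'restored-db-%s\n' "$iid" > "${src}/app.db"
        tar -czf "${root}/apps/backup/${base}/${iid}.tgz" -C "$src" .
        rm -rf "$src"
    done
    tar -czf "${root}/apps/backup/${base}.tgz" -C "${root}/apps/backup" "$base"
    rm -rf "${root}/apps/backup/${base}"
    mkdir -p "${root}/docker/volumes/qapp-1001"
    echo 'stale-live-db' > "${root}/docker/volumes/qapp-1001/app.db"
    echo "${root}/apps/backup/${base}.tgz"
}

# Usage on a real host (defaults point at /store/docker/volumes and
# /store/IBM_Support):
#   restore_app_volume /store/apps/backup/backup.apps-volumes.all.1668501006.tgz 1001
```

The pre-check with `tar -tzf | grep -qx` is the part worth keeping even if the rest is done by hand: it confirms that the inner archive for the Instance ID exists in the chosen nightly file before the live volume is moved, so a typo in the ID or the wrong date cannot leave the app with an empty data directory.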

Step 3: Remove leftovers

Administrators can optionally run these steps to remove the directories and files that are no longer needed.
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Optional. If the applications are running on an App Host, use SSH to log in to the App Host instead.
  3. Go back to the backup folder and remove the directory that was extracted in step 9 of Step 2:
    cd /store/apps/backup
    ll
    rm -rf backup.apps-volumes.all.XXXXXXXXXX/
    Output example:
    [root@Console01 qapp-1001]# cd /store/apps/backup
    [root@Console01 backup]# ll
    drwxr-xr-x 2 root root         30 Nov 21 18:45 backup.apps-volumes.all.1668501006
    [root@Console01 backup]# rm -rf backup.apps-volumes.all.1668501006/
    Note: The previous command deletes only the extracted folder, not the backup file with the '.tgz' extension.

    Result
    The temporary directories and files created for the restoration are removed from the system.

What to do next

If the procedure did not work, administrators can contact QRadar Support for assistance.


Document Information

Modified date:
30 November 2022

UID

ibm16825033