IBM Support

QRadar: How to use the manual data backup script to create missed backups

How To


Summary

How can administrators use the manual data backup script to better ensure data is archived?

Objective

This script lets administrators manually rerun the data backup for any past day, for example when a backup failed or was removed by the backup retention policies, and populates the Backup and Recovery user interface with the missing day's backup.
Note: This method is not a substitute for the original backup and restore methods, and must be used only if required.

Environment

Automatic updates enabled, or the latest weekly update bundle applied.
QRadar Manual Data Backup tool Version 1.0

Steps

When the script is run, a backup is generated and placed in /store/backupHost/inbound to be processed.
Important information about the script:
 
  • The script cannot be used to obtain the current day's data. It fails with the error:
    ERROR: The date cannot be today or in the future.
  • The script cannot be used to obtain the configuration backup. Instead, run an on-demand configuration backup.
  1. SSH to the Console, then if required, to the managed host you want to back up.
  2. Run the manual_data_backup.sh script.
    /opt/qradar/support/manual_data_backup.sh
    Output example:
    This script is intented to create data backups manually. The backup will be created under /store/backupHost/inbound/
    Please go to the Backup and recovery page to process this backup and have it show up in the UI.
    	-Providing the -b parameter with a date format of yyyymmdd. Example -b 20220411.
    	-The -h option will print this help. The -v will print the version.
  3. Run the following command to initialize a backup:
    /opt/qradar/support/manual_data_backup.sh -b <yyyymmdd date time stamp> 
    Replace <yyyymmdd date time stamp> with the chosen date. For example, to generate a backup from 27 October 2022, use:
    /opt/qradar/support/manual_data_backup.sh -b 20221027
    Output example:
    Creating backup /store/backupHost/inbound//backup.custom.<hostname>_53.27_10_2022.data.1666987982000.tgz ...
    Fri Oct 28 14:14:57 CST 2022 [backup.sh] OK: Backup processed
    
  4. Verify the backup is in /store/backupHost/inbound. The backup obtained by the script has the word "custom" in its name.
    ls -l /store/backupHost/inbound/
    Output example:
    -rw-r--r-- 1 root   root   885428198 Oct 28 14:14 backup.custom.qr-console_53.27_10_2022.data.1666987982000.tgz
    drwxr-xr-x 2 nobody nobody        10 Sep  7  2021 keys
    
  5. Log in to the QRadar Console as an admin.
  6. On the navigation menu, click Admin.
  7. Click the Backup and Recovery menu and refresh the page.

    Result
    This refresh causes the backup files to be imported and shown in the menu.
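
Steps 2 to 4 as a guarded wrapper. This is an added example, not IBM's code: it rejects today's date, future dates and malformed dates before calling the script, then confirms that a non-empty "custom" archive for that day exists in the inbound directory. The function names are hypothetical, and the dd_mm_yyyy file-name layout is an assumption inferred from the sample output above.

```bash
#!/bin/sh
# Added example (not IBM's code): guard rails around manual_data_backup.sh.
# Paths are the ones the article gives; both can be overridden for testing.
SCRIPT=${SCRIPT:-/opt/qradar/support/manual_data_backup.sh}
INBOUND=${INBOUND:-/store/backupHost/inbound}

# valid_backup_date YYYYMMDD [TODAY]: true only for a real calendar date
# strictly before TODAY (default: now). The script rejects today and later.
# The ( ) body is a subshell: variables stay local, exit only leaves the function.
valid_backup_date() (
    d=$1; today=${2:-$(date +%Y%m%d)}
    case $d in
        [1-9][0-9][0-9][0-9][01][0-9][0-3][0-9]) ;;
        *) exit 1 ;;
    esac
    y=${d%????}; rest=${d#????}; m=${rest%??}; dd=${rest#??}
    m=${m#0}; dd=${dd#0}                  # avoid octal parsing of 08 and 09
    [ "$m" -ge 1 ] && [ "$m" -le 12 ] && [ "$dd" -ge 1 ] || exit 1
    case $m in
        4|6|9|11) dim=30 ;;
        2) dim=28
           if [ $((y % 4)) -eq 0 ] && { [ $((y % 100)) -ne 0 ] || [ $((y % 400)) -eq 0 ]; }
           then dim=29; fi ;;
        *) dim=31 ;;
    esac
    [ "$dd" -le "$dim" ] && [ "$d" -lt "$today" ]
)

# find_custom_backup DIR YYYYMMDD: print the non-empty "custom" archive for
# that day. The dd_mm_yyyy name layout is an assumption (see lead-in).
find_custom_backup() (
    d=$2; y=${d%????}; rest=${d#????}; m=${rest%??}; dd=${rest#??}
    for f in "$1"/backup.custom.*."${dd}_${m}_${y}".data.*.tgz; do
        if [ -s "$f" ]; then printf '%s\n' "$f"; exit 0; fi
    done
    exit 1
)

# run_manual_backup YYYYMMDD: 2 = bad date, 3 = script failed, 4 = no archive
run_manual_backup() {
    valid_backup_date "$1" || { echo "refusing '$1': need a past yyyymmdd date" >&2; return 2; }
    "$SCRIPT" -b "$1" || return 3
    find_custom_backup "$INBOUND" "$1" || { echo "no custom backup for $1 in $INBOUND" >&2; return 4; }
}

# Stand-alone use: pass one or more days, for example 20221027 20221028
for day in "$@"; do run_manual_backup "$day" || exit $?; done
```

A non-zero exit code identifies which stage failed, so a missed day is not silently skipped when several dates are backfilled in one run.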
     

Document Location

Worldwide

Product: IBM QRadar (Security Software). Category: Deployment. Platform: Platform Independent. Versions: 7.4.0; 7.5.0

Document Information

Modified date:
06 February 2023

UID

ibm16831239