IBM Support

QRadar: Importing a backup fails with error "Failed to extract backup"

Troubleshooting


Problem

When an administrator attempts to import a corrupted configuration backup, QRadar cannot process it because it detects that the backup is not in "gzip" or "tgz" format. This article helps the administrator troubleshoot the issue and verify the status of the backup.

Symptom

After an import attempt, the following error is found in the /var/log/qradar.log file in the console:
[hostcontext.hostcontext] [BackupServices_sync] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [ERROR]
Cannot process inbound backup archive: backup.nightly.QRADAR01_53.13_09_2022.config.1663126258427.tgz. Move it to 'invalid' directory
QRADAR root:
QRADAR root: gzip: stdin: not in gzip format
QRADAR root: tar: Child returned status 1
QRADAR root: tar: Error is not recoverable: exiting now
QRADAR root: [backup.sh] ERROR: Failed to extract backup
[hostcontext.hostcontext] [Thread-180722] ComponentOutput: [ERROR][-/- -]ErrorStream backup_extract: 
QRADAR root: [backup.sh] ERROR: Failed to extract backup

Cause

A configuration backup can fail to extract for several reasons, such as the following:
  • The configuration backup in question is corrupted.
  • The configuration backup is incorrectly formatted, and not in "gzip" or "tgz" format.

Diagnosing The Problem

The status and the file type of the configuration backup can be verified with the file command by using the following steps:

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Run the file command to verify the right format.
    Note: When a backup fails to be imported, the file is moved to /store/store/backupHost/invalid/. In this article, this path is used as an example.
    file /store/backupHost/invalid/backup.nightly.<BACKUP FILENAME>.tgz

    Result
    The following output shows the expected type information when the backup is not corrupted:
    /store/store/backupHost/invalid/backup.nightly.QRADAR01_53.13_09_2022.config.1663126258427.tgz:
     gzip compressed data, from Unix, last modified: Wed Oct  5 16:16:46 2022
    The following output shows an example of the type information when the backup is corrupted:
    /store/store/backupHost/invalid/backup.nightly.QRADAR01_53.13_09_2022.config.1663126258427.tgz: data
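
The file command identifies gzip data from the file header, so an archive that was truncated in transfer can still be reported as gzip compressed data. The following added example (not part of the IBM article or of QRadar) goes beyond the file check: it also tests the whole gzip stream and the tar listing. check_backup_archive and its return codes are hypothetical names chosen for this example.

```shell
#!/bin/bash
# Added example: validate a backup archive before importing it.
# check_backup_archive is a hypothetical helper name, not a QRadar tool.
# Return codes: 0 = OK, 1 = missing or empty, 2 = no gzip magic bytes,
#               3 = gzip stream damaged, 4 = not a readable tar archive
check_backup_archive() {
    local f="$1" magic
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }

    # gzip files start with the bytes 1f 8b; the file command keys on these.
    magic=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "1f8b" ]; then
        echo "$f: not in gzip format (first bytes: ${magic:-none})" >&2
        return 2
    fi

    # The header can be intact while the body is truncated or damaged.
    # gzip -t decompresses the whole stream and verifies its checksum.
    if ! gzip -t "$f" 2>/dev/null; then
        echo "$f: gzip header present but the stream is damaged" >&2
        return 3
    fi

    # Confirm that the decompressed stream is a tar archive that can be listed.
    if ! tar -tzf "$f" >/dev/null 2>&1; then
        echo "$f: decompresses but is not a readable tar archive" >&2
        return 4
    fi
    echo "$f: OK"
}

# When a path is given on the command line, check that file, for example:
#   ./check_backup.sh /store/backupHost/inbound/backup.nightly.<BACKUP FILENAME>.tgz
if [ $# -gt 0 ]; then check_backup_archive "$1"; fi
```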

Resolving The Problem

Ensure that the backup file that is being imported is in the correct format and has a file type of ".gzip" or ".tgz" at the end of the file name.
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Import the backup file to /store/backupHost/inbound/.
  3. Run the file command to verify the right format by following the steps in the Diagnosing the Problem section.
  4. Proceed with the backup restoration steps.
    1. Log in to the QRadar Console user-interface as an administrator user.
    2. On the navigation menu, click Admin.
    3. In the System Configuration section, click Backup and Recovery.
    4. Close the Backup and Recovery window.
    5. Wait 1 minute.
    6. Click Backup and Recovery again.
  5. Verify that the backup file shows in the user-interface.

    Result
    The administrator can now use the recently uploaded backup file to restore the configuration. If the backup file in question does not have either type of formatting, a different configuration backup with the correct format needs to be used.

    If the backup import process fails with a different error, contact QRadar Support for assistance.
     

Document Location

Worldwide

Document Information

Modified date:
14 March 2023

UID

ibm16841891