Troubleshooting
Problem
When an administrator attempts to import a corrupted configuration backup, QRadar cannot process it because it detects that the backup is not in "gzip" or "tgz" format. This article helps the administrator troubleshoot the issue and verify the status of the backup.
Symptom
After an import attempt, the following error is found in the /var/log/qradar.log file in the console:
[hostcontext.hostcontext] [BackupServices_sync] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [ERROR]
Cannot process inbound backup archive: backup.nightly.QRADAR01_53.13_09_2022.config.1663126258427.tgz. Move it to 'invalid' directory
QRADAR root:
QRADAR root: gzip: stdin: not in gzip format
QRADAR root: tar: Child returned status 1
QRADAR root: tar: Error is not recoverable: exiting now
QRADAR root: [backup.sh] ERROR: Failed to extract backup
[hostcontext.hostcontext] [Thread-180722] ComponentOutput: [ERROR][-/- -]ErrorStream backup_extract:
QRADAR root: [backup.sh] ERROR: Failed to extract backup
Cause
The configuration backup can fail to be extracted for several reasons, such as the following:
- The configuration backup in question is corrupted.
- The configuration backup is incorrectly formatted, and not in "gzip" or "tgz" format.
Diagnosing The Problem
The status and file type of the configuration backup can be verified with the file command by using the following steps:
- Use SSH to log in to the QRadar Console as the root user.
- Run the file command to verify the right format.
Note: When a backup fails to be imported, the file is moved to /store/store/backupHost/invalid/. In this article, this path is used as an example.
file /store/backupHost/invalid/backup.nightly.<BACKUP FILENAME>.tgz
Result
The following output shows the expected type information when the backup is not corrupted:
/store/store/backupHost/invalid/backup.nightly.QRADAR01_53.13_09_2022.config.1663126258427.tgz: gzip compressed data, from Unix, last modified: Wed Oct 5 16:16:46 2022
When the backup is corrupted or not in gzip format, the file command reports the type only as data:
/store/store/backupHost/invalid/backup.nightly.QRADAR01_53.13_09_2022.config.1663126258427.tgz: data
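The following shell function is an added example, not part of the original article or of QRadar tooling. It goes beyond the file check above by also testing the gzip stream and the tar listing, which catches truncated archives that still begin with a valid gzip header. The function name check_backup and its return codes are assumptions made for this example.

```shell
#!/bin/bash
# Added example: integrity check for a configuration backup archive before
# it is imported. check_backup is a hypothetical helper, not a QRadar command.
# Usage after sourcing this file: check_backup /path/to/backup.tgz

check_backup() {
    local f="$1" magic
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "MISSING: $f is not a readable file"
        return 2
    fi
    # A gzip stream always starts with the two magic bytes 1f 8b.
    magic=$(head -c 2 -- "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "1f8b" ]; then
        echo "NOT_GZIP: $f (first bytes: ${magic:-empty})"
        return 3
    fi
    # gzip -t decompresses the whole stream and checks its CRC-32 trailer,
    # so it detects truncation and corruption that the magic bytes cannot.
    if ! gzip -t -- "$f" 2>/dev/null; then
        echo "CORRUPT_GZIP: $f"
        return 4
    fi
    # Confirm that the decompressed payload is a listable tar archive.
    if ! gzip -dc -- "$f" | tar -tf - >/dev/null 2>&1; then
        echo "NOT_TAR: $f"
        return 5
    fi
    echo "OK: $f"
    return 0
}
```

A return code of 0 means the archive passed all three checks; any other code identifies the first check that failed.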
Resolving The Problem
Ensure that the backup file being imported is in the correct format and has a file type of ".gzip" or ".tgz" at the end of the file name.
- Use SSH to log in to the QRadar Console as the root user.
- Import the backup file to /store/backupHost/inbound/.
- Run the file command to verify the right format by following the steps in the Diagnosing the Problem section.
- Proceed with the backup restoration steps.
- Log in to the QRadar Console user-interface as an administrator user.
- On the navigation menu, click Admin.
- In the System Configuration section, click Backup and Recovery.
- Close the Backup and Recovery window.
- Wait 1 minute.
- Click Backup and Recovery again.
- Verify the backup file shows in the user-interface.
Result
The administrator can now use the recently uploaded backup file to restore the configuration. If the backup file in question does not have either type of formatting, a different configuration backup with the correct format needs to be used.
If the backup import process fails with a different error, contact QRadar Support for assistance.
Document Location
Worldwide
Document Information
Modified date:
14 March 2023
UID
ibm16841891