Restoring a backup archive created on a different QRadar system

Each backup archive includes the IP address information of the system where it was created. When you restore a backup archive from a different IBM® QRadar® system, the IP address of the backup archive and the system that you are restoring are mismatched. You can correct the mismatched IP addresses.

About this task

You can restart the Console only after the restore process is complete. The restore process can take up to several hours; the process time depends on the size of the backup archive that must be restored. When complete, a confirmation message is displayed.

A window provides the status of the restore process, and provides any errors for each host and instructions for resolving the errors.

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Backup and Recovery.
  3. Select the archive that you want to restore, and click Restore.
  4. On the Restore a Backup window, configure the following parameters and then click Restore.
    Table 1. Restore a Backup parameters

    Parameter: Select All Configuration Items
    Description: Indicates that all configuration items are included in the restoration of the backup archive. This checkbox is selected by default.

    Parameter: Restore Configuration
    Description: Lists the configuration items to include in the restoration of the backup archive. All items are selected by default.

    Parameter: Select All Data Items
    Description: Indicates that all data items are included in the restoration of the backup archive. This checkbox is selected by default.

    Parameter: Restore Data
    Description: Lists the configuration items to include in the restoration of the backup archive. All items are cleared by default.

  5. Stop the iptables service on each managed host in your deployment. Iptables is a Linux®-based firewall.
    1. Using SSH, log in to the managed host as the root user.
    2. For App Host, type the following commands:
      systemctl stop docker_iptables_monitor.timer
      systemctl stop iptables
    3. For all other managed hosts, type the following command:
      service iptables stop
    4. Repeat for all managed hosts in your deployment.
  6. Ensure that the power is off on the original QRadar console that the backup was taken from.
  7. On the Restore a Backup window, click Test Hosts Access.
  8. After testing is complete for all managed hosts, verify that the status in the Access Status column indicates a status of OK.
  9. If the Access Status column indicates a status of No Access for a host, stop iptables on that host again, and then click Test Hosts Access again to attempt a connection.
  10. On the Restore a Backup window, configure the parameters.
    Important: By selecting the Installed Applications Configuration checkbox, you restore the installed app configurations only. Extension configurations are not restored. Select the Deployment Configuration checkbox if you want to restore extension configurations.
  11. Click Restore.
  12. Click OK.
  13. Click OK to log in.
  14. Choose one of the following options:
    • If the user interface was closed during the restore process, open a web browser and log in to QRadar.
    • If the interface was not closed, the login window is displayed. Log in to QRadar.
  15. View the results of the restore process and follow the instructions to resolve any errors.
  16. Refresh your web browser window.
  17. From the Admin tab, select Advanced > Deploy Full Configuration.
    QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
  18. To enable iptables for an App Host, type the following command:
    systemctl start docker_iptables_monitor.timer
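
Steps 5 and 18 applied across a deployment, as an added shell example (not IBM code). It assumes an inventory of "host role" lines in which the role name apphost marks an App Host, and it only prints the commands unless APPLY=1 is set. The host names and role names are constructed.

```shell
#!/bin/sh
# Added example, not part of the QRadar documentation.
# Inventory format (assumption): one "host role" pair per line; the role
# "apphost" marks an App Host, any other role is a regular managed host.

# Commands from step 5 for a given role.
stop_cmds() {
  case "$1" in
    apphost) echo "systemctl stop docker_iptables_monitor.timer && systemctl stop iptables" ;;
    *)       echo "service iptables stop" ;;
  esac
}

# Command from step 18; the page gives one for App Hosts only.
start_cmds() {
  case "$1" in
    apphost) echo "systemctl start docker_iptables_monitor.timer" ;;
    *)       : ;;
  esac
}

# plan stop|start < inventory : prints "host command" for each host.
plan() {
  while read -r host role; do
    case "$host" in ''|\#*) continue ;; esac   # skip blanks and comments
    cmd=$("$1_cmds" "$role")
    if [ -n "$cmd" ]; then printf '%s %s\n' "$host" "$cmd"; fi
  done
}

# run stop|start < inventory : dry run unless APPLY=1, then SSH as root.
run() {
  plan "$1" | while read -r host cmd; do
    if [ "${APPLY:-0}" = 1 ]; then
      # -n keeps ssh from consuming the rest of the plan on stdin.
      ssh -n "root@$host" "$cmd" || echo "FAILED on $host: $cmd" >&2
    else
      echo "[dry-run] root@$host: $cmd"
    fi
  done
}

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY='apphost01.example.test apphost
ep01.example.test eventprocessor
# decommissioned host left as a comment
fp01.example.test flowprocessor'

printf '%s\n' "$SAMPLE_INVENTORY" | run stop
```

Run the stop action before clicking Test Hosts Access, and the start action after Deploy Full Configuration; any host reported as FAILED needs the manual steps.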

What to do next

After you verify that your data is restored to your system, you must reapply RPMs for any DSMs, vulnerability assessment (VA) scanners, or log source protocols.

If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA cluster configuration after the restore is complete. If disk replication is enabled, the secondary host immediately synchronizes data after the system is restored. If the secondary host was removed from the deployment after a backup, the secondary host displays a failed status on the System and License Management window.