Each backup archive includes the IP address information of the system where it was
created. When you restore a backup archive from a different IBM®
QRadar® system, the IP address of
the backup archive and the system that you are restoring are mismatched. You can correct the
mismatched IP addresses.
About this task
You can restart the Console only after the restore process is complete. The restore process can
take up to several hours; the process time depends on the size of the backup archive that must be
restored. When complete, a confirmation message is displayed.
A window provides the status of the restore process, and provides any errors for each host and
instructions for resolving the errors.
Procedure
- On the navigation menu, click Admin.
- In the System Configuration section, click Backup and Recovery.
- Select the archive that you want to restore, and click Restore.
- On the Restore a Backup window, configure the following parameters and then click Restore.
Table 1. Restore a Backup parameters

| Parameter | Description |
| --- | --- |
| Select All Configuration Items | Indicates that all configuration items are included in the restoration of the backup archive. This checkbox is selected by default. |
| Restore Configuration | Lists the configuration items to include in the restoration of the backup archive. All items are selected by default. |
| Select All Data Items | Indicates that all data items are included in the restoration of the backup archive. This checkbox is selected by default. |
| Restore Data | Lists the configuration items to include in the restoration of the backup archive. All items are cleared by default. |
- Stop the iptables service on each managed host in your deployment. iptables is a Linux®-based firewall.
  - Using SSH, log in to the managed host as the root user.
  - For App Host, type the following commands:
        systemctl stop docker_iptables_monitor.timer
        systemctl stop iptables
  - For all other managed hosts, type the following command:
        service iptables stop
  - Repeat for all managed hosts in your deployment.
- Ensure that the power is off on the original QRadar console that the backup was taken from.
- On the Restore a Backup window, click Test Hosts Access.
- After testing is complete for all managed hosts, verify that the status in the Access Status column indicates a status of OK.
- If the Access Status column indicates a status of No Access for a host, stop iptables again, and then click Test Hosts Access again to attempt a connection.
- On the Restore a Backup window, configure the parameters.
  Important: By selecting the Installed Applications Configuration checkbox, you restore the installed app configurations only. Extension configurations are not restored. Select the Deployment Configuration checkbox if you want to restore extension configurations.
- Click Restore.
- Click OK.
- Click OK to log in.
- Choose one of the following options:
  - If the user interface was closed during the user restore process, open a web browser and log in to QRadar.
  - If the interface was not closed, the login window is displayed. Log in to QRadar.
- View the results of the restore process and follow the instructions to resolve any errors.
- Refresh your web browser window.
- From the Admin tab, select .
  QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
- To enable the IP tables for an App Host, type the following command:
      systemctl start docker_iptables_monitor.timer
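
The firewall steps of this procedure, scripted for every managed host so that none is missed and the firewall state can be checked once the restore is done. This is an added example, not IBM code; the inventory format, the host names, the role labels `apphost` and `managed`, and the status checks in the `after` phase are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): firewall command plan for the restore procedure.
# Inventory on stdin: "<host> <role>", role = apphost | managed (assumed format).

# Commands per role and phase: "stop" before Test Hosts Access, "after" the restore.
fw_commands() {
  case "$1:$2" in
    apphost:stop)
      echo "systemctl stop docker_iptables_monitor.timer"
      echo "systemctl stop iptables" ;;
    managed:stop) echo "service iptables stop" ;;
    apphost:after)
      echo "systemctl start docker_iptables_monitor.timer"
      # Added check, not a step from the page: is the timer running again?
      echo "systemctl is-active docker_iptables_monitor.timer" ;;
    managed:after)
      # Added check, not a step from the page: report the firewall state.
      echo "service iptables status" ;;
    *) return 1 ;;
  esac
}

# Print the plan for every host (RUN=1 executes it as root); non-zero on unknown role.
plan() {
  phase=$1; rc=0
  while read -r host role; do
    case "$host" in ''|'#'*) continue ;; esac   # skip blank lines and comments
    if ! cmds=$(fw_commands "$role" "$phase"); then
      echo "skip $host: unknown role '$role' or phase '$phase'" >&2
      rc=1; continue
    fi
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
      if [ "${RUN:-0}" = 1 ]; then
        # -n keeps ssh from consuming the rest of the command list on stdin.
        ssh -n "root@$host" "$cmd" || echo "non-zero exit on $host: $cmd" >&2
      else
        echo "ssh -n root@$host '$cmd'"
      fi
    done
  done
  return "$rc"
}

# Constructed sample inventory; replace with the hosts in your deployment.
sample_inventory() {
  printf '%s\n' '# host role' 'apphost.example.test apphost' \
    'ep1.example.test managed' 'ec1.example.test managed'
}

sample_inventory | plan "${1:-stop}"
```

Run it with `stop` before clicking Test Hosts Access and with `after` once the restore has finished; without `RUN=1` it only prints the commands it would send.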
What to do next
After you verify that your data is restored to your system, you must reapply RPMs for any DSMs, vulnerability assessment (VA) scanners, or log source protocols.

If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA cluster configuration after the restore is complete.

If disk replication is enabled, the secondary host immediately synchronizes data after the system is restored. If the secondary host was removed from the deployment after a backup, the secondary host displays a failed status on the System and License Management window.