Restoring data
You can restore the data on your IBM® QRadar® Console and managed hosts from backup files. The data portion of the backup files includes information such as source and destination IP address information, asset data, event category information, vulnerability data, flow data, and event data.
Each managed host in your deployment, including the QRadar Console, creates all backup files in the /store/backup/ directory. Your system might include a /store/backup mount from an external SAN or NAS service. External services provide long-term, offline retention of data, which is commonly required for compliance regulations, such as PCI.
Before you begin
Ensure that the following conditions are met:
- You know the location of the managed host where the data is backed up.
- If your deployment includes a separate mount point for that volume, the /store or /store/ariel directory has sufficient space for the data that you want to recover.
- You know the date and time for the data that you want to recover.
- If your configuration has been changed, before you restore the data backup, you must restore the configuration backup.
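One way to script the free-space condition above before starting a restore, as an added example that is not IBM tooling. The function names, return codes, and the default expansion factor of 3 are assumptions; pass the actual backup file and the directory that receives the data (/store or /store/ariel).

```shell
#!/bin/sh
# Added example: pre-restore space check for a data backup.
# The expansion factor is an assumed safety margin, not a QRadar-documented value.

# free_kb DIR -> free KiB on the filesystem that holds DIR
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# size_kb FILE -> size of FILE in KiB, rounded up
size_kb() {
    bytes=$(wc -c < "$1")
    echo $(( (bytes + 1023) / 1024 ))
}

# restore_preflight BACKUP_FILE TARGET_DIR [FACTOR]
# Returns: 0 ok, 1 backup file unreadable, 2 target directory missing,
#          3 not enough free space for BACKUP_FILE size * FACTOR
restore_preflight() {
    backup=$1
    target=$2
    factor=${3:-3}

    [ -r "$backup" ] || { echo "backup file not readable: $backup" >&2; return 1; }
    [ -d "$target" ] || { echo "target directory missing: $target" >&2; return 2; }

    need=$(( $(size_kb "$backup") * factor ))
    have=$(free_kb "$target")

    if [ "$have" -lt "$need" ]; then
        echo "insufficient space in $target: need ${need} KiB, have ${have} KiB" >&2
        return 3
    fi
    echo "ok: need ${need} KiB, have ${have} KiB free in $target"
}

# Run as a script: sh preflight.sh <backup-file> <target-dir> [factor]
if [ "$#" -ge 2 ]; then
    restore_preflight "$@"
fi
```
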
Procedure
Results
Daily backup of data captures all data on each host. If you want to restore data on a managed host that contains only event or flow data, only that data is restored to that host. If you want to maintain the restored data, increase your data retention settings to prevent the nightly disk maintenance routines from deleting your restored data.