IBM QRadar

QRadar Console-Only Apps Restore Solution Through Data Synchronization App 
 

Written by Jaimin Rupani and Dishaben Chauhan. 
 

What is the QRadar Console-Only Apps restore solution Through Data Synchronization App? 

In the event of a disaster such as data loss, corruption, system failure, or a ransomware attack, having a strong backup and restore strategy is essential to enable rapid data recovery and maintain business continuity.  
 
Apps restore is the process of recovering the QRadar Apps, its configuration, and data from backups or replicas so it can resume normal operations. 

In QRadar, restoring apps is slightly different from restoring core system data because apps run in containers and store their data separately on the Console or App Host (depending on your setup). 
 

Each app’s data is stored in: 
/store/docker/volumes/ 
 
Each app has its own unique subdirectory (based on its UUID). 
/store/docker/volumes/qapp-00001-QRadarAssistant/ 
/store/docker/volumes/qapp-00002-PulseDashboard/ 
 

QRadar App Restore - Evolution Overview 

Earlier, QRadar administrators had to restore apps manually — meaning: 

That process was time-consuming and error-prone, especially after a disaster recovery or migration. 

Now, App Restore Supported via Console (Data Syncronization App Integration) 

Starting with modern QRadar versions (7.5.0 Update Package 13 and later), IBM introduced an enhanced app restore feature with Data Syncronization App v3.2.2 that is automated and managed directly through the QRadar Console. 

 
Note: In the console-only setup, apps restoration is supported when the apps are hosted on the console for appliance type setup (QRadar 7.5.0 Update Package 13 onwards and software type setup (QRadar 7.5.0 Update Package 14 onwards). The apps restoration is not currently supported for apps hosted on an App Host and is expected in future scope releases. 

Easy UI set up wizard 
 
The app includes an intuitive setup wizard that walks users step-by-step through the configuration of both the Main and Destination sites. 
 
The main site configuration includes an App Restoration option, which becomes available only after the Console-only configuration is enabled. 
 

When the App Restoration feature is enabled, QRadar continuously takes scheduled backups of all app volumes and synchronizes them to the DR site. In the event of a failover or DR activation, the DSApp (Data Synchronization App) automatically restores these applications on the DR console from the most recent synchronized backup, enabling a seamless transition and quick service recovery. 

Once activating DR site, DR site restoration gets started. After successful config restoration, apps are getting restored on DR site. 

All the apps available on DC site are restored on DR site as per above diagram. 

App volume backup generate procedure 

The app-volume-backup.py script runs automatically every night at 2:30 AM local time to back up all installed applications. 
The generated backup archives are stored in the following directory: 
 
If needed, a user can also manually generate the latest app volume backup using the steps below: 

This command creates a new backup archive in the /store/apps/backup/ folder, containing the most recent application data and configurations. 
 
There is auto transfer mechanism for backup transfer however you can manually transfer the app volume backup from the main site console to the destination site console by running the following command on the main site console. 
             systemctl start app_sync 
 
When a restoration process is initiated, the system automatically identifies and uses the most recent app volume backup available on the disaster site to restore all applications, ensuring minimal data loss and up-to-date recovery. 
 

Once the restoration process is in progress, the system automatically notifies the user with a detailed status message, providing clear information about the restoration progress and completion, as shown in the screen below.