Hi 
Can i do a backup of the logs of a log source?
Thanks for the help

------------------------------
Johan López
------------------------------

Hi Johan,
   Sure you can - look in the backup & restore widget in the admin tab, the data option is used for backing up the event data sent into QRadar.

Cheers
Brian​

------------------------------
Brian Robertson
------------------------------

Original Message:
Sent: Fri August 23, 2019 02:10 PM
From: Johan López
Subject: Logs BackUp

Hi 
Can i do a backup of the logs of a log source?
Thanks for the help

------------------------------
Johan López
------------------------------

Hi Brian,

what you've suggested will only work for the console configurations, and not the log data. The log backups, as well as the flow backups, are scheduled to run once a day at midnight if they are well configured. The backup consists of the previous day (24h) of log collection.

The backup files are found in /store/backup.
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_qradar_adm_man_back_recovery.html
If you don't see any Data backups, this means that the configurations are incorrect. Go to "Admin > Backup & Restore > Configure", and select the option "Configuration and Data backups".

Reminder:
A manual backup, will only work for the console configurations.
Data backups are only scheduled and can't be forced from the GUI.

Workaround:
There's always a way to obtain what you want in IT. You could go into your /store, find the day of the data you want to backup, zip it, then move the zip in a safe place. Although, you won't be able to backup the logs of a single logs source, if that was your question Johan. It's all or nothing.

Last Resort (not really a legit backup):
Create a search with your log source, then save the result as a file, and voilà! I haven't tried reloading logs exported that way.

Anyhow,
you should go through the Backup and Restore link above for more details.

Regards,

edit: For other types of configuration backups, you can use the script:
/opt/qradar/bin/contentManagement.pl
Go in the help menu for more details of what you can export-import in the configurations..

------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC
------------------------------

Original Message:
Sent: Fri August 23, 2019 02:10 PM
From: Johan López
Subject: Logs BackUp

Hi
Can i do a backup of the logs of a log source?
Thanks for the help

------------------------------
Johan López
------------------------------

​

Hi There,

to complement Anthonys idea:

If the workaround is about files in /store/ariel then you should have the ability to separate logs from a specific log source. As far that i know, if you set up an retention bucket (Admin -> Data Sources -> Events -> Event Retention), files which belog to that bucket have the bucket-Number (from ~1 – ~10) at the end oft he file-name.

One thing that i doesn't know is whether and how it is possible to use this files later on when it's needed.  

------------------------------
not theadmin
------------------------------

Original Message:
Sent: Sun September 22, 2019 11:52 PM
From: Anthony Gayadeen
Subject: Logs BackUp

Hi Brian,

what you've suggested will only work for the console configurations, and not the log data. The log backups, as well as the flow backups, are scheduled to run once a day at midnight if they are well configured. The backup consists of the previous day (24h) of log collection.

The backup files are found in /store/backup.
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_qradar_adm_man_back_recovery.html
If you don't see any Data backups, this means that the configurations are incorrect. Go to "Admin > Backup & Restore > Configure", and select the option "Configuration and Data backups".

Reminder:
A manual backup, will only work for the console configurations.
Data backups are only scheduled and can't be forced from the GUI.

Workaround:
There's always a way to obtain what you want in IT. You could go into your /store, find the day of the data you want to backup, zip it, then move the zip in a safe place. Although, you won't be able to backup the logs of a single logs source, if that was your question Johan. It's all or nothing.

Last Resort (not really a legit backup):
Create a search with your log source, then save the result as a file, and voilà! I haven't tried reloading logs exported that way.

Anyhow,
you should go through the Backup and Restore link above for more details.

Regards,

edit: For other types of configuration backups, you can use the script:
/opt/qradar/bin/contentManagement.pl
Go in the help menu for more details of what you can export-import in the configurations..

------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC

Original Message:
Sent: Fri August 23, 2019 02:10 PM
From: Johan López
Subject: Logs BackUp

Hi
Can i do a backup of the logs of a log source?
Thanks for the help

------------------------------
Johan López
------------------------------