IBM QRadar


 Help with event data recovery

Taofeek Isiaka-Aliagan posted Thu May 29, 2025 05:09 AM

There was an incident where 5 months of event data was purged during an appliance migration project due to the default retention period on the new appliance. Is it possible to use the logrun.pl utility to feed the historical raw logs back into the QRadar platform in our data recovery efforts, the most important part being that we want QRadar to work with the original timestamp in the logs and not the present time? This will ensure historical correlation for our client. Also, is there any other way to achieve this?

I would appreciate any help

Karl Jaeger IBM Champion

Hi. Most of the answers possible you have given yourself already. Logrun.pl will not allow you to change the log events' timestamps. What you can do is use historic hostnames when processing your historic event files, which will cause the events to show up mapped to special historic devices, e.g. palo-alto-events-jan25. To make sure no new offenses get generated by QRadar, you can use a falsepos rule in order to prevent that from happening.
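One way to prepare the historic files along the lines Karl describes, as an added example that is not part of the original thread and not an IBM tool: a small Python pre-processor that rewrites the syslog hostname of each raw event to a month-specific historic name (for example pa-fw01-events-jan25; device names and log lines below are constructed) while leaving the original timestamp untouched, so the replayed events land on separate historic log sources instead of the live one. It assumes RFC 3164-style headers, which carry no year, so the year is supplied by the caller; the rewritten file is then replayed as usual, and the rule to suppress offenses from the historic devices is still needed.

```python
import re
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# RFC 3164-style header: optional <PRI>, "Mon dd HH:MM:SS", then the hostname.
SYSLOG_HEADER = re.compile(
    r"^(?P<pri><\d{1,3}>)?(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

# Constructed sample events for this demo; not taken from the original thread.
SAMPLE_EVENTS = [
    "<14>Jan 12 08:15:02 pa-fw01 1,2025/01/12 08:15:02,001801012345,TRAFFIC,end,...",
    "<14>Feb  3 23:59:59 pa-fw01 1,2025/02/03 23:59:59,001801012345,THREAT,url,...",
    "<13>Mar 20 11:04:37 pa-fw02 1,2025/03/20 11:04:37,001801012346,TRAFFIC,start,...",
    "garbage line without a syslog header",
]


def historic_hostname(line: str, year: int) -> Optional[str]:
    """Rewrite the syslog hostname to a month-specific historic name.

    'pa-fw01' in a January event becomes 'pa-fw01-events-jan25', so the
    replayed events are auto-discovered as a separate historic log source
    per device and month. The original timestamp is left exactly as it was.
    Lines without a parseable syslog header return None so the caller can
    skip and count them instead of silently replaying them unchanged.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    # RFC 3164 timestamps carry no year, so the caller supplies it (assumption).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    suffix = ts.strftime("%b%y").lower()  # e.g. 'jan25'
    pri = m.group("pri") or ""
    return f"{pri}{m.group('ts')} {m.group('host')}-events-{suffix} {m.group('rest')}"


def rewrite_events(lines: Iterable[str], year: int) -> Tuple[List[str], int]:
    """Return (rewritten_lines, skipped_count) for a batch of raw events."""
    out: List[str] = []
    skipped = 0
    for line in lines:
        new = historic_hostname(line.rstrip("\n"), year)
        if new is None:
            skipped += 1
        else:
            out.append(new)
    return out, skipped


if __name__ == "__main__":
    rewritten, skipped = rewrite_events(SAMPLE_EVENTS, 2025)
    print("\n".join(rewritten))
    print(f"skipped {skipped} line(s) without a syslog header")
```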