Hi Brian,
What you've suggested will only work for the console configurations, and not the log data. The log backups, as well as the flow backups, are scheduled to run once a day at midnight if they are well configured. The backup consists of the previous day (24h) of log collection.
The backup files are found in /store/backup.
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_qradar_adm_man_back_recovery.html
If you don't see any Data backups, this means that the configurations are incorrect. Go to "Admin > Backup & Restore > Configure", and select the option "Configuration and Data backups".
Reminder:
A manual backup will only work for the console configurations.
Data backups are only scheduled and can't be forced from the GUI.
Workaround:
There's always a way to obtain what you want in IT. You could go into your /store, find the day of the data you want to back up, zip it, then move the zip to a safe place. Although, you won't be able to back up the logs of a single log source, if that was your question, Johan. It's all or nothing.
Last Resort (not really a legit backup):
Create a search with your log source, then save the result as a file, and voilà! I haven't tried reloading logs exported that way.
Anyhow, you should go through the Backup and Restore link above for more details.
Regards,
edit: For other types of configuration backups, you can use the script:
/opt/qradar/bin/contentManagement.pl
Go in the help menu for more details of what you can export-import in the configurations.
------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC
------------------------------
Original Message:
Sent: Fri August 23, 2019 02:10 PM
From: Johan López
Subject: Logs BackUp
Hi
Can I do a backup of the logs of a log source?
Thanks for the help
------------------------------
Johan López
------------------------------