IBM Security QRadar

  • 1.  Logs BackUp

    Posted Fri August 23, 2019 02:11 PM
    Hi,
    Can I do a backup of the logs of a log source?
    Thanks for the help.

    ------------------------------
    Johan López
    ------------------------------


  • 2.  RE: Logs BackUp

    Posted Mon August 26, 2019 01:06 AM
    Hi Johan,
       Sure you can. Look in the Backup & Restore widget in the Admin tab; the data option is used for backing up the event data sent into QRadar.

    Cheers
    Brian

    ------------------------------
    Brian Robertson
    ------------------------------



  • 3.  RE: Logs BackUp

    Posted Sun September 22, 2019 11:52 PM
    Edited by Anthony Gayadeen Sun September 22, 2019 11:55 PM
    Hi Brian,

    What you've suggested will only work for the console configurations, and not the log data. The log backups, as well as the flow backups, are scheduled to run once a day at midnight if they are configured correctly. The backup consists of the previous day (24h) of log collection.

    The backup files are found in /store/backup.
    https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_qradar_adm_man_back_recovery.html
    If you don't see any Data backups, this means that the configurations are incorrect. Go to "Admin > Backup & Restore > Configure", and select the option "Configuration and Data backups".

    Reminder:
    A manual backup will only work for the console configurations.
    Data backups are only scheduled and can't be forced from the GUI.

    Workaround:
    There's always a way to obtain what you want in IT. You could go into your /store, find the day of the data you want to back up, zip it, then move the zip to a safe place. However, you won't be able to back up the logs of a single log source, if that was your question Johan. It's all or nothing.

    Last Resort (not really a legit backup):
    Create a search with your log source, then save the result as a file, and voilà! I haven't tried reloading logs exported that way.

    Anyhow, you should go through the Backup and Restore link above for more details.

    Regards,

    edit: For other types of configuration backups, you can use the script:
    /opt/qradar/bin/contentManagement.pl
    Go into the help menu for more details of what you can export/import in the configurations.

    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------



  • 4.  RE: Logs BackUp

    Posted Mon September 23, 2019 07:30 AM

    Hi there,

    To complement Anthony's idea:

    If the workaround is about files in /store/ariel, then you should have the ability to separate logs from a specific log source. As far as I know, if you set up a retention bucket (Admin -> Data Sources -> Events -> Event Retention), files which belong to that bucket have the bucket number (from ~1 to ~10) at the end of the file name.

    One thing that I don't know is whether and how it is possible to use these files later on when needed.



    ------------------------------
    not theadmin
    ------------------------------
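The manual "find the day under /store, zip it, move it somewhere safe" workaround from post 3, combined with post 4's idea of selecting one retention bucket by its file-name suffix, as an added shell example. This is not code from the thread or from IBM; it assumes (neither is stated on the page) that the day you want to keep lives in one directory under /store/ariel, and that the bucket number is a suffix of the file name so a glob such as '*-3' selects one bucket. It adds what the posts leave out: a checksum sidecar so the copy can be verified before it is ever relied on, and a clean failure when the filter matches nothing.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): archive one day's worth of
# Ariel files into a separate location with an integrity checksum, optionally
# keeping only the files of one retention bucket.
#
# Assumptions (not stated on the page): SRC_DIR is the directory holding the
# day you want to keep under /store/ariel, and the retention-bucket number is
# a suffix of the file name, so a shell glob such as '*-3' selects one bucket.
#
# Usage on the console (placeholder path, assumed layout):
#   archive_day /store/ariel/<DAY_DIR> /mnt/offbox-backup '*-3'
#   verify_archive /mnt/offbox-backup/<DAY_DIR>.tar.gz

if command -v sha256sum >/dev/null 2>&1; then
    SUM="sha256sum"
else
    SUM="shasum -a 256"   # macOS / BSD fallback
fi

# archive_day SRC_DIR DEST_DIR [NAME_GLOB]
# Writes DEST_DIR/<basename of SRC_DIR>.tar.gz plus a .sha256 sidecar and
# prints the archive path. With NAME_GLOB, only regular files whose name
# matches the glob are included (the assumed bucket suffix); fails cleanly
# if nothing matches instead of producing an empty archive.
archive_day() {
    src=$1; dest=$2; glob=$3
    [ -d "$src" ] || { echo "archive_day: no such directory: $src" >&2; return 1; }
    # Refuse a destination inside the source, or the tarball would archive itself.
    case "$dest" in
        "$src"|"$src"/*) echo "archive_day: DEST_DIR must not be inside SRC_DIR" >&2; return 1;;
    esac
    mkdir -p "$dest" || return 1
    name=$(basename "$src")
    out="$dest/$name.tar.gz"
    list="$dest/$name.list"
    if [ -n "$glob" ]; then
        ( cd "$src" && find . -type f -name "$glob" ) > "$list"
    else
        ( cd "$src" && find . -type f ) > "$list"
    fi
    if [ ! -s "$list" ]; then
        echo "archive_day: no files selected in $src (glob: ${glob:-none})" >&2
        rm -f "$list"
        return 1
    fi
    # Archive relative to SRC_DIR so the day directory can be restored in place.
    ( cd "$src" && tar -czf "$out" -T "$list" ) || return 1
    ( cd "$dest" && $SUM "$name.tar.gz" > "$name.tar.gz.sha256" ) || return 1
    rm -f "$list"
    printf '%s\n' "$out"
}

# verify_archive ARCHIVE: checks the sidecar checksum and that the tarball reads.
verify_archive() {
    archive=$1
    dir=$(dirname "$archive"); file=$(basename "$archive")
    ( cd "$dir" && $SUM -c "$file.sha256" >/dev/null 2>&1 ) || return 1
    tar -tzf "$archive" >/dev/null 2>&1
}

# archive_entries ARCHIVE: number of regular-file entries in the tarball.
archive_entries() {
    tar -tzf "$1" | grep -vc '/$'
}
```

Run verify_archive on the copy after it has been moved off the box, not only right after writing it; the checksum sidecar is what tells you the tarball survived the transfer intact. Whether QRadar can read such files back is exactly the open question in post 4, so treat this as an evidence archive, not a restorable backup.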