Configuration, Events and Content Backup in IBM QRadar
While working with a SIEM, you will eventually face a situation where the tool has to be updated to the latest version, moved to a different data center, or migrated to a more powerful installation. An integral part of this is creating backups and then transferring the data, configuration or customized content to the new installation.
There are several ways to cope with this task.
Option 1: Configuration Backup
You can perform this from IBM QRadar web console.
1. Go to Admin – Backup and Recovery tab
2. Then go to Configure
3. Set the path to the repository and select Configuration Backup Only
4. Then click Save and Deploy Changes buttons
5. After these actions, the backup will be created automatically at 00:00.
Alternative option:
1. Go to Admin – Backup and Recovery – On Demand Backup
2. Fill in Name and Description (optional) fields and then click Run Backup
3. Click OK
Option 2: Configuration and Data Backup
You can perform this from IBM QRadar web console.
1. Go to Admin – Backup and Recovery tab
2. Go to Configure
3. Next, set the path to the repository and select Configuration and Data Backup. Select the data you need to save (“Event Data” and / or “Flow Data”). If there is a large amount of data, the process can be interrupted because the time limit is exceeded, so adjust Data Backup – Backup Time Limit (min) and specify the priority of the procedure.
4. After these actions, the backup will be created automatically at 00:00.
Option 3: Analytical Content Backup
The following option creates a backup of the analytical content, allowing you to save specific content (rules, searches, dashboards, events, parsers, etc.). To do this, you need to connect to the IBM QRadar server over SSH.
1. Using an SSH client such as PuTTY, connect to QRadar as the root user
2. Then execute the command /opt/qradar/bin/contentManagement.pl -a export -c all, which exports all “custom content” as a *.zip archive
3. If you need to add data from Reference Sets to the archive, use the following command: /opt/qradar/bin/contentManagement.pl -a export -c all -e
4. If you need to add trend data from dashboards and searches to the archive, use the following command: /opt/qradar/bin/contentManagement.pl -a export -c all -g
5. If you need to export specific content elements, first find their IDs. To do this, execute the following command: /opt/qradar/bin/contentManagement.pl --action search --content-type “element type to search” --regex “.*element name contains.*” (Example: /opt/qradar/bin/contentManagement.pl --action search --content-type dashboard --regex “.*APT.*”)
Types of elements that you can search and export:
• all
• package
• dashboard
• report
• search
• fgroup
• fgrouptype
• customrule
• customproperty
• sensordevice
• sensordevicetype
• sensordevicecategory
• deviceextension
• qidmap
• referencedata
• offensetype
• historicalsearch
• custom_function
• custom_action
• installed_application
After the element IDs are found, manually create a file with the *.content extension
Then fill in this file following the example below, one element type per line followed by its IDs:
Dashboard, Dashboard_ID1,Dashboard_ID2
Customrule, rule_ID1,rule_ID2
Once the file is created, transfer it to IBM QRadar and execute the command:
/opt/qradar/bin/contentManagement.pl -a export -c package -f “path to *.content file”
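As an added example (not from the article or from IBM's tooling), the following bash helper writes the *.content manifest from the IDs found in step 5, checks every line against the exportable types listed above before anything is run, and then invokes the same package export command. It assumes element IDs are integers and that type names are matched case-insensitively.

```shell
#!/bin/bash
# Added example, not part of the article or IBM's tooling. Builds the *.content
# manifest used by "contentManagement.pl -a export -c package -f <file>" and
# checks it before the export runs, so a typo in a type name or an ID is caught
# locally instead of failing inside the export.
# Assumptions: element IDs are integers; type names match case-insensitively.

CM_TOOL="/opt/qradar/bin/contentManagement.pl"
# Exportable content types as listed in the article.
VALID_TYPES="all package dashboard report search fgroup fgrouptype customrule
customproperty sensordevice sensordevicetype sensordevicecategory deviceextension
qidmap referencedata offensetype historicalsearch custom_function custom_action
installed_application"

# write_content_file OUT TYPE ID... : append one line such as "Dashboard, 101,102"
write_content_file() {
  out="$1"; type="$2"; shift 2
  ids=""
  for id in "$@"; do ids="${ids:+$ids,}$id"; done
  printf '%s, %s\n' "$type" "$ids" >> "$out"
}

# validate_content_file FILE : returns 0 if every non-empty line is
# "<known type>, <int>[,<int>...]", otherwise 1 (each problem is reported on stderr)
validate_content_file() {
  file="$1"; rc=0
  types=" $(printf '%s' "$VALID_TYPES" | tr '\n' ' ') "
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    type=$(printf '%s' "$line" | cut -d, -f1 | tr -d ' ' | tr 'A-Z' 'a-z')
    ids=$(printf '%s' "$line" | cut -d, -f2- | tr -d ' ')
    case "$types" in
      *" $type "*) ;;
      *) echo "unknown content type '$type' in: $line" >&2; rc=1; continue ;;
    esac
    if ! printf '%s' "$ids" | grep -Eq '^[0-9]+(,[0-9]+)*$'; then
      echo "ID list must be comma-separated integers in: $line" >&2; rc=1
    fi
  done < "$file"
  return $rc
}

# export_package FILE : validate the manifest, then run the export from the article
export_package() {
  validate_content_file "$1" || return 1
  "$CM_TOOL" -a export -c package -f "$1"
}
```

Typical use on the QRadar host: `write_content_file my.content Dashboard 101 102`, `write_content_file my.content Customrule 7`, then `export_package my.content`.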
Creating content, configuration and event backups in IBM QRadar is not a challenging task for an experienced SIEM administrator. Using the information in this article, you can save all the necessary data and configurations without spending significant time.