
1. Backup - Retention Settings

To provide minimum capabilities for recovery, QRadar keeps 2 days of configuration backups by default.
While this is a minimal starting point, it is good practice to increase this to 1 or 2 weeks, depending
on the frequency of your changes. You may also want to perform on-demand configuration backups after
major changes, giving the one-time backup a descriptive name. Note that only "scheduled" backups are
deleted by your Backup retention setting; on-demand backups are kept indefinitely. Ensure you have
sufficient capacity for backups, because once the volume reaches 75%, QRadar scheduled backups will not
run, to avoid filling up a disk partition.

2. Backup - Backup Location
Another best practice for backup in QRadar is to have your backups either "created" on another system,
or copied off to another system after they've been completed. One method for doing this is to schedule
a cron process that copies the files off to another host once the backups have been completed. Many
users have scheduled scripts to copy the backup files off to another Unix host using SSH keys.
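
One way to script the cron copy described above, as an added example that is not from the original page or from IBM: it copies only files that have stopped changing, and logs a warning when the backup volume reaches the 75% point at which scheduled backups stop. The destination host, key path, log tag and 60-minute settle window are assumptions.

```shell
#!/bin/sh
# Added example: off-host copy of QRadar backup files, meant to be run from cron.
# Assumed (not from the page): destination, key path, log tag, settle window.
BACKUP_DIR="${BACKUP_DIR:-/store/backup}"
DEST="${DEST:-backupuser@backuphost.example:/srv/qradar-backups/}"  # placeholder
SSH_KEY="${SSH_KEY:-/root/.ssh/id_backup}"                           # placeholder
LIMIT_PCT="${LIMIT_PCT:-75}"     # scheduled backups stop once the volume reaches this
SETTLE_MIN="${SETTLE_MIN:-60}"   # skip files modified more recently than this

# Percentage used on the filesystem holding $1 (POSIX df output, column 5).
usage_pct() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# Succeeds when usage $1 has reached limit $2.
at_limit() {
    [ "$1" -ge "$2" ]
}

# Files directly under $1 that have not changed in the last $2 minutes,
# so a backup that is still being written is left for the next run.
completed_backups() {
    find "$1" -maxdepth 1 -type f -mmin "+$2" | sort
}

main() {
    pct=$(usage_pct "$BACKUP_DIR")
    if at_limit "$pct" "$LIMIT_PCT"; then
        logger -t qradar-offsite \
            "WARNING: $BACKUP_DIR at ${pct}% (limit ${LIMIT_PCT}%), scheduled backups will not run"
    fi
    completed_backups "$BACKUP_DIR" "$SETTLE_MIN" | while IFS= read -r f; do
        # BatchMode makes scp fail instead of prompting when the key is rejected.
        scp -p -i "$SSH_KEY" -o BatchMode=yes "$f" "$DEST" ||
            logger -t qradar-offsite "ERROR: copy failed for $f"
    done
}

# Cron calls the script with --run; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then main; fi
```

Schedule it from cron with the `--run` argument at a time after the nightly backup normally finishes, and use an SSH key dedicated to this job, since configuration backups can contain sensitive settings.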

Another method is to have an NFS mount from an alternate Unix host mounted under /store/backup,
thus having backup files automatically created on a system not related to, or impacted by, QRadar.

Discussions & documentation on backup & recovery:


• https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014968094

3. Backups - QRadar Data Backups
QRadar also supports the backup of collected data. During daily data backups, the process
reviews the data for the previous day and creates an archive file, which is written into the
/store/backup/ directory.

Please note that if your system has been running for a period of time, it has been collecting and storing
data for the entire time period that your retention setting is set to. The backup procedure only backs up
the data of the PREVIOUS day, after it has been enabled; it does not retroactively create a backup of all
existing data. For this reason, it is recommended that you enable backups sooner rather than later, if
they are required. If you require a one-time, full backup of QRadar data, you need to do this manually.
All event and flow data is stored in the /store/ariel/ directory, and this is the directory structure that you
need to back up to save event and flow data.

Also, if your QRadar deployment has other systems with storage, such as a 1601 Event Processor, 1701
Flow Processor, or 1801 Combined Processor, these systems each perform their own local data backups
if enabled, and will have the same requirements for space and backup locations.

https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014968119&ps=25

https://www.ibm.com/developerworks/community/forums/html/topic?id=9bbaea65-144f-43b5-b20a-424ea1270dff&ps=25
