Backup and Restore
ThreatQ Backup
Before performing a backup of a ThreatQ instance, note the following:
- The backup process stops and starts all ThreatQ services automatically in order to prevent modifications to the file system and database. Requests made during this time are queued and resumed once the backup process completes.
- The time it takes to back up ThreatQ depends primarily on the size of the database. For this reason, we recommend performing a backup when system availability is not critical, such as during a scheduled maintenance window.
- The resulting backup file can be large. We recommend that you write it to a mounted drive or file location rather than the local file system. For instructions on how to mount a network-available drive, contact ThreatQ Support. If the backup file must be stored locally, you should move it off the local file system at the earliest opportunity.
- By default, the system creates a backup of the threat intelligence data index required for improved search performance and includes it in the backup file. This operation may take hours. You can omit this portion of the backup by running the backup command with the --exclude-solr option. However, this means that your threat intelligence data must be re-indexed during or after the restore process.
- ThreatQuotient recommends you delete any disabled custom objects before running the backup process. If the backup process encounters a disabled custom object, the process stops and you are prompted to delete the object or contact ThreatQuotient Support for assistance.
Backup Options
ThreatQ supports the following backup options:
- A standard backup that includes the threat intelligence data index.
- A backup that excludes the threat intelligence data index.
- An online backup that excludes the threat intelligence data index.
An online backup backs up your database without performing a Solr backup. This allows users to work in the ThreatQ instance as the backup runs.
The online backup process takes longer to complete and generates a larger backup file.
When you restore from an online backup, the following message prompts you to decide when to perform a Solr re-index:
Do you want to re-index Solr now? If not, you may do this manually later. [y/n]
Since an online backup allows users to remain working in the system, you may encounter the following issues when restoring from an online backup file:
- If a CDF was running during the backup, the feed run is listed as Completed with errors/Run failed to complete.
- If a bulk job was running, the job remains stuck in progress in the Job Management page.
Password Retrieval
The backup and restore processes may require the MariaDB and/or the root MySQL password. You can use the get secrets command listed below to retrieve all Kubernetes secrets, including your MariaDB and root MySQL passwords, in a human-readable format.
- SSH to your ThreatQ installation.
- Run the following command:
kubectl get secrets --namespace threatq --output go-template='{{range $i,$d := .items}}{{print $d.metadata.name "\n"}}{{range $k,$v := $d.data}}{{printf " %s: " $k}}{{if not $v}}{{$v}} {{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}{{"\n"}}{{end}}'
ThreatQ Backup Process
- SSH to the ThreatQ command line and elevate your user privilege to root or sudo.
- Change the directory to /var/www/api.
- Choose one of the following options:
  - To create a backup that includes the threat intelligence data index, run the following command:
    sudo php artisan threatq:backup
  - To create a backup that excludes the threat intelligence data index, run the following command:
    sudo php artisan threatq:backup --exclude-solr
  - To create an online backup that excludes a backup of the threat intelligence data index, run the following command:
    sudo php artisan threatq:backup --online
- When prompted, provide the root MySQL password you configured during first boot.
  You will only be prompted for a password and file path with the first initial backup. You will not be prompted for either of these items for any subsequent backups. Contact ThreatQ Support if you need to update either of these items.
- Provide the path to the file location where you want to create the backup.
The script generates a backup file in the specified file location. The name of the file will be threatq_backup_x.x.x_yyyy-mm-dd.tgz, where x.x.x is the ThreatQ version and yyyy-mm-dd is the date when the backup was performed.
On a Kubernetes-based ThreatQ installation, use the following procedure instead:
- SSH to the ThreatQ command line.
- Choose one of the following options:
  - To create a backup that includes the threat intelligence data index, run the following command:
    kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:backup
  - To create a backup that excludes the threat intelligence data index, run the following command:
    kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:backup --exclude-solr
- When prompted, provide the root MySQL password. See the Password Retrieval section for the steps to retrieve this password.
  You will only be prompted for a password and file path with the first initial backup. You will not be prompted for either of these items for any subsequent backups. Contact ThreatQ Support if you need to update either of these items.
- Provide the path to the file location where you want to create the backup.
  The backup file must be stored in the following location: /var/lib/threatq/misc
The script generates a backup file in the specified file location. The name of the file will be threatq_backup_x.x.x_yyyy-mm-dd.tgz, where x.x.x is the ThreatQ version and yyyy-mm-dd is the date when the backup was performed.
ThreatQ Restore
To restore from a ThreatQ backup, note the following:
- The target machine must be an existing ThreatQ instance running the same ThreatQ version as the instance captured in the backup.
- The restore process completely overwrites the current installation.
- The backup file needs to be accessible by the target ThreatQ instance, either locally or on a mounted drive.
- The backup file will be unzipped in the same directory where it resides. Ensure that the available disk has sufficient space to hold both the backup archive and the extracted directory. The extracted directory can be removed after the restore is complete.
- Depending on the size of the instance being restored, the process can take a while.
- You cannot restore an online backup in a ThreatQ 6x instance. ThreatQ returns the following error message if you attempt to restore a ThreatQ 5x online backup in a ThreatQ 6x instance: Online backups are not supported in this version. Try again using an offline backup.
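Two of the points above call for a check rather than just a note: the backup command names its output threatq_backup_x.x.x_yyyy-mm-dd.tgz and you are told to move that file off the local disk, and the restore extracts the archive next to itself, so the filesystem must hold the archive plus its contents. The following POSIX shell script is an added example, not ThreatQuotient's code and not part of the ThreatQ tooling. It assumes tar, gzip, sha256sum and df are available on the host; the function names and the .sha256 sidecar file it writes are conventions of this example only.

```shell
#!/bin/sh
# Added example (not ThreatQuotient's code): seal a ThreatQ backup archive after
# the backup step, and run pre-flight checks before a restore. Assumes POSIX sh
# plus tar, gzip, sha256sum and df. Function names and the ".sha256" sidecar are
# this example's own conventions, not part of the ThreatQ tooling.
set -e

# Return 0 when the file name matches threatq_backup_x.x.x_yyyy-mm-dd.tgz, the
# name the backup command produces; anything else is not a file to act on.
tq_backup_name_ok() {
    printf '%s\n' "$(basename "$1")" |
        grep -Eq '^threatq_backup_[0-9]+\.[0-9]+\.[0-9]+_[0-9]{4}-[0-9]{2}-[0-9]{2}\.tgz$'
}

# Confirm the archive is a complete gzip tarball, then write <archive>.sha256
# beside it so the copy can be verified after it is moved off the local disk.
# Prints the sidecar path.
tq_backup_seal() {
    archive=$1
    tar -tzf "$archive" >/dev/null   # exits non-zero on a truncated or corrupt archive
    ( cd "$(dirname "$archive")" &&
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    printf '%s\n' "$archive.sha256"
}

# Re-check an archive against its sidecar before restoring from it.
tq_backup_verify() {
    archive=$1
    ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" )
}

# Restore pre-flight: the archive is extracted next to itself, so the filesystem
# holding it needs room for the uncompressed contents plus an optional margin
# (second argument, in KiB). Decompressing to wc also re-validates the gzip stream.
tq_restore_space_ok() {
    archive=$1
    margin_kb=${2:-0}
    need_kb=$(( $(gzip -dc "$archive" | wc -c) / 1024 + 1 ))
    free_kb=$(df -Pk "$(dirname "$archive")" | awk 'NR == 2 { print $4 }')
    [ "$free_kb" -ge $(( need_kb + margin_kb )) ]
}

# Usage: sh tq_backup_checks.sh seal|verify|preflight /path/to/threatq_backup_x.x.x_yyyy-mm-dd.tgz
case "${1-}" in
    seal)      tq_backup_name_ok "$2" || { echo "unexpected backup file name: $2" >&2; exit 1; }
               tq_backup_seal "$2" ;;
    verify)    tq_backup_verify "$2" && echo "checksum OK: $2" ;;
    preflight) tq_restore_space_ok "$2" && echo "enough free space to extract $2" ;;
esac
```

Run seal on the host right after the backup command finishes and copy the archive together with its .sha256 file to the mounted drive; run verify and preflight on the target instance before issuing the restore command. The space check is deliberately conservative (it counts the full uncompressed tar stream) because a restore that runs out of disk part-way through leaves the target in the overwritten state the notes above warn about.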
ThreatQ Restore Process
To restore from a ThreatQ backup, perform the following procedure on the target ThreatQ instance.
- Complete the first boot process on the new host by navigating to its IP address in a web browser and entering your credentials. If this step is not completed, the remaining steps will fail.
- SSH to the command line and elevate your user privileges to root or sudo.
- Verify that you have the necessary utilities in place by running:
  yum install policycoreutils-python-2.2.5-20.el7.x86_64
- Change directory to /var/www/api.
- Issue the following commands:
  5x command:
    php artisan threatq:restore </path/to/backup_file>
  4x commands:
    php artisan threatq:restore </path/to/backup_file>
    php artisan threatq:update-events
- If prompted, provide the root MySQL password you configured during first boot.
- If you are restoring from an online backup or if the backup file does not include the intelligence data index required for improved search performance, the following message prompts you to decide when to perform a Solr re-index:
  Do you want to re-index Solr now? If not, you may do this manually later. [y/n]
  This operation may take hours.
- After the restore completes, you should reboot the target ThreatQ system to ensure that the system processes start up correctly.
On a Kubernetes-based ThreatQ installation, perform the following procedure on the target ThreatQ instance instead.
- SSH to the command line and elevate your user privileges to root or sudo.
- Run the following command:
  kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:restore </path/to/backup_file>
  If prompted, provide the root MySQL password. See the Password Retrieval section for the steps to retrieve this password.
- If the backup file does not include the intelligence data index required for improved search performance, the following message prompts you to decide when to perform a Solr re-index:
  Do you want to re-index Solr now? If not, you may do this manually later. [y/n]
  This operation may take hours.
- After the restore completes, you should reboot the target ThreatQ system to ensure that the system processes start up correctly.