Restore Splunk SOAR (On-premises) from a backup

You can use backups in conjunction with the Splunk SOAR (On-premises) Warm Standby feature for additional protection against system failure.

Note: For deployments of Splunk SOAR (On-premises) in AWS that use RDS for their PostgreSQL database: Do not use the ibackup command. Create backups using the backup.pyc tool and perform restores using the restore.pyc tool, as described in Backup the external PostgreSQL database with the Relational Database System (RDS).
Note: In clustered deployments, you must issue all backup and restore commands from the same cluster node.

Prepare your system for restore

Before you can perform a restore in your Splunk SOAR (On-premises) deployment, you must prepare your system. This preparation is especially important if you are restoring data from one Splunk SOAR (On-premises) deployment to another deployment.

Note: You don't need to perform these steps when restoring a backup to the same deployment; backup creation includes the setup step.

To prepare your deployment before restoring, perform the following steps:

  1. From the command line, SSH to your Splunk SOAR (On-premises) instance or Splunk SOAR (On-premises) cluster node. 
    ssh <username>@<phantom_hostname>
  2. Prepare the system for a restore. 
    phenv ibackup --setup

Restore your deployment from a full backup

To restore your deployment from a full backup, follow these steps:

  1. From the command line, SSH to your Splunk SOAR (On-premises) instance or Splunk SOAR (On-premises) cluster node. 
    ssh <username>@<phantom_hostname>
  2. Prepare the system for a restore. 
    phenv ibackup --setup
  3. Copy your <number>_phantom_backup.tar from storage to the instance or cluster node you are restoring.
  4. Perform the restore. See the following notes. 
    phenv ibackup --restore <path/to/<number>_phantom_backup.tar>
Note: Use the --ignore-env-check flag to disable the check for identical variables on the restore instance and backup instance.

Restore a full backup for deployments with an external PostgreSQL database in RDS

Amazon Web Services RDS provides automatic backups of hosted PostgreSQL databases which are managed and restored using the management console. See Backing up and restoring a DB instance in the AWS documentation.

  • The filesystem backup of your Splunk SOAR (On-premises) deployment must be created using the use the --fs-only option of the ibackup tool.
  • You can restore the filesystem backup using the --restore option of the ibackup tool.

See Splunk SOAR (On-premises) backup tools.

Restore your system from an incremental backup

You must prepare the system before restoring your system from an incremental backup. See Prepare your system for restore earlier in this topic.

Incremental backups contain only the changes made to your Splunk SOAR (On-premises) instance since the last full backup or previous incremental backup. An incremental backup is not sufficient to restore a system on its own. It must be used with the related full backup and any intermediate backups.

Here is a sample sequence of restoring your system from an incremental backup. The sequence is important, but there can be varying increments of time between the steps.

  1. Create a full backup called phantom_backup_group_0_level_0.tar.
  2. Create an incremental backup called phantom_backup_group_0_level_1.tar, which is based on phantom_backup_group_0_level_0.tar.
  3. Create a second incremental backup called phantom_backup_group_0_level_2.tar, which is based on phantom_backup_group_0_level_1.tar and phantom_backup_group_0_level_0.tar.

Remember these important points when restoring your system from the sequential files:

  • You can restore phantom_backup_group_0_level_0.tar alone.
  • You cannot restore phantom_backup_group_0_level_1.tar without phantom_backup_group_0_level_0.tar.
  • You cannot restore phantom_backup_group_0_level_2.tar without phantom_backup_group_0_level_0.tar and phantom_backup_group_0_level_1.tar.

Restore the incremental backup

To restore the incremental backup, follow these steps:

  1. From the command line, SSH to your Splunk SOAR (On-premises) instance or cluster node. 
    ssh <username>@<phantom_hostname>
  2. Prepare the system for a restore. 
    phenv ibackup --setup
  3. Copy the full backup TAR file and any incremental-level TAR files from storage to the instance or cluster node you are restoring.
  4. Perform the restore. Enter the file name of the last incremental backup file you want to restore. 
    phenv ibackup --restore < phantom_backup_group_<#>_level_<#>.tar >
Note: Use the --ignore-env-check flag to disable the check for identical variables on the restore instance and backup instance.

Determine whether the system restore was successful

If the restore is successful, it writes information to the console. Here is an example of console output from a successful restore: 

[phantom@phantom bin]# phenv ibackup --restore /opt/phantom/data/backup/phantom_backup_group_0_level_0.tar 
[06/Feb/2020 20:10:15] INFO: Running ibackup - details will be logged to /var/log/phantom/backup/ibackup_2020-02-06T20:10:15.089127Z.log
[06/Feb/2020 20:10:15] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:10:17] INFO: Checking filesystem backup state at /opt/phantom/data/ibackup/repo/fs
[06/Feb/2020 20:10:17] INFO: Restoring this backup requires utilizing 9.11334507138% of the total volume capacity
[06/Feb/2020 20:10:17] INFO: Available: 45901836288 , Required: 2008317952.0
[06/Feb/2020 20:10:21] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:21] INFO: Retrying ...
[06/Feb/2020 20:10:22] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:22] INFO: Retrying ...
[06/Feb/2020 20:10:24] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:24] INFO: Retrying ...
[06/Feb/2020 20:10:28] INFO: Attempting to connect to Postgresql ...
psql: ERROR:  pgbouncer cannot connect to server
[06/Feb/2020 20:10:28] INFO: Retrying ...
[06/Feb/2020 20:10:36] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:10:38] INFO: Extracting backup file /opt/phantom/data/backup/phantom_backup_group_0_level_0.tar
[06/Feb/2020 20:11:08] INFO: Restoring files to filesystem
[06/Feb/2020 20:11:17] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:11:27] INFO: Restore complete

Prepare for subsequent backups

After restoring your system, you must run phenv ibackup --setup again before you can make new backups. See Prepare your system for restore earlier in this topic.