After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Restore from a backup
You can use backups in conjunction with the Warm Standby feature for additional protection against system failure.
For deployments of Splunk SOAR (On-premises) in AWS that use RDS for their PostgreSQL database: Do not use the ibackup command. Create backups using the backup.pyc tool and perform restores using the restore.pyc tool, as described in Backup the external PostgreSQL database with the Relational Database System (RDS).
In clustered deployments, you must issue all backup and restore commands from the same cluster node.
Prepare your system for restore
Before you can perform a restore in your deployment, you must prepare your system. This preparation is especially important if you are restoring data from one deployment to another deployment.
You don't need to perform these steps when restoring a backup to the same deployment; backup creation includes the setup step.
To prepare your deployment before restoring, perform the following steps:
- From the command line, SSH to your instance or cluster node.
  ssh <username>@<phantom_hostname>
- Prepare the system for a restore.
  phenv ibackup --setup
Restore your deployment from a full backup
To restore your deployment from a full backup, follow these steps:
- From the command line, SSH to your instance or cluster node.
  ssh <username>@<phantom_hostname>
- Prepare the system for a restore.
  phenv ibackup --setup
- Copy your <number>_phantom_backup.tar from storage to the instance or cluster node you are restoring.
- Perform the restore. See the following notes.
  phenv ibackup --restore <path/to/<number>_phantom_backup.tar>
Use the --ignore-env-check flag to disable the check for identical variables on the restore instance and backup instance.
Restore a full backup for deployments with an external PostgreSQL database in RDS
Amazon Web Services RDS provides automatic backups of hosted PostgreSQL databases which are managed and restored using the management console. See Backing up and restoring a DB instance in the AWS documentation.
- The filesystem backup of your deployment must be created using the --fs-only option of the ibackup tool.
- You can restore the filesystem backup using the --restore option of the ibackup tool.
See Splunk SOAR (On-premises) backup tools.
Restore your system from an incremental backup
You must prepare the system before restoring your system from an incremental backup. See Prepare your system for restore earlier in this topic.
Incremental backups contain only the changes made to your instance since the last full backup or previous incremental backup. An incremental backup is not sufficient to restore a system on its own. It must be used with the related full backup and any intermediate backups.
Here is a sample sequence of restoring your system from an incremental backup. The sequence is important, but there can be varying increments of time between the steps.
- Create a full backup called phantom_backup_group_0_level_0.tar.
- Create an incremental backup called phantom_backup_group_0_level_1.tar, which is based on phantom_backup_group_0_level_0.tar.
- Create a second incremental backup called phantom_backup_group_0_level_2.tar, which is based on phantom_backup_group_0_level_1.tar and phantom_backup_group_0_level_0.tar.
Remember these important points when restoring your system from the sequential files:
- You can restore phantom_backup_group_0_level_0.tar alone.
- You cannot restore phantom_backup_group_0_level_1.tar without phantom_backup_group_0_level_0.tar.
- You cannot restore phantom_backup_group_0_level_2.tar without phantom_backup_group_0_level_0.tar and phantom_backup_group_0_level_1.tar.
Restore the incremental backup
To restore the incremental backup, follow these steps:
- From the command line, SSH to your instance or cluster node.
  ssh <username>@<phantom_hostname>
- Prepare the system for a restore.
  phenv ibackup --setup
- Copy the full backup TAR file and any incremental-level TAR files from storage to the instance or cluster node you are restoring.
- Perform the restore. Enter the file name of the last incremental backup file you want to restore.
  phenv ibackup --restore < phantom_backup_group_<#>_level_<#>.tar >
Use the --ignore-env-check flag to disable the check for identical variables on the restore instance and backup instance.
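The dependency rule for incremental backups (a level N file restores only together with levels 0 through N-1 of the same group) can be checked before running the restore. The following is an added example, not part of the Splunk documentation or tooling: the function name check_chain is hypothetical, and it assumes every TAR file of the chain sits in the same directory as the file you pass to --restore.

```shell
#!/bin/sh
# Added example (not Splunk code): confirm an incremental backup chain is
# complete before restoring. Assumption: all files of the chain are in the
# same directory as the target file.

# check_chain <path/to/phantom_backup_group_G_level_N.tar>
# Prints one "missing: <file>" line per absent level. Returns 0 when levels
# 0..N of group G all exist, 1 when any are missing, 2 when the file name
# does not follow the phantom_backup_group_<#>_level_<#>.tar scheme.
check_chain() {
    target=$1
    dir=$(dirname -- "$target")
    name=$(basename -- "$target")

    case $name in
        phantom_backup_group_*_level_*.tar) ;;
        *) echo "unrecognized backup name: $name" >&2; return 2 ;;
    esac

    rest=${name#phantom_backup_group_}   # G_level_N.tar
    group=${rest%%_level_*}              # G
    level=${rest#*_level_}               # N.tar
    level=${level%.tar}                  # N

    # Group and level must both be plain non-negative integers.
    case $group in ''|*[!0-9]*) echo "bad group in: $name" >&2; return 2 ;; esac
    case $level in ''|*[!0-9]*) echo "bad level in: $name" >&2; return 2 ;; esac

    missing=0
    i=0
    while [ "$i" -le "$level" ]; do
        f="$dir/phantom_backup_group_${group}_level_${i}.tar"
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            missing=1
        fi
        i=$((i + 1))
    done
    return "$missing"
}

# Usage: check_chain /path/to/phantom_backup_group_0_level_2.tar \
#            && phenv ibackup --restore /path/to/phantom_backup_group_0_level_2.tar
```

A full backup named <number>_phantom_backup.tar returns 2 here because it is not part of a group/level chain; restore it on its own as described in the full-backup procedure.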
Determine whether the system restore was successful
If the restore is successful, it writes information to the console. Here is an example of console output from a successful restore:
[phantom@phantom bin]# phenv ibackup --restore /opt/phantom/data/backup/phantom_backup_group_0_level_0.tar
[06/Feb/2020 20:10:15] INFO: Running ibackup - details will be logged to /var/log/phantom/backup/ibackup_2020-02-06T20:10:15.089127Z.log
[06/Feb/2020 20:10:15] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:10:17] INFO: Checking filesystem backup state at /opt/phantom/data/ibackup/repo/fs
[06/Feb/2020 20:10:17] INFO: Restoring this backup requires utilizing 9.11334507138% of the total volume capacity
[06/Feb/2020 20:10:17] INFO: Available: 45901836288 , Required: 2008317952.0
[06/Feb/2020 20:10:21] INFO: Attempting to connect to Postgresql ...
psql: ERROR: pgbouncer cannot connect to server
[06/Feb/2020 20:10:21] INFO: Retrying ...
[06/Feb/2020 20:10:22] INFO: Attempting to connect to Postgresql ...
psql: ERROR: pgbouncer cannot connect to server
[06/Feb/2020 20:10:22] INFO: Retrying ...
[06/Feb/2020 20:10:24] INFO: Attempting to connect to Postgresql ...
psql: ERROR: pgbouncer cannot connect to server
[06/Feb/2020 20:10:24] INFO: Retrying ...
[06/Feb/2020 20:10:28] INFO: Attempting to connect to Postgresql ...
psql: ERROR: pgbouncer cannot connect to server
[06/Feb/2020 20:10:28] INFO: Retrying ...
[06/Feb/2020 20:10:36] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:10:38] INFO: Extracting backup file /opt/phantom/data/backup/phantom_backup_group_0_level_0.tar
[06/Feb/2020 20:11:08] INFO: Restoring files to filesystem
[06/Feb/2020 20:11:17] INFO: Attempting to connect to Postgresql ...
[06/Feb/2020 20:11:27] INFO: Restore complete
Prepare for subsequent backups
After restoring your system, you must run phenv ibackup --setup again before you can make new backups. See Prepare your system for restore earlier in this topic.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.4.0