Restore the Database - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations


Restore the database from a manual or automatic backup in Cortex XSOAR.

Cortex XSOAR automatically backs up the database. If the database becomes corrupted or you need to revert to an earlier version of your data, you can restore a database backup.


In Cortex XSOAR v6.1 and later, any XSOAR service that uses the Elasticsearch database no longer runs automatic backups. To back up or restore the contents of your Elasticsearch database, follow the instructions for Disaster Recovery for Elasticsearch.

  1. Log out all users from Cortex XSOAR.

  2. Stop the service.

    sudo service demisto stop

  3. Delete the contents of the database directory.

    By default, the database directory is /var/lib/demisto/data.

  4. Copy the backup file to the database location.

  5. Extract the .gzip backup file using tar -xzf <file-name>.

    When you run the command, new sub-folders are created in the directory where you ran it, with the database files inside. If you use the default path, the files are under the var folder. For example, the following files are generated:

    root@myhost:/var/lib/demisto/backup# tar -xzf daily_29_Jun_2021__0738.tar.gz
    root@myhost:/var/lib/demisto/backup# cd var/lib/demisto/backup/daily_29_Jun_2021__0738
    root@myhost:/var/lib/demisto/backup/var/lib/demisto/backup/daily_29_Jun_2021__0738# ls
    demisto.db  demisto_062021.db

  6. Automatic Backup

    • Move the demisto_XXXXX.db files to the partitionsData folder.

    • Keep the demisto.db file in the /data parent folder.

    Manual Backup

    You do not need to move the files, as the required _XXXXX.db files are already in the partitionsData folder.

  7. The following directories and files need to be restored manually:

    • /var/lib/demisto/artifacts

    • /var/lib/demisto/attachments

    • /var/lib/demisto/images

    • /var/lib/demisto/d2_server.key

    • /var/lib/demisto/tools

    • /var/lib/demisto/versionControlRepo

    • /usr/local/demisto

    • /etc/demisto.conf

  8. Restart the server and log in to Cortex XSOAR.
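
The following script covers steps 3 to 6 for an automatic backup. It is an added example, not part of the Cortex XSOAR documentation, and its function names are hypothetical. It assumes the default data path shown above and, unlike the manual steps, extracts into a staging directory beside the data directory and validates the archive before deleting anything, so an unreadable or malformed backup cannot leave the server without a database.

```shell
# Added example: steps 3-6 of the restore for an AUTOMATIC backup.
# Run as root, after step 2 (`sudo service demisto stop`).

# Succeeds if any member name on stdin is absolute or contains a ".." component.
has_unsafe_member() {
  grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Validate the archive before anything is deleted.
verify_backup() {
  local archive="$1" members
  members=$(tar -tzf "$archive" 2>/dev/null) || { echo "unreadable archive" >&2; return 1; }
  if printf '%s\n' "$members" | has_unsafe_member; then
    echo "archive contains absolute or ../ paths" >&2; return 1
  fi
  printf '%s\n' "$members" | grep -Eq '(^|/)demisto\.db$' ||
    { echo "archive has no demisto.db" >&2; return 1; }
}

# Usage: restore_automatic_backup <backup.tar.gz> [data_dir]
restore_automatic_backup() {
  local archive="$1" data_dir="${2:-/var/lib/demisto/data}" staging db_dir f
  verify_backup "$archive" || return 1
  [ -d "$data_dir" ] || { echo "missing $data_dir" >&2; return 1; }
  # Stage next to data_dir (same filesystem) so the moves below are renames.
  staging=$(mktemp -d "$(dirname "$data_dir")/restore.XXXXXX") || return 1
  tar -xzf "$archive" -C "$staging" || { rm -rf "$staging"; return 1; }
  # The archive recreates var/lib/demisto/backup/<name>/; locate the db files.
  db_dir=$(dirname "$(find "$staging" -type f -name demisto.db | head -n 1)")
  # Step 3: delete the contents of the database directory.
  find "$data_dir" -mindepth 1 -delete
  # Step 6: demisto.db stays in data/, demisto_XXXXX.db go to partitionsData/.
  mkdir -p "$data_dir/partitionsData"
  mv "$db_dir/demisto.db" "$data_dir/"
  for f in "$db_dir"/demisto_*.db; do
    if [ -e "$f" ]; then mv "$f" "$data_dir/partitionsData/"; fi
  done
  rm -rf "$staging"
}
```

For a manual backup the partition files are already in partitionsData, so the move in the loop does not apply.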