Troubleshooting
Problem
A change implemented in QRadar 7.3.2 and later ensures that files are removed from temporary directories. In QRadar 7.3.0 and 7.3.1, an issue prevented the diskmaintd.pl utility from removing files in the /storetmp directory. The issue was resolved in QRadar 7.3.2, so administrators who keep files or exports in /storetmp need to move them to a safe location.
Cause
The expected behavior of diskmaintd.pl is to clear /storetmp of any files that are older than 6 hours when the script runs. By default, a cron job runs diskmaintd.pl daily at 2 AM. In versions 7.3.0 and 7.3.1, an issue with how the symlink from /store/tmp to /storetmp was created meant that the directory was not traversed recursively, so files older than 6 hours remained in /storetmp.
Environment
QRadar administrators who upgrade to QRadar 7.3.2 and later with important files in the /storetmp directory.
Resolving The Problem
Since QRadar 7.3.2, files older than 6 hours that reside in /storetmp are removed by diskmaintd.pl when it runs at 2 AM daily. Administrators must back up files, exports, or utilities to another directory in /store before upgrading QRadar. If these files are not moved, diskmaintd.pl deletes all aged files from the /storetmp directory.
Where do I keep important files?
Administrators can create a location for important data, such as /store/IBM_Support/, /store/save/, /store/important/, or /store/keep/ for exports, utilities, or important files. Create a customized location to keep files, because such a location is not impacted by the disk maintenance script.
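A pre-upgrade check for the behavior described above, as an added example that is not IBM code and not part of diskmaintd.pl: it lists the files in a temporary directory that are past the 6-hour limit and copies them to a directory under /store. The function names, the storetmp_backup subdirectory, and the use of modification time to measure file age are assumptions.

```shell
#!/bin/bash
# Added example, not IBM code. Assumption: "older than 6 hours" is judged by
# modification time, which is what find -mmin tests.
AGE_MINUTES=360
# Directories the technote says are routinely cleaned (override for testing).
CLEANED_DIRS=${CLEANED_DIRS:-"/storetmp /tmp /transient"}

# list_aged_files DIR [MINUTES]: print files under DIR past the age limit as
# paths relative to DIR. cd first so a symlinked DIR is still traversed.
list_aged_files() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    ( cd "$1" && find . -type f -mmin +"${2:-$AGE_MINUTES}" -print )
}

# is_cleaned_path PATH: succeed if PATH is, or is inside, one of CLEANED_DIRS.
is_cleaned_path() {
    for d in $CLEANED_DIRS; do
        case "$1" in "$d"|"$d"/*) return 0 ;; esac
    done
    return 1
}

# preserve_aged_files SRC DEST [MINUTES]: copy aged files from SRC to DEST,
# keeping relative paths, modes and timestamps. Returns 2 if DEST is cleaned.
preserve_aged_files() {
    src=$1; dest=$2; minutes=${3:-$AGE_MINUTES}
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 1; }
    if is_cleaned_path "$dest"; then
        echo "refusing: $dest is cleaned by disk maintenance" >&2; return 2
    fi
    mkdir -p "$dest" || return 1
    dest=$(cd "$dest" && pwd -P)   # resolve symlinks such as /store/tmp
    if is_cleaned_path "$dest"; then
        echo "refusing: $dest is cleaned by disk maintenance" >&2; return 2
    fi
    ( cd "$src" && find . -type f -mmin +"$minutes" -exec sh -c '
        dest=$1; shift
        for f do
            mkdir -p "$dest/$(dirname "$f")" && cp -pf "$f" "$dest/$f" || exit 1
        done' sh "$dest" {} + )
}

# Example run on a QRadar host before upgrading:
#   list_aged_files /storetmp
#   preserve_aged_files /storetmp /store/IBM_Support/storetmp_backup
```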
The QRadar Fix Pack was removed from /storetmp. What can I do?
Administrators must copy or download the file again. To prevent this situation, store the fix pack file in a customized location in /store, such as /store/IBM_Support/, and copy it to /storetmp right before the upgrade takes place.
What other temporary directories must be avoided?
/storetmp, /tmp, and /transient must not be used to keep any important files on the system. These locations are used to temporarily store data by QRadar and are routinely cleaned up.
Can I modify diskmaintd to exclude specific directories?
Yes, but it is usually not recommended by QRadar Support. Administrators are advised to use a unique directory in /store for their files, because a future update to diskmaintd could override the changes made.
If a specific file or directory needs to be added to the exclusion list so that disk maintenance does not remove it, the administrator can edit the /opt/qradar/conf/diskmaintd.conf file to include that file or directory as follows:
Warnings: Any errors in the syntax of the file could cause your files to be deleted. Also, excluding files can cause disk space issues in the /storetmp partition.
- Create the backup directory.
mkdir -p /store/IBM_Support/
- Make a copy of the current configuration file.
cp -pfv /opt/qradar/conf/diskmaintd.conf /store/IBM_Support/diskmaintd.conf.bck
- Edit the file.
vi /opt/qradar/conf/diskmaintd.conf
Document Location
Worldwide
Document Information
Modified date:
26 October 2022
UID
ibm10874848