Disk usage system notifications

IBM QRadar disk sentry monitors the /, /store, /transient, /storetmp, /opt, /var/log, /var/log/audit, /var, /tmp, and /home partitions before the partitions reach a pre-defined usage threshold.
Important: On QRadar appliances with disk capacities greater than 2 TB, the /store and /transient partitions are monitored by using an absolute threshold of 100 GiB instead of a percentage-based threshold. This is because, on large disks, even 5% remaining space can represent a substantial amount of free space. Using an absolute limit provides more meaningful monitoring headroom and helps to avoid premature service disruption warnings.

The following topics can help you identify and resolve common problems in your IBM QRadar deployment. The following table displays the host context system notifications that depend on the disk usage of each monitored partition.

Notification | Description | Suggested action |
---|---|---|
Disk Sentry: Disk Usage exceeded warning threshold. | Disk usage is at 90% for a monitored partition. QRadar is not affected when the partition reaches this threshold. Continue to monitor your partition levels. | See Disk usage exceeded warning threshold. |
Disk Sentry: Disk Usage exceeded max threshold. | Disk usage is at 95% for a monitored partition. QRadar data collection and search processes are shut down to protect the file system from reaching 100%. | See Disk usage exceeded max threshold. |
Disk sentry: System disk usage back to normal levels. | After disk usage reaches a threshold of 95%, it must return to 92% before QRadar automatically restarts data collection and search processes. | To lower the disk usage threshold, manually remove data from the affected partitions. See Disk usage returned to normal. |
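
The thresholds in the table form a hysteresis loop: collection stops at 95% and does not resume until usage is back at 92%. The following added example (not IBM code and not part of QRadar) models that logic for an external health check. The state names, the use of file system size as a stand-in for appliance disk capacity, decimal terabytes, and the reading of the 100 GiB threshold as a floor on free space are assumptions.

```python
import shutil

MONITORED = ["/", "/store", "/transient", "/storetmp", "/opt", "/var/log",
             "/var/log/audit", "/var", "/tmp", "/home"]
WARN_PCT, MAX_PCT, RESUME_PCT = 90.0, 95.0, 92.0   # values from the table
ABS_PARTITIONS = {"/store", "/transient"}
LARGE_DISK = 2 * 10**12       # assumption: "2 TB" read as decimal terabytes
ABS_FREE_FLOOR = 100 * 2**30  # 100 GiB


def classify(path, total, used, stopped=False):
    """Return (state, stopped) for one partition.

    `stopped` is the state carried over from the previous check: True once
    the 95% threshold has been hit and usage has not yet returned to 92%.
    """
    if path in ABS_PARTITIONS and total > LARGE_DISK:
        # Assumption: the absolute threshold means "less than 100 GiB free";
        # the page does not say which notification it raises.
        low = (total - used) < ABS_FREE_FLOOR
        return ("absolute_low" if low else "ok"), stopped
    pct = 100.0 * used / total
    if pct >= MAX_PCT:
        return "max", True
    if stopped:
        if pct > RESUME_PCT:
            return "holding", True       # below 95% but still above 92%
        return "back_to_normal", False
    if pct >= WARN_PCT:
        return "warning", False
    return "ok", False


def scan(paths=MONITORED):
    """Classify the monitored partitions that exist on this host."""
    results = {}
    for path in paths:
        try:
            usage = shutil.disk_usage(path)  # used/total approximates df Use%
        except OSError:
            continue                         # partition not present here
        results[path] = classify(path, usage.total, usage.used)[0]
    return results


if __name__ == "__main__":
    for path, state in scan().items():
        print(f"{path}: {state}")
```

Because a partition in the `max` or `holding` state means data collection is stopped, alerting on those states from outside QRadar covers the period in which QRadar itself is not collecting events.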