IBM Support

High disk usage on QRadar Network Security sensors

Question & Answer


Question

What should you do if you encounter high disk usage on a QRadar Network Security (XGS) sensor?

Answer

It is possible that there are files in the /support/ directory that are taking up a significant amount of space. To see which file or files are filling the hard drive, use an SFTP client such as WinSCP to connect to the appliance via SSH. Use the admin-sftp account to log in. This account uses the same credentials as the admin account. Within the /support/ directory, you see the snapshots (files ending with .snapshot) and support files (files ending with .support) that currently reside on the appliance.

Locate any snapshots and support files that are no longer needed. Due to permissions restrictions, you are unable to delete the files directly from this location. You need to log in to the web interface and go to the appropriate place to delete them. For snapshots, go to Manage System Settings > System Settings > Snapshots. For support files, go to Manage System Settings > System Settings > Support Files.

You might also see large core dump files in the /support/ directory. If so, contact Customer Support and provide them with a screen capture of the core dump files. Customer Support will determine whether these core dumps are OK to delete.

It is also possible that you have packet captures taking up a large amount of space. Check the /support/pktcap/ directory for any large captures. Again, you are not able to delete them directly from this location. Log in to the web interface and go to Manage System Settings > System Settings > Packet Captures.

If you have enabled Local Flow Data Collection, you might see the flow data grow large over time. The file that holds this data is /var/iss-db/flowdata.db. To see its current size, look at the support.txt file contained in a support file. Below is an example of what the entry looks like:

+ ls -l /var/iss-db/flowdata.db
-rw-r--r-- 1 root root 3036160 Mar 17 15:40 /var/iss-db/flowdata.db


You cannot delete this file, but it can be cleared by going to Manage System Settings > Network Settings > Flow Data and clicking the Flush Local Data button in the LMI.
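To speed up the review of a long /support/ listing, here is an added example (not IBM's or the XGS product's own code) that parses "ls -l" lines of the kind shown in the support.txt excerpt above, lists the largest files first and maps each one to the cleanup location this answer gives. The sample listing is constructed, and the pattern used to recognise core dump file names is an assumption.

```python
import re

# Constructed sample in the style of the support.txt 'ls -l' excerpt above;
# file names and sizes are made up for this example.
SAMPLE_LISTING = """\
+ ls -l /support/
-rw-r--r-- 1 root root 734003200 Mar 10 09:12 /support/xgs-20210310.snapshot
-rw-r--r-- 1 root root  52428800 Mar 12 11:05 /support/xgs-20210312.support
-rw------- 1 root root 1073741824 Mar 15 02:33 /support/core.1234
-rw-r--r-- 1 root root 209715200 Mar 16 14:20 /support/pktcap/capture01.pcap
+ ls -l /var/iss-db/flowdata.db
-rw-r--r-- 1 root root 3036160 Mar 17 15:40 /var/iss-db/flowdata.db
"""
# perms links owner group size month day time-or-year path
LS_LINE = re.compile(
    r"^[-dlcbps][rwxsStT-]{9}[.+@]?\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+\d+\s+\S+\s+(.+)$")

# (category, predicate, where the page says to clean it up). None of these can
# be deleted over admin-sftp. The "/core" name pattern is an assumption.
RULES = [
    ("snapshot", lambda p: p.endswith(".snapshot"),
     "Manage System Settings > System Settings > Snapshots"),
    ("support file", lambda p: p.endswith(".support"),
     "Manage System Settings > System Settings > Support Files"),
    ("packet capture", lambda p: p.startswith("/support/pktcap/"),
     "Manage System Settings > System Settings > Packet Captures"),
    ("flow data", lambda p: p == "/var/iss-db/flowdata.db",
     "Manage System Settings > Network Settings > Flow Data > Flush Local Data"),
    ("core dump", lambda p: "/core" in p,
     "send a screen capture to Customer Support before deleting"),
]

def classify(path):
    """Return (category, cleanup action) for a path from the listing."""
    for name, matches, action in RULES:
        if matches(path):
            return name, action
    return "other", "review manually"

def triage(listing, min_bytes=100 * 1024 * 1024):
    """Parse 'ls -l' lines; return (size, category, path, action), largest first."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m or int(m.group(1)) < min_bytes:
            continue  # '+ ls -l ...' echo, blank line, or file below threshold
        size, path = int(m.group(1)), m.group(2)
        cat, action = classify(path)
        findings.append((size, cat, path, action))
    return sorted(findings, reverse=True)
```

Paste the "ls -l" section of a real support.txt into `triage()` to get the same ranking for your own appliance; the default threshold reports only files of 100 MiB or more.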

Document Information

Modified date:
23 January 2021

UID

swg21966576