IBM Support

QRadar: Disk storage issue "Partition on server is not available"

Troubleshooting


Problem

The dashboard is displaying a message that the partition on the server is not available.

Symptom

An error notification is received stating a partition is not available. When this happens you will get a notification and messages in /var/log/qradar.error such as the one below:


May 28 10:36:48 ::ffff:x.x.x.x [hostcontext.hostcontext][94228df2-b970-4a76-ac49-39030ad53d09/SequentialEventDispatcher]com.q1labs.hostcontext.ds.DiskSpaceSentinel: [WARN][NOT:0000004000][x.x.x.x/- -] [-/- -]Partition tester thread did not complete -- attempting to interrupt. The storage mounted at/store/transient did not respond within 30 seconds. If this latency is expected, you can increase this time interval through the System Settings
May 28 10:36:48 ::ffff:x.x.x.x [hostcontext.hostcontext][94228df2-b970-4a76-ac49-39030ad53d09/SequentialEventDispatcher]com.q1labs.hostcontext.ds.DiskSpaceSentinel: [WARN][NOT:0000004000][x.x.x.x/- -] [-/- -]Partition tester thread did not complete -- attempting to interrupt. The storage mounted at /store/tmp did not respond within 30 seconds. If this latency is expected, you can increase this time interval through the System Settings
May 28 10:36:48 ::ffff:x.x.x.x [hostcontext.hostcontext][94228df2-b970-4a76-ac49-39030ad53d09/SequentialEventDispatcher]com.q1labs.hostcontext.ds.DiskSpaceSentinel: [ERROR][NOT:0150062100][x.x.x.x/- -] [-/- -]The storage partition(s) /var/log, /store/transient, /store/tmp on QRADAR-MH (x.x.x.x) are not currently accessible. Manual intervention may be required to restore normal operation

Cause

Network latency between Managed Hosts and Console or high writing to disk via Offboard storage.

Resolving The Problem

This is due to the Partition Tester threshold of (default) 30 seconds, so at certain circumstances this value is not enough and so the partition testing fails, however if you immediately find messages as the one below, that means there is no real impact on the device and you could increase the threshold on the partition tester.

May 28 10:36:50 ::ffff:x.x.x.x [hostcontext.hostcontext][94228df2-b970-4a76-ac49-39030ad53d09/SequentialEventDispatcher]com.q1labs.hostcontext.ds.DiskSpaceSentinel: [ERROR][NOT:0150066101][x.x.x.x/- -] [-/- -]The storage partition(s) /var/log, /store/transient, /store/tmp on QRADAR-MH(x.x.x.x) are now accessible.

To do this.

  1. Log in to the QRadar user interface.
  2. Click Admin tab > System Settings
  3. Click Switch to Advanced > System Setting
  4. Find Partition Tester Timeout (seconds) and change it to 60 sec.


Other things to check:
  • Network latency between appliances and the console
  • If /store is mounted to an Offboard storage device such as a ISCSI or Fibre channel storage
If this does not resolve the issue contact support for a solution.



Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2;7.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg22001602

Page Feedback