IBM Support

QRadar: About / partition

Question & Answer


What is the purpose of the root "/" partition in QRadar, and how can I troubleshoot issues with the root partition filling?


The "/" partition is the root directory of the file system. All the directories in Linux are contained in this partition when a partition mount point or external mount point for a specific directory is not created.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage on the "/" partition. If the "/" partition fills to 95%, the disk sentry stops the QRadar core services.

The following are the most common causes of the "/" partition filling up:

  • An external file system (see the QRadar offboard storage documentation) is not available, and a file needs to be written to the directory mount point.

    Example: QRadar backups are enabled, and the /store/backup/ partition is configured on an NFS server mount point. If the NFS server is unreachable when the nightly backups run, the backup engine looks for the /store/backup/ directory and writes the file to "/". Because backup files can grow to several hundred GBs in size, the file can fill the "/" partition.
  • QRadar is installed on an appliance (virtual or physical) with less disk space than the minimum storage requirement. A disk smaller than 256GB causes some of the partitions not to be created separately, and the directory ends up inside the "/" partition.

    Example: The /store/ partition is not created because the disk of the appliance is 200GB (the minimum requirement is 256GB). When the appliance receives many events, they are buffered in /store/persistent_queue/ and, because the /store partition does not exist, the /store/persistent_queue/ directory can fill the "/" partition.
  • External files or temporary files created by commands run by the administrator are not cleaned up after use.

    Example: An administrator needs to gather information from the system and imports several files into /root/script/. Later, a QRadar software update SFS file is copied to /root/ to upgrade the environment, and the copy is interrupted due to lack of space. Often, administrators forget to delete older files that are no longer required, and the sum of these forgotten files can grow until it fills the "/" partition.
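As an added example (not IBM's or QRadar's own code), the following POSIX shell script applies the checks described above from an administrator's side: it reads the "/" usage the same way the disk sentry threshold is expressed, flags directories such as /store/backup that silently resolve to the root file system (the missing offboard storage case), and lists the largest top-level consumers. It assumes GNU df and stat on the appliance; the function names and the directory list are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code: root-partition check modelled on the
# disk sentry behaviour described above. The 95% threshold comes from the
# page; the helper names and the directory list are assumptions.

THRESHOLD=95                       # disk sentry stops core services at 95%

# usage_pct: read "df -P" output on stdin, print Use% of the last line as an integer.
usage_pct() {
    awk 'NR>1 { pct=$5 } END { sub("%", "", pct); print pct+0 }'
}

# over_threshold PCT LIMIT: succeed (exit 0) when PCT is at or above LIMIT.
over_threshold() {
    [ "$1" -ge "$2" ]
}

# mount_state DIR: "on-root" when DIR lives on the same device as "/",
# "mounted" when it is its own mount point (for example, an NFS share).
mount_state() {
    if [ "$(stat -c %d "$1" 2>/dev/null)" = "$(stat -c %d / 2>/dev/null)" ]; then
        echo on-root
    else
        echo mounted
    fi
}

# check_root: report "/" usage, flag directories that sit on "/" instead of
# their own partition, and list the largest top-level consumers on "/".
check_root() {
    pct=$(df -P / | usage_pct)
    if over_threshold "$pct" "$THRESHOLD"; then
        echo "WARNING: / at ${pct}% (>= ${THRESHOLD}%): disk sentry would stop core services"
    else
        echo "OK: / at ${pct}%"
    fi
    for d in /store /store/backup /store/persistent_queue /root; do
        [ -d "$d" ] && echo "$d: $(mount_state "$d")"
    done
    # -x keeps du on the root file system, so mounted partitions are not counted
    du -xsh /* 2>/dev/null | sort -rh | head -n 5
}

if [ "${1:-}" = "--run" ]; then
    check_root
fi
```

Run it as `sh check_root.sh --run`; a directory reported as "on-root" is one whose writes land on the "/" partition rather than on separate storage.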

Upgrade from 7.2.x to 7.3.x

Since 7.3.1, QRadar uses LVM and the logical volume /dev/mapper/rootrhel-root was designated for the "/" partition alone. QRadar installed on appliances with less than 256GB (minimum disk storage) can cause some partitions to default to the "/" partition.

[root@qradar ~]# df -Th /
Filesystem                Type  Size  Used Avail Use% Mounted on
/dev/mapper/rootrhel-root xfs    13G  4.1G  8.5G  33% /

Failed Update Error

When a software update runs, the "/" partition is checked to ensure it has enough free space for the update. It is advised to remediate any disk space issues before the update runs, as suggested in the QRadar: Software update checklist for administrators.

If the partition does not have enough space, the update fails with the error:
=-= Disk Space Report Complete for '/'

[ERROR](testmode) - Mountpoint: / has 924140 Kb available and requires 1396312.8 Kb
[ERROR](testmode) Pretest had 1 failed checks for free space;
 - Mountpoint: / has 924140 Kb available and requires 1396312.8 Kb

Patch Report for <QRadar host IP>, appliance type: <QRadar appliance type>
=-= DiskSpace Report for Mountpoint '/' =-=
=-= Available: 924140 Kb,  Required: 1396312.8 KB =-=
=-= Total RPM Files: 87436 Kb =-=

=-= Disk Space Report Complete for '/'
<Hostname> :  patch test failed.

Troubleshooting Disk Space Issues

To determine which files or directories are filling the "/" partition and how to release space safely, follow the steps in the following articles:


Document Information

Modified date:
30 September 2022