Question & Answer
The "/" partition is the root directory of the file system. All the directories in Linux are contained in this partition when a partition mount point or external mount point for a specific directory is not created.
By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the "/" partition. If the "/" partition fills up to 95%, the QRadar disk sentry stops the QRadar core services.
The following are the most common causes of the "/" partition filling up:
- An external file system (See the QRadar offboard storage) is not available and a file needs to be written to the directory mount point.
Example: QRadar backups are enabled, and the /store/backup/ partition is configured on an NFS server mount point. When nightly backups run and the NFS server is unreachable, the backup engine looks for the /store/backup/ directory and writes the file to "/". Because backup files can grow to several hundred GBs in size, the file can fill the "/" partition.
- QRadar is installed on an appliance (virtual or physical) with less disk space than the minimum storage requirement. A disk smaller than 256GB causes some partitions not to be created separately, so their directories end up inside the "/" partition.
Example: The /store/ partition is not created because the disk of the appliance is 200GB (minimum requirement is 256GB). When the appliance receives many events, they are buffered in the /store/persistent_queue/ and because the /store partition does not exist, the /store/persistent_queue/ directory can fill the "/" partition.
- External files or temporary files created by commands run by the administrator are not cleaned up after use.
Example: An administrator needs to gather information from the system and imports several files to /root/script/. Later, a QRadar software update SFS file is copied to /root/ to upgrade the environment and the copy is interrupted due to lack of space. Administrators often forget to delete older files that are no longer required, and the sum of these forgotten files can grow until it fills up the "/" partition.
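The following script is an added example, not part of this IBM page and not QRadar's own disk sentry. It is a read-only check for the three causes listed above and for the 95% sentry condition: it reports the "/" usage against the threshold, flags directories that should have their own mount point but are actually backed by "/" (offboard storage not mounted, or partitions not created on a disk below the minimum size), and lists the largest top-level directories that live on "/" itself. The expected mount list (/store, /store/backup) and the `--check` switch are the example's own assumptions; it relies only on POSIX df, du, awk, sed, sort and head.

```shell
#!/bin/sh
# Added example (not IBM's page content and not QRadar's disk sentry): a
# read-only pre-check for "/" filling up. Assumptions: POSIX df/du/awk;
# EXPECTED_MOUNTS is an assumed list, adjust it to the appliance's layout.

SENTRY_THRESHOLD=95                      # "/" usage at which the disk sentry stops core services
EXPECTED_MOUNTS="/store /store/backup"   # assumed: directories that should be separate mounts

# Parse the Capacity column ("33%") of one "df -P" data line into a bare integer.
pct_from_df_line() {
    printf '%s\n' "$1" | awk '{ sub("%", "", $5); print $5 }'
}

# Parse the mount point (last column) of one "df -P" data line.
mount_from_df_line() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# The "df -P" data line for the filesystem that backs a path (-P prevents wrapping).
df_line_for() {
    df -P "$1" | sed -n '2p'
}

use_pct()       { pct_from_df_line "$(df_line_for "$1")"; }
backing_mount() { mount_from_df_line "$(df_line_for "$1")"; }

# Exit 0 when usage has reached the threshold (the sentry condition), 1 otherwise.
above_threshold() {
    [ "$1" -ge "$2" ]
}

# Exit 0 when a directory that should have its own mount is really on "/":
# anything written there (backups, persistent_queue, leftover files) consumes "/".
falls_back_to_root() {
    [ -d "$1" ] && [ "$(backing_mount "$1")" = "/" ]
}

# Largest top-level directories on the "/" filesystem only (-x stays on one
# filesystem, so separately mounted partitions are not counted). Sizes in KB.
top_consumers_on_root() {
    du -xsk /* 2>/dev/null | sort -rn | head -n "${1:-5}"
}

root_report() {
    pct=$(use_pct /)
    printf '"/" usage: %s%% (sentry threshold %s%%)\n' "$pct" "$SENTRY_THRESHOLD"
    if above_threshold "$pct" "$SENTRY_THRESHOLD"; then
        echo 'WARNING: the disk sentry stops QRadar core services at this level'
    fi
    for m in $EXPECTED_MOUNTS; do
        if falls_back_to_root "$m"; then
            echo "WARNING: $m is backed by \"/\" (no separate mount); writes there fill \"/\""
        fi
    done
    echo 'Largest top-level directories on "/" (KB):'
    top_consumers_on_root 5
}

# Run the report only when invoked as "sh check_root.sh --check", so the
# functions can also be sourced and reused from other scripts.
case "${1:-}" in
    --check) root_report ;;
esac
```

Running it with `--check` on an appliance gives a quick answer to the usual support questions: how close "/" is to the 95% sentry cut-off, whether /store or /store/backup silently lost its mount, and which top-level directory is holding the space. Because `du -x` stays on the "/" filesystem, a large /store that is correctly mounted does not show up in the consumer list, while a /store/backup that fell back to "/" does.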
Upgrade from 7.2.x to 7.3.x
Since 7.3.1, QRadar uses LVM, and the logical volume /dev/mapper/rootrhel-root is designated for the "/" partition alone. On appliances with less than the 256GB minimum disk storage, some partitions can default to the "/" partition.
[root@qradar ~]# df -Th /
Filesystem                Type  Size  Used  Avail  Use%  Mounted on
/dev/mapper/rootrhel-root xfs   13G   4.1G  8.5G   33%   /
=-= Disk Space Report Complete for '/'
[ERROR](testmode) - Mountpoint: / has 924140 Kb available and requires 1396312.8 Kb
[ERROR](testmode) Pretest had 1 failed checks for free space;
 - Mountpoint: / has 924140 Kb available and requires 1396312.8 Kb
Patch Report for <QRadar host IP>, appliance type: <QRadar appliance type>
=-= DiskSpace Report for Mountpoint '/' =-=
=-= Available: 924140 Kb, Required: 1396312.8 KB =-=
=-= Total RPM Files: 87436 Kb =-=
=-= Disk Space Report Complete for '/'
<Hostname> : patch test failed.
30 September 2022