Question & Answer
The /opt partition is used as directory of add-on application software packages in the file system. Many critical QRadar files and directories exist inside this partition.
By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /opt partition. When the /opt partition fills up, the QRadar disk sentry stops the QRadar core services.
The following are the most common causes of the /opt partition filling up:
- Leftover replication files
- Leftover ecs-ec-ingress, ecs-ec, and ecs-ep configuration files from previous versions
- Stalled PIDs preventing the system to provide accurate values
- Manual auto update leftover files
- Third-party packages installed on the system
Upgrade from 7.2.x to 7.3.x
Since 7.3.1, QRadar uses LVM and the logical volume /dev/mapper/rootrhel-opt was designated for the /opt partition. Administrators must be aware of the /opt partition resize after the upgrade from 7.2.8.
[root@qradar ~]# df -Th /opt Filesystem Type Size Used Avail Use% Mounted on /dev/mapper/rootrhel-opt xfs 13G 5.2G 7.4G 42% /opt
Failed Update Error
=-= DiskSpace Report for Mountpoint '/opt' =-= =-= Available: 1735980 Kb, Required: 1932367.2 KB =-= =-= Total Patch Files: 3524 Kb =-= =-= Total RPM Files: 1159000 Kb =-= =-= Directories over 1G on mountpoint /opt to a depth of 3: /opt =-= Size (MB) Directory 10109 /opt 7572 /opt/qradar 4780 /opt/qradar/bin 4597 /opt/qradar/bin/ca_jail 2071 /opt/ibm 1656 /opt/ibm/si 1640 /opt/ibm/si/services 1163 /opt/qradar/conf =-= Files on mountpoint /opt over 1G =-= =-= Disk Space Report Complete for '/opt' <Hostname>: patch test failed.
Was this topic helpful?
30 September 2022