QRadar: About /opt partition

What is the purpose of the root /opt partition in QRadar, and how can I troubleshoot issues with the /opt partition filling?


The /opt partition is used as directory of add-on application software packages in the file system. Many critical QRadar files and directories exist inside this partition.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /opt  partition. When the /opt partition fills up, the QRadar disk sentry stops the QRadar core services

The following are the most common causes of the /opt partition filling up:

  • Leftover replication files
  • Leftover ecs-ec-ingress, ecs-ec, and ecs-ep configuration files from previous versions
  • Stalled PIDs preventing the system to provide accurate values
  • Manual auto update leftover files
  • Third-party packages installed on the system

Upgrade from 7.2.x to 7.3.x

Since 7.3.1, QRadar uses LVM and the logical volume /dev/mapper/rootrhel-opt was designated for the /opt partition. Administrators must be aware of the /opt partition resize after the upgrade from 7.2.8.

[root@qradar ~]# df -Th /opt
Filesystem               Type  Size  Used Avail Use% Mounted on
/dev/mapper/rootrhel-opt xfs    13G  5.2G  7.4G  42% /opt

Failed Update Error

When a software update runs, the /opt partition is checked to ensure the disk space has enough space for the update. If the partition does not have enough space, the software update fails and reports which directories and files are the largest.
=-= DiskSpace Report for Mountpoint '/opt' =-=

=-= Available: 1735980 Kb,  Required: 1932367.2 KB =-=
=-= Total Patch Files: 3524 Kb =-=
=-= Total RPM Files: 1159000 Kb =-=
=-= Directories over 1G on mountpoint /opt to a depth of 3: /opt =-=

Size (MB)     Directory
10109         /opt
7572          /opt/qradar
4780          /opt/qradar/bin
4597          /opt/qradar/bin/ca_jail
2071          /opt/ibm
1656          /opt/ibm/si
1640          /opt/ibm/si/services
1163          /opt/qradar/conf

=-= Files on mountpoint /opt over 1G =-=

=-= Disk Space Report Complete for '/opt'
<Hostname>:  patch test failed.
Troubleshooting Disk Space Issues
To determine which files or directories are filling the /opt partition and how to release space safely, follow the steps in the following articles:

