IBM Support

QRadar: About /store partition

Question & Answer


Question

What is the purpose of the root /store partition in QRadar, and how can I troubleshoot issues with the /store partition filling?

Answer

The /store partition is the largest partition in a QRadar appliance. It holds the directories of many critical services that require a large amount of space, such as the database, configuration deployment files, and all stored event and flow data.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /store partition. If the /store partition fills up, the QRadar disk sentry stops the QRadar core services.

Upgrade from 7.2.x to 7.3.x

In QRadar 7.3.0 and older, the /store partition had a fixed partition number, /dev/sda8. Since 7.3.1, QRadar uses LVM, and the logical volume /dev/mapper/storerhel-store is designated for the /store partition. QRadar deployments upgraded from 7.2.x remained on /dev/sda8 and can be affected by the following defect: APAR IJ41796.

[root@qradar ~]# df -Th /store
Filesystem                  Type  Size  Used Avail Use% Mounted on
/dev/mapper/storerhel-store xfs   5.8T  535G  5.2T  10% /store

Disk allocation in /store

QRadar allocates capacity to the /store partition at installation, depending on how many disks are present. For more information about this procedure, see: QRadar: Installing QRadar on appliances with several disks.

When there is not enough space on a single disk, the /store partition can default to the "/" partition and cause disk space issues. To learn how to identify this issue, see: QRadar: Troubleshooting disk space usage problems.

Extending the capacity of /store

Extending the /store partition size by using LVM extend or similar SAN technologies is not supported. For supported procedures and other detailed information about this topic, see:

Role of /store in High Availability Clusters

The /store partition is taken into account in the disk calculations that are made when a High Availability cluster is created. For other High Availability questions, see: QRadar: High Availability FAQ.

Failed Update Error

When a software update runs, the /store partition is checked to ensure that it has enough free space for the update. If the partition does not have enough space, the update fails with a "patch test failed" error.

[INFO](testmode) Checking Disk Space...
[ERROR](testmode) /store has 645428846.200001 Kb needed and only 460660028 Kb available
=-= DiskSpace Report for Mountpoint '/store' =-=
=-= Available: 460660028 Kb,  Required: 645428846.200001 KB =-=
=-= Total Database: 31649308 Kb =-=
=-= Total Patch Files: 16312 Kb =-=
=-= Total RPM Files: 364 Kb =-=
=-= Total Store RPMs: 18427 Kb =-=
=-= Directories over 1G on mountpoint /store to a depth of 3: /store =-=
=-= Size (MB)           Directory
=-= 1410176     /store
=-= 1394063     /store/ariel
=-= 1389302     /store/ariel/events
=-= 912380      /store/ariel/events/records
=-= 472708      /store/ariel/events/payloads
=-= 7473        /store/postgres/data
=-= 7473        /store/postgres
=-= 6828        /store/postgres/data/base
=-= 4215        /store/ariel/events/md
=-= 3543        /store/postgres-qvm/data
=-= 3543        /store/postgres-qvm
=-= 3372        /store/ariel/gv/records
=-= 3372        /store/ariel/gv
=-= 2196        /store/postgres-qvm/data/base
=-= 1429        /store/configservices
=-= 1390        /store/ariel/statistics
=-= 1345        /store/postgres-qvm/data/pg_xlog
=-= Files on mountpoint /store over 1G =-=
=-= 11M /store/docker-data/engine/15780T2/devicemapper/devicemapper/data
=-= 596K /store/docker-data/engine/15780T2/devicemapper/devicemapper/metadata
=-= Disk Space Report Complete for '/store'
<Hostname> :  patch test failed.
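
The shortfall and the directories that actually hold the space can be read directly from a report like the one above. The following is an added example, not IBM's code: the function names are hypothetical and the sample input is an excerpt of the report on this page.

```shell
#!/usr/bin/env bash
# Added example (not IBM code): read a failed pretest "DiskSpace Report".
# Function names are hypothetical.

# Sample input: excerpt of the report shown on this page.
sample_report() {
cat <<'EOF'
[ERROR](testmode) /store has 645428846.200001 Kb needed and only 460660028 Kb available
=-= Available: 460660028 Kb,  Required: 645428846.200001 KB =-=
=-= Size (MB)           Directory
=-= 1410176     /store
=-= 1394063     /store/ariel
=-= 1389302     /store/ariel/events
=-= 912380      /store/ariel/events/records
=-= 472708      /store/ariel/events/payloads
=-= 7473        /store/postgres/data
=-= Files on mountpoint /store over 1G =-=
=-= 11M /store/docker-data/engine/15780T2/devicemapper/devicemapper/data
EOF
}

# Print required minus available in whole Kb, rounded up; 0 when there is no shortfall.
store_shortfall_kb() {
  awk '/^=-= Available:/ {
         avail = $3 + 0; req = $6 + 0   # $3 = available Kb, $6 = required Kb
         d = req - avail
         if (d <= 0) { print 0; exit }
         s = int(d); if (s < d) s++
         printf "%d\n", s; exit
       }'
}

# Print "<MB> <path>" for report directories with no listed child, largest first.
# Parent rows are skipped because their size already includes the children.
store_leaf_dirs() {
  awk '$1 == "=-=" && $2 ~ /^[0-9]+$/ && $3 ~ /^\// { size[$3] = $2 }
       END {
         for (p in size) {
           leaf = 1
           for (q in size) if (index(q, p "/") == 1) { leaf = 0; break }
           if (leaf) print size[p], p
         }
       }' | sort -rn
}

echo "Shortfall on /store: $(sample_report | store_shortfall_kb) Kb"
sample_report | store_leaf_dirs
```

On an appliance, pipe the saved pretest output into the two functions in place of `sample_report`.
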
Troubleshooting Disk Space Issues

To determine which files or directories are filling the /store partition and how to release space safely, follow the steps in the following articles:


Document Information

Modified date:
30 September 2022

UID

ibm16824097