QRadar: About /storetmp partition

What is the purpose of the /storetmp partition in QRadar, and how can I troubleshoot issues with the /storetmp partition filling?


The /storetmp partition is used as a temporary location for storing configuration files used by the various processes in QRadar. This partition is the best location to copy SFS files to a QRadar system.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /storetmp partition. If the /storetmp partition fills up, the QRadar disk sentry stops the QRadar core services.

Upgrade from 7.2.x to 7.3.x

In QRadar 7.2.8 and older, /storetmp did not exist as its own partition and was presented as /store/tmp. Since 7.3.1, QRadar uses LVM and the logical volume /dev/mapper/rootrhel-storetmp is designated for the /storetmp partition, which is now a separate partition, with /store/tmp as a symbolic link to it.

[root@qradar ~]# ll /store | grep tmp
lrwxrwxrwx  1 nobody   nobody      10 Jun 28  2019 tmp -> /storetmp/
This link is important in QRadar so that any data written to /store/tmp fills /storetmp as an individual partition.

Disk maintenance in /storetmp

Since QRadar 7.3.2, the disk maintenance utility runs every 24 hours and removes data in /storetmp that is not related to QRadar. For more information about this procedure, see: QRadar: Files in /storetmp are removed daily by disk maintenance.

Failed Update Error
When a software update runs, the /storetmp partition is checked to ensure it has enough space for the update. If the partition does not have enough space, the update fails with a "Patch Test Failed" error. Remediate any disk space issues before the update runs, as suggested in QRadar: Software update checklist for administrators.
 [INFO](testmode) Checking Disk Space...
[ERROR](testmode) /storetmp has 1571635.2 Kb needed and only 996688 Kb available
[ERROR](testmode) Usage Report:

=-= DiskSpace Report for Mountpoint '/storetmp' =-=
=-= Available: 996688 Kb,  Required: 1571635.2 KB =-=

=-= Directories over 1G on mountpoint /storetmp to a depth of 3: /storetmp =-=
Size (MB)               Directory
14339   /storetmp
14337   /storetmp/test

=-= Files on mountpoint /storetmp over 1G =-=
15G /storetmp/test/14GBfile

=-= Disk Space Report Complete for '/storetmp'

[ERROR](testmode) - Mountpoint: /storetmp has 996688 Kb available and requires 1571635.2 Kb

[ERROR](testmode) Pretest had 1 failed checks for free space;
 - Mountpoint: /storetmp has 996688 Kb available and requires 1571635.2 Kb

[ERROR](testmode) sql pretest errored, halting.- Mountpoint: /storetmp has 996688 Kb available and requires 1571635.2 Kb

 [INFO](testmode) Set <Hostname> status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue
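
The free-space comparison that the pretest reports can be repeated by hand before an update starts. The following shell functions are an added example, not part of the original article or of QRadar; the function names are hypothetical, and the required size is the one from the sample output above.

```shell
#!/bin/sh
# Added example, not IBM code. Sizes are in KB, as in the pretest output.

# Available KB on the filesystem that holds path $1.
avail_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Succeeds when $1 has at least $2 KB available ($2 may be fractional);
# otherwise prints the shortfall and returns 1.
has_space() {
    awk -v a="$(avail_kb "$1")" -v r="$2" -v m="$1" 'BEGIN {
        if (a + 0 >= r + 0) exit 0
        printf "%s: %.1f KB short (%s available, %s required)\n", m, r - a, a, r
        exit 1
    }'
}

# Directories above 1 GB under $1, largest first, staying on one filesystem.
dirs_over_1g() {
    du -xk "$1" 2>/dev/null | awk '$1 > 1048576' | sort -rn
}

# Reads pretest output on stdin; prints "mountpoint shortfall_kb" once per
# mountpoint that failed the free-space check.
pretest_shortfall() {
    awk '/Mountpoint: .* available and requires / {
        for (i = 1; i <= NF; i++) if ($i == "Mountpoint:") {
            mp = $(i + 1); av = $(i + 3); req = $(i + 8)
            if (!(mp in seen)) { seen[mp] = 1; printf "%s %.1f\n", mp, req - av }
        }
    }'
}

# Lines copied from the pretest output shown above.
sample_pretest_log() {
    cat <<'EOF'
[ERROR](testmode) /storetmp has 1571635.2 Kb needed and only 996688 Kb available
[ERROR](testmode) - Mountpoint: /storetmp has 996688 Kb available and requires 1571635.2 Kb
[ERROR](testmode) sql pretest errored, halting.- Mountpoint: /storetmp has 996688 Kb available and requires 1571635.2 Kb
EOF
}

sample_pretest_log | pretest_shortfall    # /storetmp 574947.2
# On the appliance: has_space /storetmp 1571635.2 || dirs_over_1g /storetmp
```
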
Troubleshooting Disk Space Issues
To determine which files or directories are filling the /storetmp partition and how to release space safely, follow the steps in the following articles:

30 September 2022