What is the purpose of the /var/log partition in QRadar, and how can I troubleshoot issues with the /var/log partition filling?


The /var/log partition holds the system's miscellaneous log files and their subdirectories.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage on the /var/log partition. If the /var/log partition fills up, the disk sentry raises an alert but does not stop the QRadar core services.

The most common cause of the /var/log partition filling up is logrotate failing. If a log file grows faster than logrotate can compress or remove it, the partition can run out of space.

Failed Update Error
When a software update runs, a health check of the /var/log partition verifies that the partition has enough free space for the update. If it does not, the update fails with a "patch test failed" error. Administrators are advised to remediate any disk space issues before the update runs, as suggested in the QRadar: Software update checklist for administrators.
Available Space Checks
  Checks if /var/log has enough space
         Not enough space in /var/log: Available Space: 327 MB - File:
         /var/log/qradar.log 13312 MB. This will cause logrotate to fail.
         Free up space in /var/log. You need at least 13512 MB free.

[SUMMARY]  7 successful checkups
[SUMMARY]  1 failed checkup
[SUMMARY]  0 invalid files
[SUMMARY] 15 skipped files

[ERROR](testmode) Cliniq checkup with mode patch has found errors.
[ERROR](testmode) Cliniq has detected unresolved patch-sensitive issues. You must resolve these issues before continuing.
 [INFO](testmode) Set <Hostname> status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue

Status Summary of Hosts
|Hostname                   |Status             |
|<Hostname>                 |Patch Test Failed  |

Patch Report for <Host IP>, appliance type: 3105
<Hostname> :  patch test failed.

Press enter to continue...
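The two conditions described above, logrotate needing room for a copy of the file it rotates, and the patch test refusing to run while a log file is larger than the free space on /var/log, can be checked by hand with a small POSIX shell helper. The script below is an added example written for this article; it is not IBM's disk sentry or Cliniq code. The function names are assumptions, and so is the 200 MB safety margin, which is inferred from the 13312 MB file and 13512 MB requirement in the output above.

```shell
#!/bin/sh
# Added example (not from the IBM article): triage helpers for a log partition
# such as QRadar's /var/log. Function names and the margin are assumptions.

# Use% of the filesystem holding PATH, as a bare number (e.g. 12 for "12%").
fs_usage_percent() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Free space in MB on the filesystem holding PATH.
fs_avail_mb() {
    df -P -k "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# The N largest regular files under DIR, one per line as "SIZE_KB PATH",
# largest first. This is the quickest way to see what is eating /var/log.
largest_files() {
    find "$1" -type f -exec du -k {} + 2>/dev/null | sort -rn | head -n "$2"
}

# Minimum free MB needed to rotate FILE: logrotate copies or compresses the
# file before removing the original, so it needs roughly the file's own size
# plus a margin. 200 MB is assumed from the 13312 MB / 13512 MB figures in
# the patch-test output on this page.
ROTATE_MARGIN_MB=200
rotate_needs_mb() {
    bytes=$(wc -c < "$1" | tr -d ' ')
    echo $(( bytes / 1048576 + ROTATE_MARGIN_MB ))
}

# Report every file under DIR that cannot be rotated with the space available.
# AVAIL_MB (second argument) overrides the live df figure for what-if checks.
# Prints one line per offending file; prints nothing when all files fit.
check_rotate_headroom() {
    dir=$1
    avail=${2:-$(fs_avail_mb "$dir")}
    find "$dir" -type f | while IFS= read -r f; do
        need=$(rotate_needs_mb "$f")
        if [ "$need" -gt "$avail" ]; then
            echo "$f needs $need MB free to rotate, only $avail MB available"
        fi
    done
}

# Usage when run as a script:  sh triage.sh /var/log
if [ -n "${1:-}" ]; then
    echo "Use%: $(fs_usage_percent "$1")   free: $(fs_avail_mb "$1") MB"
    largest_files "$1" 5
    check_rotate_headroom "$1"
fi
```

Run against /var/log, the last function reproduces the patch test's complaint in its own words: any file it lists is one that logrotate cannot rotate in place and that the update will refuse to proceed past, so that file (or its neighbours reported by largest_files) is where space has to be released first.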
Troubleshooting Disk Space Issues
To determine which files or directories are filling the /var/log partition and how to release space safely, follow the steps in the following articles:

Upgrade from 7.2.x to 7.3.x

Since 7.3.1, QRadar uses LVM, and the logical volume /dev/mapper/rootrhel-varlog is dedicated to the /var/log partition: although /var/log sits under /var, it has its own capacity. Subdirectories such as /var/log/audit are separate partitions on their own logical volumes.

[root@qradar ~]# df -Th /var/log
Filesystem                  Type  Size  Used Avail Use% Mounted on
/dev/mapper/rootrhel-varlog xfs    15G  1.7G   14G  12% /var/log

