Question & Answer
Question
Answer
The /var/log partition is the partition that contains miscellaneous log files and appropriate subdirectories.
By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /var/log partition. If the /var/log partition fills up, the QRadar disk sentry alerts but does not stop the QRadar core services.
The most common cause of the /var/log partition filling up is logrotate failing. If a log file grows faster than logrotate can compress or remove it, it can affect /var/log.
Available Space Checks
Checks if /var/log has enough space
[FAILURE]
Not enough space in /var/log: Available Space: 327 MB - File:
/var/log/qradar.log 13312 MB. This will cause logrotate to fail.
[REMEDIATION]
Free up space in /var/log. You need at least 13512 MB free.
[SUMMARY] 7 successful checkups
[SUMMARY] 1 failed checkup
[SUMMARY] 0 invalid files
[SUMMARY] 15 skipped files
[ERROR](testmode) Cliniq checkup with mode patch has found errors.
[ERROR](testmode) Cliniq has detected unresolved patch-sensitive issues. You must resolve these issues before continuing.
[INFO](testmode) Set <Hostname> status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue
Status Summary of Hosts
+---------------------------+-------------------+
|Hostname |Status |
|---------------------------+-------------------|
|<Hostname> |Patch Test Failed |
+---------------------------+-------------------+
Patch Report for <Host IP>, appliance type: 3105
<Hostname> : patch test failed.
Press enter to continue...
Upgrade from 7.2.x to 7.3.x
Since 7.3.1, QRadar uses LVM and the logical volume /dev/mapper/rootrhel-varlog was designated for the /var/log partition alone and uses its own capacity despite being inside /var. Subdirectories such as /var/log/audit use their own logical volume as separate partitions.
[root@qradar ~]# df -Th /var/log
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/rootrhel-varlog xfs 15G 1.7G 14G 12% /var/log
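The following script is an added example, not IBM's pretest code: it reproduces the kind of headroom check shown in the failure output above, so the condition can be spotted before a patch run. The 200 MB margin is an assumption inferred from the sample output (13512 MB required against a 13312 MB file), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does the log partition have room for logrotate to handle
# its largest file? MARGIN_MB=200 is an assumption inferred from the sample
# output (13512 MB required - 13312 MB file), not a documented constant.
MARGIN_MB=200

# Free space on the filesystem holding $1, in MB (POSIX df, 1 KB blocks).
avail_mb() {
    df -Pk "$1" | awk 'NR==2 { printf "%d\n", $4 / 1024 }'
}

# Largest regular file under $1 as "<size_mb> <path>". -xdev keeps the scan
# on one filesystem, so separately mounted subdirectories such as
# /var/log/audit are not counted. Relies on GNU find's -printf.
largest_file() {
    find "$1" -xdev -type f -printf '%s\t%p\n' 2>/dev/null |
        sort -n | tail -n 1 |
        awk -F '\t' '{ printf "%d %s\n", $1 / 1048576, $2 }'
}

# verdict AVAIL_MB LARGEST_MB [MARGIN_MB]
# Prints the result; returns 0 if there is enough room, 1 otherwise.
verdict() {
    need=$(( $2 + ${3:-$MARGIN_MB} ))
    if [ "$1" -ge "$need" ]; then
        echo "OK: ${1} MB available, ${need} MB needed"
    else
        echo "FAIL: ${1} MB available, need at least ${need} MB free"
        return 1
    fi
}

# check_dir DIR: measure free space and the largest file, then decide.
check_dir() {
    avail=$(avail_mb "$1")
    biggest=$(largest_file "$1")
    size=${biggest%% *}
    echo "largest file: ${biggest#* } (${size:-0} MB)"
    verdict "${avail:-0}" "${size:-0}"
}

# Runs only when asked, e.g.:  sh headroom.sh --check /var/log
if [ "${1:-}" = "--check" ]; then
    check_dir "${2:-/var/log}"
fi
```

A non-zero exit status from `--check` makes the script usable from cron or a monitoring agent that alerts on failure.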
Document Information
Modified date:
19 October 2022
UID
ibm16826607