IBM Support

QRadar: About /var/log/audit partition

Question & Answer


What is the purpose of the /var/log/audit partition in QRadar, and how can I troubleshoot issues with the /var/log/audit partition filling?


The /var/log/audit partition is the partition that contains audit logs of the system, searches, and API calls.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /var/log/audit partition. If the /var/log/audit partition fills up, the QRadar disk sentry alerts but does not stop the QRadar core services

The most common causes of the /var/log/audit partition filling up is log rotate failing. If a log file grows faster than what log rotate can compress or remove it, it can affect /var/log/audit.

Failed Update Error
When a software update runs, a health check to the /var/log/audit partition is run to ensure the disk space has enough space for the update. If the partition does not have enough space, it fails with a "patch test failed" error. It is advised remediating any disk space issues before the update runs as suggested in the QRadar: Software update checklist for administrators.
Available Space Checks
  Checks if /var/log has enough space
         Not enough space in /var/log/audit: Available Space: 94 MB - File:
         /var/log/audit/auditd.log.5 2800 MB. This will cause logrotate to
         Free up space in /var/log/audit. You need at least 3000 MB free.

[SUMMARY]  7 successful checkups
[SUMMARY]  1 failed checkup
[SUMMARY]  0 invalid files
[SUMMARY] 15 skipped files

[ERROR](testmode) Cliniq checkup with mode patch has found errors.
[ERROR](testmode) Cliniq has detected unresolved patch-sensitive issues. You must resolve these issues before continuing.
 [INFO](testmode) Set <Hostname> status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue

Status Summary of Hosts
|Hostname                   |Status             |
|<Hostname>                 |Patch Test Failed  |

Patch Report for <Host IP>, appliance type: 3105
<Hostname> :  patch test failed.

Press enter to continue...
Troubleshooting Disk Space Issues
To determine which files or directories are filling the /var/log/audit partition and how to release space safely, follow the steps in the following articles:

Upgrade from 7.2.x to 7.3.x

Since 7.3.1, QRadar uses LVM and the logical volume /dev/mapper/rootrhel-varlogaudit was designated for the /var/log/audit partition alone and uses its own capacity despite being inside /var and /var/log.

[root@qradar ~]# df -Th /var/log/audit
Filesystem                       Type  Size  Used Avail Use% Mounted on
/dev/mapper/rootrhel-varlogaudit xfs   3.0G  167M  2.9G   6% /var/log/audit

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
19 October 2022