Question & Answer
Question
Answer
The /var/log/audit partition is the partition that contains audit logs of the system, searches, and API calls.
By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /var/log/audit partition. If the /var/log/audit partition fills up, the QRadar disk sentry alerts but does not stop the QRadar core services.
The most common cause of the /var/log/audit partition filling up is logrotate failing. If a log file grows faster than logrotate can compress or remove it, the /var/log/audit partition can fill up.
Available Space Checks
Checks if /var/log has enough space
[FAILURE]
Not enough space in /var/log/audit: Available Space: 94 MB - File:
/var/log/audit/auditd.log.5 2800 MB. This will cause logrotate to
fail.
[REMEDIATION]
Free up space in /var/log/audit. You need at least 3000 MB free.
[SUMMARY] 7 successful checkups
[SUMMARY] 1 failed checkup
[SUMMARY] 0 invalid files
[SUMMARY] 15 skipped files
[ERROR](testmode) Cliniq checkup with mode patch has found errors.
[ERROR](testmode) Cliniq has detected unresolved patch-sensitive issues. You must resolve these issues before continuing.
[INFO](testmode) Set <Hostname> status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue
Status Summary of Hosts
+---------------------------+-------------------+
|Hostname |Status |
|---------------------------+-------------------|
|<Hostname> |Patch Test Failed |
+---------------------------+-------------------+
Patch Report for <Host IP>, appliance type: 3105
<Hostname> : patch test failed.
Press enter to continue...
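The two conditions described above, the 3000 MB minimum that the Cliniq report enforces and the rotated-but-uncompressed audit logs that indicate logrotate falling behind, reproduced as a POSIX shell script. This is an added example and not IBM's disk sentry or Cliniq code; the function names and the 3000 MB default are assumptions taken from the report above.

```shell
#!/bin/sh
# Hypothetical pre-upgrade check for /var/log/audit (added example, not
# IBM's Cliniq or disk sentry code). It reproduces the two conditions the
# page describes: free space below the 3000 MB the patch pretest requires,
# and rotated audit logs that logrotate has not managed to compress.

# audit_free_mb DIR -> prints free MB on the filesystem that holds DIR
audit_free_mb() {
    # df -Pk is POSIX (1 KB blocks); column 4 is available blocks
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# audit_largest_file DIR -> prints "<path> <size> MB" for the largest regular file
audit_largest_file() {
    find "$1" -type f -exec du -k {} + 2>/dev/null | sort -n | tail -n 1 |
        awk '{ kb = $1; sub(/^[0-9]+[[:space:]]+/, ""); printf "%s %d MB\n", $0, kb / 1024 }'
}

# audit_uncompressed_rotations DIR -> lists rotated logs (name.log.N) still
# uncompressed, the symptom behind "auditd.log.5 2800 MB" in the report above
audit_uncompressed_rotations() {
    find "$1" -type f -name '*.log.[0-9]*' ! -name '*.gz' 2>/dev/null
}

# check_audit_space DIR [MIN_FREE_MB] -> returns 0 when enough space is free,
# 1 otherwise, printing a FAILURE/REMEDIATION pair in the pretest's style
check_audit_space() {
    dir=$1
    min_mb=${2:-3000}
    free_mb=$(audit_free_mb "$dir")
    if [ "${free_mb:-0}" -ge "$min_mb" ]; then
        echo "[OK] $dir: Available Space: ${free_mb} MB (minimum ${min_mb} MB)"
        return 0
    fi
    echo "[FAILURE] Not enough space in $dir: Available Space: ${free_mb} MB - Largest file: $(audit_largest_file "$dir")"
    audit_uncompressed_rotations "$dir" | while IFS= read -r f; do
        echo "[FAILURE] Rotated but uncompressed: $f"
    done
    echo "[REMEDIATION] Free up space in $dir. You need at least ${min_mb} MB free."
    return 1
}

# Run with --run on the console to check the real partition against the
# pretest's 3000 MB minimum; the exit status mirrors the pretest result.
if [ "${1:-}" = "--run" ]; then
    check_audit_space /var/log/audit 3000
fi
```

Running it before the patch pretest tells you whether the check will fail and which file to look at first, without waiting for the installer to reach the Cliniq step.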
Upgrade from 7.2.x to 7.3.x
Since 7.3.1, QRadar uses LVM, and the logical volume /dev/mapper/rootrhel-varlogaudit was designated for the /var/log/audit partition alone. It uses its own capacity despite being inside /var and /var/log.
[root@qradar ~]# df -Th /var/log/audit
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/rootrhel-varlogaudit xfs 3.0G 167M 2.9G 6% /var/log/audit
Document Information
Modified date:
19 October 2022
UID
ibm16826611