IBM Support

QRadar 7.3.2: Files in /storetmp are removed daily by disk maintenance

Troubleshooting


Problem

QRadar 7.3.2 includes a change that ensures files are removed from temporary directories. In QRadar 7.3.0 and 7.3.1, an issue prevented the diskmaintd.pl utility from removing files in the /storetmp directory. The issue is resolved in QRadar 7.3.2, so administrators who keep files or exports in /storetmp need to move them to a safe location. Disk maintenance runs nightly at 2 AM and removes files older than 6 hours from the /storetmp directory.

Cause

The expected behavior of diskmaintd.pl is to clear /storetmp of any files that are older than 6 hours when the script runs. By default, a cron job runs diskmaintd.pl daily at 2 AM. In versions 7.3.0 and 7.3.1, an issue with how /store/tmp was symlinked to /storetmp meant that the directory was not traversed recursively, so files older than 6 hours remained in /storetmp.

Environment

QRadar administrators who upgrade to QRadar 7.3.2 with important files in the /storetmp directory.

Resolving The Problem

In QRadar 7.3.2, files older than 6 hours that reside in /storetmp are removed by diskmaintd.pl when it runs at 2 AM daily. It is important that administrators back up files, exports, or utilities to another directory in /store before they update to QRadar 7.3.2. Any aged files that are not moved out of /storetmp will be deleted by diskmaintd.pl.

Where should I keep important files?
Administrators can create a location for important data, such as /store/save/, /store/important, or /store/keep/, for exports, utilities, or important files. A customized location of this kind is not impacted by the disk maintenance script.
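The following is an added example, not IBM code and not part of diskmaintd: POSIX shell functions that list files older than the 6-hour threshold and copy them to a keep directory before the upgrade. It assumes age is judged by modification time (the article does not say which timestamp diskmaintd.pl uses) and that the destination, for example /store/keep, was chosen by the administrator.

```shell
#!/bin/sh
# Added example: preserve aged files from a temporary directory before
# disk maintenance removes them. Not part of QRadar or diskmaintd.
# Assumption: "older than 6 hours" is measured on modification time.

AGE_MINUTES=360   # 6 hours, the threshold stated in this technote

# Print every regular file under $1 older than AGE_MINUTES, one per line.
list_aged_files() {
    find "${1%/}" -type f -mmin +"$AGE_MINUTES" -print
}

# Copy every aged file from $1 into $2, keeping its relative path.
# Originals are left in place; the relative path of each copy is printed.
preserve_aged_files() {
    src=${1%/}
    dest=${2%/}
    find "$src" -type f -mmin +"$AGE_MINUTES" -exec sh -c '
        src=$1; dest=$2; shift 2
        for file in "$@"; do
            rel=${file#"$src"/}
            mkdir -p "$dest/$(dirname "$rel")" || exit 1
            # -p keeps mode and timestamps so the copy can be audited later
            cp -p "$file" "$dest/$rel" || exit 1
            printf "%s\n" "$rel"
        done
    ' sh "$src" "$dest" {} +
}

# Stand-alone use: sh preserve_storetmp.sh /storetmp /store/keep
if [ "$#" -eq 2 ]; then
    echo "Files at risk in $1:"
    list_aged_files "$1"
    echo "Copied to $2:"
    preserve_aged_files "$1" "$2"
fi
```

Run it against /storetmp, not the /store/tmp symlink, because find does not follow a symlink given as its starting point unless told to.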

What other temporary directories should I avoid using?
/storetmp, /tmp, and /transient should not be used to keep any important files on the system. These locations are used to temporarily store data by QRadar and are routinely cleaned up.

Can I modify diskmaintd to exclude specific directories?
Yes, but this is usually not recommended by QRadar Support. It is typically safer to create a unique directory in /store for your files, as a future update to diskmaintd could potentially override a change you have made. If you need to add a specific file or directory to the exclusion list so that it is not removed by disk maintenance, you can edit the /opt/qradar/conf/diskmaintd.conf file to include that file or directory. Any errors in the syntax could cause your files to be deleted.

If you do choose to edit this file and add a protected file or directory, it is recommended that you back up diskmaintd.conf before you edit it by making a copy with a different extension. For example, the following command backs up the original file to the same location with the filename diskmaintd.conf.sav:

cp /opt/qradar/conf/diskmaintd.conf /opt/qradar/conf/diskmaintd.conf.sav

I have further questions about this article
If you have questions or concerns about this article, you can use the Community question text box below, which will open a forum post about this article with your question and display it as part of this article. Optionally, administrators can open a case with QRadar Support.




Document Location

Worldwide








Document Information

Modified date:
28 March 2019

UID

ibm10874848