The expected behavior of diskmaintd.pl is to clear /storetmp of any files that are older than 6 hours when the script runs. By default, a cron job runs diskmaintd.pl daily at 2 AM. Due to an issue in versions 7.3.0 and 7.3.1 with how /store/tmp was symlinked to /storetmp, the directory traversal was not being called recursively, so files older than 6 hours remained on /storetmp.
Resolving The Problem
Where should I keep important files?
Administrators can create a location for important data, such as /store/save/, /store/important, or /store/keep/, for exports, utilities, or important files. Create a customized location to keep files, as this location is not impacted by the disk maintenance script.
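The following shell functions are an added example, not part of the original document or of QRadar itself: they list the files under a directory that are past the 6-hour age limit and copy them to a location that disk maintenance does not touch. The function names stale_files and preserve_stale are hypothetical, and the 360-minute default is the 6-hour threshold stated above.

```shell
#!/bin/sh
# Added example, not IBM code. Function names are hypothetical.

# stale_files DIR [MINUTES]: print regular files older than MINUTES.
stale_files() {
    dir=$1
    age_min=${2:-360}   # 6 hours = 360 minutes
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -H makes find follow a symlink given as the start path, so a path
    # like /store/tmp (symlink to /storetmp) is traversed, not just listed.
    find -H "$dir" -type f -mmin +"$age_min" -print
}

# preserve_stale SRC DEST [MINUTES]: copy stale files into DEST, keeping
# timestamps and paths relative to SRC. Prints the number of files copied.
preserve_stale() {
    src=$1
    dest=$2
    age_min=${3:-360}
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }
    mkdir -p "$dest" || return 1
    dest=$(cd "$dest" && pwd) || return 1   # absolute path, since we cd below
    # cd -P resolves a symlinked SRC; find then prints paths relative to it.
    ( cd -P "$src" && find . -type f -mmin +"$age_min" -exec sh -c '
        dest=$1; shift
        for f; do
            mkdir -p "$dest/$(dirname "$f")" && cp -p "$f" "$dest/$f" && echo x
        done' sh "$dest" {} + ) | wc -l | tr -d ' '
}

# When run as a script with arguments, list stale files, for example:
#   sh stale.sh /storetmp
if [ "$#" -ge 1 ]; then stale_files "$@"; fi
```

For example, preserve_stale /storetmp /store/save copies anything older than 6 hours into /store/save and leaves the originals in place.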
What other temporary directories should I avoid using?
Can I modify diskmaintd to exclude specific directories?
Yes, but this is usually not recommended by QRadar Support. It is typically safer for administrators to create a unique directory in /store for their files, as a future update to diskmaintd could potentially override a change you have made. If you need to add a specific file or directory to the exclusion list so that it is not removed by disk maintenance, you can edit the /opt/qradar/conf/diskmaintd.conf file to include that file or directory. Any errors in the syntax could cause your files to be deleted.
If you do choose to edit this file and add a protected file or directory, it is recommended that you back up the file before you edit diskmaintd.conf by making a copy with a different extension. For example, the following command backs up the original file to the same location with the filename diskmaintd.conf.sav: cp /opt/qradar/conf/diskmaintd.conf /opt/qradar/conf/diskmaintd.conf.sav
28 March 2019