IBM Support

QRadar: Resolving high disk usage problems for /var/log partition

Question & Answer


Question

What troubleshooting steps can be used to help resolve high disk usage situations on the /var/log/ partition?

Cause

The /var/log partition is a storage area for QRadar and system log files. Some of the common logs on this partition are qradar.log, qradar.error, qradar-ha.log, messages, and httpd.log.

The partition size and type vary with the appliance type (Console, Event Processor, and so on), the model (newer Console models have larger storage), the hardware, whether the system is a software installation (customer appliance) or a VM, and the QRadar version.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage on the /var/log partition. Unlike some other partitions, /var/log filling to a critical level (95%) does not stop the QRadar critical services.

To find out what files or directories are filling up the /var/log partition, see the Troubleshooting Disk Space Problems Technote: 

Answer


1. Troubleshooting /var/log space issues

These are the most common issues that cause /var/log to fill. For specific information about troubleshooting /var/log space issues, see the following Technotes:

The logrotate script fails to move the file that needs to be rotated from /var/log/ to /var/log/qradar.old/ with a .1 extension. This happens when an uncompressed file with a .1 extension already exists in either of these folders.
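The check below is an added example, not a script from the technote or from QRadar: it lists the uncompressed `*.1` leftovers in a log directory and its `qradar.old/` subdirectory (the condition that blocks the rotation described above) and shows the largest entries so the space consumer is visible. The directory argument and the fixture it builds are assumptions so that it runs offline; on an appliance you would point it at /var/log.

```shell
#!/bin/sh
# Added example (not IBM's code): find uncompressed ".1" files that stop
# logrotate from moving a QRadar log into qradar.old/, and show what is
# consuming space. DIR is a parameter so the example runs on a fixture.

# Print every uncompressed "*.1" file in DIR and DIR/qradar.old.
# logrotate has to write "<log>.1" into these locations, so an existing
# uncompressed ".1" file there is what blocks the rotation.
find_stale_rotations() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f -name '*.1' 2>/dev/null
    if [ -d "$dir/qradar.old" ]; then
        find "$dir/qradar.old" -maxdepth 1 -type f -name '*.1' 2>/dev/null
    fi
    return 0
}

# Number of blocking files; 0 means this cause is not what fills /var/log.
count_stale_rotations() {
    find_stale_rotations "$1" | wc -l | tr -d ' '
}

# Largest entries under DIR in KB (default: top 10), largest first.
largest_files() {
    du -ak "$1" 2>/dev/null | sort -rn | head -n "${2:-10}"
}

# Constructed fixture (sample files, not a real appliance) so the example
# can run offline: two uncompressed ".1" files and one compressed one.
make_fixture() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/qradar.old"
    printf 'current log\n' > "$dir/qradar.log"
    printf 'old log\n'     > "$dir/qradar.log.1"               # blocks rotation
    printf 'old errors\n'  > "$dir/qradar.old/qradar.error.1"  # blocks rotation
    : > "$dir/qradar.old/messages.1.gz"                        # compressed: fine
    echo "$dir"
}

# Demo run against the fixture; replace "$target" with /var/log on an appliance.
target="$(make_fixture)"
echo "Uncompressed .1 files blocking logrotate under $target:"
find_stale_rotations "$target"
echo "Count: $(count_stale_rotations "$target")"
echo "Largest entries (KB):"
largest_files "$target" 5
rm -rf "$target"
```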


It has been identified that changes made to logrotate in QRadar 7.3.1 Patch 6, where the logrotate file is missing from /etc/cron.hourly/, can cause /var/log to run out of free space prematurely.


When a partition crosses its maximum threshold, Deploy Changes fails to start and returns a popup window with the message "Error performing deployment. See logs for details".


2. Defects around /var/log partition

This is a summary list of the common defects encountered on the /var/log partition:

It has been identified that /var/log/ on high availability secondary appliances can fill due to the /var/log/systemStabMon directories not being rotated.


3. General Information about the sizing of /var/log partition

Partition requirements and recommendations when upgrading:

During a software upgrade (for software installations only), partition requirements and recommendations are generated and stored in the /root/partition_instructions.txt file. This file is deleted during QRadar setup on the new operating system. If you choose not to use the partitions recommendations, make sure that you meet these partition requirements.

Note: The upgrade mentioned here is the upgrade from 7.2.8 to 7.3.x, because it also upgrades the underlying operating system. If you are upgrading to 7.3.0, you can use the drop-down in the IBM Knowledge Center linked above to change to the 7.3.0 version.


Linux operating system partition properties for QRadar installations on your own hardware:

If you use your own appliance hardware, you can delete and re-create partitions on your Red Hat Enterprise Linux operating system rather than modify the default partitions.

Note: Once in the IBM Knowledge Center, you can change the version from the drop-down to 7.2.8, 7.3.0, or 7.3.1.



Document Information

Modified date:
07 January 2021

UID

ibm10882056