IBM Support

QRadar: Resolving high disk usage problems for /opt partition

Question & Answer


What troubleshooting steps can be used to help resolve high disk usage situations on the /opt partition?


The /opt partition includes configuration files and application data for QRadar®. Common issues that administrators can experience include undersized partitions, software errors that write unnecessary files to opt, software updates leaving behind files, or application data updated remotely that can consume disk space. By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /opt partition. If the /opt partition reaches 95% capacity, it stops the QRadar critical services. 

Note: QRadar Support includes a utility to assist users with disk space issues in /opt/qradar/support/ The partitionDiagnostic utility can be run in a test mode to determine what data is being used in /opt that can be removed. This tool is only supported from version 7.3.0 to 7.3.1. If you run the utility on other versions, the following error is displayed:

[root ~]# /opt/qradar/support/partitionDiagnostic
2022/02/18 16:06:00 '741' is not supported, MIN 730, MAX 731



Quick Links


1. Troubleshooting /opt space issues

Most common issues that cause /opt to fill. For specific information about troubleshooting /opt space issues, see the following support content:

It has been identified that changes made to logrotate in QRadar 7.3.1 Patch 6 can cause the /var/log and or the /opt partition to prematurely run out of free space.    


2. Defects around /opt partition

This is a summary list of defects encountered on /opt partition:

It has been identified that the monitored partition /opt/qradar/support can run out of free space after an upgrade when a large number of failed replication files exist in that location (their default storage location). The /opt/qradar/ partition has a reduced file space size in 7.3.x and can be filled faster than expected when system issues cause multiple failed replication files in quick succession.


3. General Information about the sizing of /opt partition

Partition requirements and recommendations when upgrading:

During a software upgrade (for software installations only), partition requirements and recommendations are generated and stored in the /root/partition_instructions.txt file. This file is deleted during QRadar setup on the new operating system. If you choose not to use the partitions recommendations, make sure that you meet the partition requirements outlined in the official QRadar documentation.

Note:  The upgrade mentioned here is when upgrading from 7.2.8 to 7.3.x, as it also upgrades the underlying Operating System. If you are upgrading to 7.3.0, you can use the drop-down in the IBM Documentation linked above to change to the 7.3.0 version.

Linux operating system partition properties for QRadar installations on your own hardware:

If you use your own appliance hardware, you can delete and re-create partitions on your Red Hat Enterprise Linux operating system rather than modify the default partitions.

Note:  If you are using a version other than 7.3.2, you can change the drop-down on the IBM Documentation link above to your appropriate version.


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF043","label":"Red Hat"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
13 April 2022