Troubleshooting
Problem
Nightly backups fail to run when a remote mount is not reachable or not readable.
Warning: If you use NFS or a Windows share for offboard storage, your system can lock and cause an outage. This practice is not supported by IBM QRadar. If you choose to use NFS anyway, NFS can be used only for daily backup data, such as the /store/backup directory. You cannot use NFS for storing active data, which includes the PostgreSQL and ariel databases. If you do use NFS, it might cause database corruption or performance issues.
Warning: If you use NFS or a Windows share for offboard storage, your system can lock and cause an outage. This practice is not supported by IBM QRadar. If you choose to use NFS anyway, NFS can be used only for daily backup data, such as the /store/backup directory. You cannot use NFS for storing active data, which includes the PostgreSQL and ariel databases. If you do use NFS, it might cause database corruption or performance issues.
Symptom
A system notification is received for "Unable to execute backup request" on the affected managed host.
Environment
QRadar Deployments with remote mounts.
Diagnosing The Problem
Connect to the affected host, review the qradar.error to determine the affected remote partition.
- Use SSH to log in to the QRadar Console as the root user.
- Optional. SSH to the affected managed host.
- Review the /var/log/qradar.log and confirm the presence of the error described in the Symptom section:
Output example:grep -i "Unable to determine available disk space" /var/log/qradar.log[hostcontext.hostcontext] [Scheduled Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Unable to determine available disk space, aborting backup - Use the following command to confirm the use of remote mounts:
mount -vNote: Remote mounts are displayed with an IP or FQDN.
Result
External storage mount points are displayed.
Resolving The Problem
Administrators are encouraged to read the Offboard storage overview and Backup and recovery sections of the QRadar Administration Guide.
To resolve the problem, unmount the conflicting remote partition and test taking an on-demand backup.
- Use SSH to log in to the QRadar Console as the root user.
- Optional. SSH to the affected managed host.
- Test the availability of the remote directories. All commands must succeed.
cd /path_to_remote_directory/ touch test.txt echo "remote test" > test.txt ls test.txt rm -fv test.txtOutput example:[root@hostname~]# cd /store/backup-test/ [root@hostname backup-test]# touch test.txt [root@hostname backup-test]# echo "remote test" > test.txt [root@hostname backup-test]# ls test.txt test.txt [root@hostname backup-test]# rm -fv test.txt removed 'test.txt' - Unmount all remote mount points that failed in step 3. Change the following command for each remote mount:
umount -f -l <path_to_remote_directory> - Take an on-demand backup. For detailed instructions to do so, see Creating an on-demand configuration backup archive.
- Verify the on-demand backup file is stored in /store/backup.
Result
The on-demand configuration backup completes successfully. Before mounting the remote directories again, administrators must ensure only supported remote storage is configured and reachable.
If the backup continues to fail with the same error contact QRadar Support for assistance.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
30 November 2022
UID
ibm16841513