IBM Support

QRadar SIEM: Partition / almost full

Troubleshooting


Problem

The root partition / is full, or almost full, in QRadar SIEM.

Symptom

df -h /
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/rootrhel-root   13G   11G  1.7G  87% /

Cause

  • A transient partition was never created
  • A customization is causing the partition to fill
  • Someone is running an expensive command
  • An expensive search is running, or is saved

Resolving The Problem

  1. Verify whether a transient partition was ever created:
    df -h /transient
    Note: If no partition is returned, then no transient partition was created. For a software installation, the recommended method is to reinstall. For an appliance installation, it's possible the host is an Event Collector.
  2. Create a backup:
    mkdir -p /store/ibm_support/7160856/store 
    cp -p /transient/spillover/queue/ecs-ec-ingress.ecs-ec-ingress/* /store/ibm_support/7160856/ 
    cp -p /store/transient /store/ibm_support/7160856/store
  3. Stop services:
    systemctl stop hostcontext ecs-ec-ingress 
    /opt/qradar/systemd/bin/manual.sh hostcontext enable
  4. Create the new transient and link it:
    mkdir /store/transient2 
    mv /transient /store/transient2 
    rm /store/transient 
    mv /store/transient2 /store/transient 
    ln -s /store/transient /transient
  5. Turn services back on:
    /opt/qradar/systemd/bin/manual.sh hostcontext disable 
    systemctl start hostcontext ecs-ec-ingress

The issue with root partition space is now resolved:

df -h /
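
An added example (not part of IBM's document): a read-only check that makes the step 1 result explicit and can be rerun after step 5 to confirm that /transient is now a symlink. The function names are hypothetical, and it assumes `df -P`, `awk` and `readlink` are available on the host.

```bash
#!/bin/sh
# Added example, not IBM code. Read-only: it changes nothing on the host.
# classify_path prints one of:
#   missing | symlink:<target> | mountpoint | on-parent-fs:<mount point>

classify_path() {
    local p="${1%/}"            # drop a trailing slash
    [ -n "$p" ] || p="/"
    if [ -L "$p" ]; then
        # After step 4, /transient should be a symlink to /store/transient.
        printf 'symlink:%s\n' "$(readlink "$p")"
        return 0
    fi
    if [ ! -e "$p" ]; then
        printf 'missing\n'
        return 0
    fi
    # df -P keeps each filesystem on one line; column 6 is the mount point
    # of the filesystem that actually holds the path.
    local mnt
    mnt="$(df -P "$p" | awk 'NR==2 {print $6}')"
    if [ "$mnt" = "$p" ]; then
        printf 'mountpoint\n'           # the path has its own partition
    else
        printf 'on-parent-fs:%s\n' "$mnt"
    fi
}

# True when the path is a plain directory stored on the root filesystem,
# which is the state the procedure above corrects.
fills_root() {
    [ "$(classify_path "$1")" = "on-parent-fs:/" ]
}

# Report the two paths the procedure touches.
for p in /transient /store/transient; do
    printf '%s -> %s\n' "$p" "$(classify_path "$p")"
done
```

A result of `on-parent-fs:/` for /transient means its contents are consuming root partition space; `symlink:/store/transient` is the expected state once the procedure is complete.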

Document Location

Worldwide


Document Information

Modified date:
22 July 2024

UID

ibm17160856