IBM Support

QRadar: v7.3.1 patch 6 - Logrotate fails causing /var/log and /opt partitions to run out of free space

How To


Summary

In QRadar v7.3.1 Patch 6, you might have an issue where system and HTTPd log files fail to rotate.

Changes made to logrotate in QRadar 7.3.1 Patch 6 can cause the /var/log and/or the /opt partition to prematurely run out of free space.

Note: When monitored partition disk space reaches 95% utilization, certain QRadar processes are automatically shut down, preventing the system from operating properly.

Objective

To resolve the logrotate issue with QRadar v7.3.1 patch 6, you need to re-create the cron job that performs this function.

Environment

QRadar running 7.3.1 patch 6

Steps

Verify the issue

  1. Log in to the QRadar Console CLI as root.

  2. Go to the /etc/cron.hourly/ directory. The logrotate file must exist for the logs to rotate correctly.

    cd /etc/cron.hourly/
    ls logrotate
  3. If the logrotate file does not exist, use the following steps to create it.

Correct the failing log rotate issue

  1. Log in to QRadar Console CLI as root.

  2. Use the following command to run a script that fixes the logrotate issue:

    /opt/qradar/support/fix_cron_hourly_logrotate.sh
  3. If the script runs successfully, you receive the following message stack:

      /opt/qradar/support/fix_cron_hourly_logrotate.sh [INFO] Recreating missing /etc/cron.hourly/logrotate
      /opt/qradar/support/fix_cron_hourly_logrotate.sh [INFO] Running newly created /etc/cron.hourly/logrotate
      /opt/qradar/support/fix_cron_hourly_logrotate.sh +[INFO] logrotate complete
  4. If the script fails to run, you receive the following message. If the script fails, follow the procedure to manually create the cron job.

      -bash: /opt/qradar/support/fix_cron_hourly_logrotate.sh: No such file or directory

Manually create the cron job for log rotation

  1. Log in to QRadar Console CLI as root.

  2. Create the file /etc/cron.hourly/logrotate.

    touch /etc/cron.hourly/logrotate
  3. Copy the following text into the /etc/cron.hourly/logrotate file:

      /usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
      EXITVALUE=$?
      if [ $EXITVALUE != 0 ]; then
          /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
      fi
      exit 0
  4. Make this file executable:

    chmod u+x /etc/cron.hourly/logrotate
  5. Run the script to immediately rotate logs:

    /etc/cron.hourly/logrotate
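
The verification and manual repair steps above can be combined into one idempotent script that also reports how close /var/log and /opt are to the 95% shutdown threshold. This is an added example, not IBM's fix script: the function names and the `--repair` argument are assumptions of the example, while the paths, the job body and the threshold come from this page.

```shell
# Added example (not IBM's script): verify and repair the hourly logrotate job.
FIX_SCRIPT=/opt/qradar/support/fix_cron_hourly_logrotate.sh   # path from the page
THRESHOLD=95   # percent used at which QRadar shuts processes down (page note)

# Body of the cron job exactly as given in the manual procedure.
logrotate_job_body() {
    cat <<'EOF'
/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
EOF
}

# ensure_logrotate_job DIR: create DIR/logrotate only if it is missing and
# never overwrite an existing job. Prints "present" or "created".
ensure_logrotate_job() {
    job="$1/logrotate"
    if [ -f "$job" ]; then
        [ -x "$job" ] || chmod u+x "$job" || return 1
        echo present; return 0
    fi
    logrotate_job_body > "$job" && chmod u+x "$job" || return 1
    echo created
}

# partition_use PATH: print the integer percent used of PATH's filesystem.
partition_use() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# over_threshold PCT: succeed when PCT has reached the shutdown threshold.
over_threshold() {
    [ "$1" -ge "$THRESHOLD" ]
}

# Only touch the system when explicitly asked (run as root with --repair).
if [ "${1:-}" = "--repair" ]; then
    if [ ! -f /etc/cron.hourly/logrotate ] && [ -x "$FIX_SCRIPT" ]; then
        "$FIX_SCRIPT"
    else
        ensure_logrotate_job /etc/cron.hourly && /etc/cron.hourly/logrotate
    fi
    for p in /var/log /opt; do
        u=$(partition_use "$p")
        over_threshold "$u" && echo "WARNING: $p at ${u}% used" || echo "$p: ${u}% used"
    done
fi
```

Without the `--repair` argument the script only defines its functions, so it can be sourced and exercised against a scratch directory before it is run on a Console.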

Result

The cron job is re-created and the log rotation is immediately run.

Document Information

Modified date:
17 June 2022

UID

ibm10738895