IBM Support

QRadar: Files in /storetmp are removed daily by disk maintenance

Troubleshooting


Problem

A change implemented in QRadar 7.3.2 and later ensures that files are removed from temporary directories. Previously, in QRadar 7.3.0 and 7.3.1, an issue prevented the diskmaintd.pl utility from removing files in the /storetmp directory. The file removal issue was resolved in QRadar 7.3.2, so administrators who keep files or exports in /storetmp need to move them to a safe location.

Cause

The expected behavior of diskmaintd.pl is to clear /storetmp of any files that are older than 6 hours when the script runs. By default, a cron job runs diskmaintd.pl daily at 2 AM. Due to an issue in 7.3.0 and 7.3.1 with how the symlink from /store/tmp to /storetmp was created, the directory traversal was not called recursively, so files older than 6 hours remained in /storetmp.

Environment

QRadar administrators who upgrade to QRadar 7.3.2 and later with important files in the /storetmp directory.

Resolving The Problem

Since QRadar 7.3.2, files older than 6 hours that reside in /storetmp are removed by diskmaintd.pl when it runs at 2 AM daily. Administrators must back up files, exports, or utilities to another directory in /store before upgrading QRadar. Failure to move these files causes diskmaintd.pl to delete all aged files from the /storetmp directory.

Where do I keep important files?
Administrators can create a location for important data, such as /store/IBM_Support/, /store/save/, /store/important/, or /store/keep/, for exports, utilities, or important files. Create a customized location to keep files, as such a location is not affected by the disk maintenance script.
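The following shell script is an added example and is not part of this article or of QRadar's diskmaintd.pl. It previews which files under a temporary directory are older than the 6-hour threshold described above and moves them into a keep directory under /store before an upgrade. The function names and the use of find -mmin are this example's own assumptions; diskmaintd.pl's exact selection logic is not documented here, so treat the preview as an approximation.

```shell
#!/bin/sh
# Added example, not IBM's diskmaintd.pl: preview and rescue files that the
# daily /storetmp cleanup would remove. Paths and the 6-hour threshold come
# from the article; function names and the find(1) selection are assumptions.

# List regular files under $1 whose mtime is older than $2 hours (default 6).
# -H resolves a symlinked argument such as /store/tmp -> /storetmp, which is
# the traversal case the article says was broken in 7.3.0 and 7.3.1.
aged_files() {
    dir=${1%/}
    hours=${2:-6}
    find -H "$dir" -type f -mmin +"$((hours * 60))" 2>/dev/null | sort
}

# Number of files aged_files would report; useful as a pre-upgrade check.
aged_count() {
    aged_files "$1" "$2" | wc -l | tr -d ' '
}

# Move aged files from $1 into $2 (for example /store/IBM_Support), keeping
# their relative paths so files with the same name in different
# subdirectories do not overwrite each other in the keep directory.
rescue_aged_files() {
    src=${1%/}
    dest=${2%/}
    hours=${3:-6}
    mkdir -p "$dest" || return 1
    aged_files "$src" "$hours" | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dest/$(dirname "$rel")"
        mv "$f" "$dest/$rel"
    done
}

# Usage on an appliance: preview first, then move.
#   aged_count /storetmp 6
#   rescue_aged_files /storetmp /store/IBM_Support 6
```

Run the preview during a change window before the 2 AM cron run; anything it lists is a candidate for deletion the next time diskmaintd.pl runs.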
The QRadar fix pack was removed from /storetmp. What can I do?
Administrators must copy or download the file again. To prevent this situation, the fix pack file can be stored in a customized location in /store, such as /store/IBM_Support/, and copied to /storetmp right before the upgrade activity takes place.

What other temporary directories must be avoided?
/storetmp, /tmp, and /transient must not be used to keep any important files on the system. These locations are used to temporarily store data by QRadar and are routinely cleaned up.
Can I modify diskmaintd to exclude specific directories?
Yes, but it is usually not recommended by QRadar Support. Administrators are advised to use a unique directory in /store for the files, as a future update to diskmaintd could override the changes made.
If there is a need to add a specific file or directory to the exclusion list to prevent its removal by disk maintenance, the administrator can edit the /opt/qradar/conf/diskmaintd.conf file to include that file or directory as follows:
Warning: Any error in the syntax of the file could cause your files to be deleted. Also, excluding files can cause disk space issues in the /storetmp partition.

  1. Create the backup directory.
    mkdir -p /store/IBM_Support/
  2. Make a copy of the current configuration file.
    cp -pfv /opt/qradar/conf/diskmaintd.conf /store/IBM_Support/diskmaintd.conf.bck
  3. Edit the file.
    vi /opt/qradar/conf/diskmaintd.conf

Document Location

Worldwide


Document Information

Modified date:
26 October 2022

UID

ibm10874848