IBM Support

QRadar: Resolving high disk usage problems for /opt partition

Question & Answer


Question

What troubleshooting steps can be used to help resolve high disk usage situations on the /opt partition?

Cause

The /opt partition includes configuration files and application data for QRadar®. Common issues that administrators can experience include undersized partitions, software errors that write unnecessary files to /opt, software updates that leave files behind, or remotely updated application data that consumes disk space. By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /opt partition. If the /opt partition reaches 95% capacity, the disk sentry stops the QRadar critical services.
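An added example, not IBM's code or part of QRadar: a shell check that reports how close a partition is to the 95% limit described above, so that space can be reclaimed before the disk sentry stops services. The 85% warning level, the function names and the sample df output are assumptions constructed for this example.

```shell
#!/bin/sh
SENTRY_PCT=95   # from the page: critical services are stopped at this usage
WARN_PCT=85     # assumption: early-warning level chosen for this example

# usage_pct MOUNT: read `df -P` output on stdin, print MOUNT's Use% as digits.
usage_pct() {
    awk -v mp="$1" '
        NR > 1 && $NF == mp { p = $(NF-1); sub(/%/, "", p); print p; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# classify PCT: print OK, WARN or CRITICAL relative to the two thresholds.
classify() {
    if [ "$1" -ge "$SENTRY_PCT" ]; then echo CRITICAL
    elif [ "$1" -ge "$WARN_PCT" ]; then echo WARN
    else echo OK
    fi
}

# check_mount MOUNT: status line for MOUNT from df output on stdin.
# Exit status: 0 OK, 1 WARN, 2 CRITICAL, 3 mount point not in the input.
check_mount() {
    pct=$(usage_pct "$1") || { echo "UNKNOWN $1 not in df output"; return 3; }
    state=$(classify "$pct")
    echo "$state $1 ${pct}% (sentry limit ${SENTRY_PCT}%)"
    case $state in OK) return 0 ;; WARN) return 1 ;; *) return 2 ;; esac
}

# top_consumers DIR [N]: first N lines of du output sorted by size in KiB:
# DIR's own total, then its largest immediate subdirectories. Stays on DIR's
# filesystem (-x). Uses GNU du options, as shipped with RHEL.
top_consumers() {
    du -xk --max-depth=1 "$1" 2>/dev/null | sort -rn | head -n "${2:-10}"
}

# Constructed sample of `df -P` output (device names and sizes are made up).
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/vg-opt 13092864 11914506 1178358 91% /opt
/dev/mapper/vg-varlog 15718400 4086784 11631616 26% /var/log'

printf '%s\n' "$SAMPLE_DF" | check_mount /opt || true
# On a live host: df -P /opt | check_mount /opt || top_consumers /opt
```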


Note: QRadar Support provides a utility, /opt/qradar/support/partitionDiagnostic.sh, to assist users with disk space issues. The partitionDiagnostic utility can be run in a test mode to determine which data in /opt can be removed. This tool is only supported from version 7.3.0 to 7.3.1. If you run the utility on other versions, the following error is displayed:

[root ~]# /opt/qradar/support/partitionDiagnostic
2022/02/18 16:06:00 '741' is not supported, MIN 730, MAX 731

   

Answer


1. Troubleshooting /opt space issues

The following are the most common issues that cause /opt to fill. For specific information about troubleshooting /opt space issues, see the following support content:



It has been identified that changes made to logrotate in QRadar 7.3.1 Patch 6 can cause the /var/log and/or the /opt partition to prematurely run out of free space.

   

2. Defects around /opt partition

This is a summary list of defects encountered on /opt partition:

It has been identified that the monitored partition /opt/qradar/support can run out of free space after an upgrade when a large number of failed replication files exist in that location (their default storage location). The /opt/qradar/ partition has a reduced size in 7.3.x and can fill faster than expected when system issues cause multiple failed replication files in quick succession.

  

3. General Information about the sizing of /opt partition

Partition requirements and recommendations when upgrading:

During a software upgrade (for software installations only), partition requirements and recommendations are generated and stored in the /root/partition_instructions.txt file. This file is deleted during QRadar setup on the new operating system. If you choose not to use the partition recommendations, make sure that you meet the partition requirements outlined in the official QRadar documentation.

Note: The upgrade mentioned here is the upgrade from 7.2.8 to 7.3.x, which also upgrades the underlying operating system. If you are upgrading to 7.3.0, you can use the drop-down in the IBM Documentation linked above to change to the 7.3.0 version.


Linux operating system partition properties for QRadar installations on your own hardware:

If you use your own appliance hardware, you can delete and re-create partitions on your Red Hat Enterprise Linux operating system rather than modify the default partitions.

Note:  If you are using a version other than 7.3.2, you can change the drop-down on the IBM Documentation link above to your appropriate version.

  


Document Information

Modified date:
13 April 2022

UID

ibm10882070