File system partitions reach 95% when the data retention period settings are too high or
the available storage is insufficient for the rate at which IBM
QRadar receives data. If you
reconfigure your retention bucket storage settings, the storage across your entire QRadar deployment is
affected.
Procedure
-
Identify and remove older debug or patch files in the / file
system.
-
Reduce disk usage on the /store file system.
-
Choose one of the following options:
- Remove the oldest data from the /store/ariel/events file
system.
- Reduce your data retention period by adjusting the default retention bucket storage
settings. For more information, see the IBM
QRadar Administration Guide.
- If the /store file is full, identify which log sources you can retain
for shorter periods. Use the retention buckets to manage the log sources. For more information, see
the IBM
QRadar Administration Guide.
- Consider an offboard storage solution such as iSCSI or Fibre Channel. For more information,
see the Offboard Storage Guide.
- If the /var/log file system reaches 100% capacity, QRadar does not shut down.
Other issues might cause your log files to grow faster than expected.