IBM Support

QRadar: About /var partition

Question & Answer


Question

What is the purpose of the /var partition in QRadar, and how can I troubleshoot issues with the /var partition filling?

Answer

The /var partition is the partition that contains files to which the system writes data during its operation. Some examples of these files are system and email log files.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /var partition. If the /var partition fills up, the QRadar disk sentry alerts but does not stop the QRadar core services.

The following are the most common causes of the /var partition filling up:

  • Emails queued and not delivered
  • OS Kernel crash

Failed Update Error

When a software update runs, the /var partition is not checked to ensure that it has enough free space for the update. However, it is advised to remediate any disk space issues before the update runs, as suggested in the QRadar: Software update checklist for administrators.

Troubleshooting Disk Space Issues

To determine which files or directories are filling the /var partition and how to release space safely, follow the steps in the following articles:

Upgrade from 7.2.x to 7.3.x

In QRadar 7.2.8 and older, the /var partition did not exist on its own. Since 7.3.1, QRadar uses LVM and the logical volume /dev/mapper/rootrhel-var was designated for the /var partition alone. Subdirectories such as /var/log and /var/log/audit now use their own logical volume as separate partitions.

[root@qradar ~]# df -Th /var
Filesystem               Type  Size  Used Avail Use% Mounted on
/dev/mapper/rootrhel-var xfs   5.0G  435M  4.6G   9% /var
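
Because /var/log and /var/log/audit are separate logical volumes, a size listing for /var should stay on the /var file system rather than descend into them. The script below is an added example, not IBM's documented procedure; the function names and the default 90% limit are assumptions, not QRadar disk sentry settings.

```bash
#!/bin/bash
# Added example (not IBM's procedure): report how full a partition is and
# which top-level directories on that same file system use the most space.

# usage_pct DIR: print the Use% of the file system holding DIR as an integer.
usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# top_consumers DIR [N]: print "KiB<TAB>path" for the N largest directories
# directly under DIR. -x keeps du on DIR's own file system, so separately
# mounted volumes such as /var/log and /var/log/audit are not counted.
top_consumers() {
    local dir="$1" n="${2:-10}"
    du -x -k -d 1 "$dir" 2>/dev/null |
        awk -F '\t' -v d="$dir" '$2 != d' |
        sort -rn | head -n "$n"
}

# report DIR LIMIT: print the usage line; when Use% >= LIMIT, also print the
# largest directories and return 1. LIMIT is an assumed threshold chosen by
# the caller, not a value taken from QRadar.
report() {
    local dir="$1" limit="$2" pct
    pct=$(usage_pct "$dir")
    [ -n "$pct" ] || return 2
    echo "$dir is ${pct}% full (limit ${limit}%)"
    [ "$pct" -lt "$limit" ] && return 0
    top_consumers "$dir" 10
    return 1
}

# Run only when arguments are given, e.g.: bash var_usage.sh /var 90
if [ "$#" -gt 0 ]; then
    report "$1" "${2:-90}"
fi
```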


Document Information

Modified date:
19 October 2022

UID

ibm16825835