IBM Support

QRadar: About /tmp partition

Question & Answer


Question

What is the purpose of the /tmp partition in QRadar®, and how can I troubleshoot issues with the /tmp partition filling?

Answer

The /tmp partition is used for programs that require temporary files.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /home partition. If the /tmp partition fills up, the QRadar disk sentry alerts but does not stop the QRadar core services. However, a full /tmp partition can create other symptoms, such as configuration deployment changes due to critical disk space.

User leftover files and mlocate_db temporary files are the most common causes of the /tmp partition filling up. Instead of /tmp, administrators can create a location for important data, such as /store/IBM_Support/, /store/save/, /store/important/, or /store/keep/ for exports, utilities, or important files.
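A read-only way to see which users and which old files account for the space in /tmp, as an added example that is not part of the IBM article. It assumes GNU find and coreutils; the function names and the 7-day default age are illustrative choices, not IBM values.

```shell
# Read-only triage for a filling /tmp partition (added example; deletes nothing).
# Assumes GNU find and coreutils are available on the host.

# Percentage of the filesystem holding DIR that is in use (integer, no % sign).
tmp_pct_used() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# Bytes of regular files under DIR per owning user, largest first:
# "<bytes> <owner>". -xdev keeps find on the same filesystem as DIR.
tmp_usage_by_owner() {
    find "$1" -xdev -type f -printf '%u %s\n' 2>/dev/null |
        awk '{ bytes[$1] += $2 } END { for (u in bytes) print bytes[u], u }' |
        sort -rn
}

# Regular files under DIR last modified more than DAYS whole days ago,
# largest first: "<bytes><TAB><owner><TAB><path>".
# These are candidates for review or for moving under /store, not for blind deletion.
tmp_stale_files() {
    find "$1" -xdev -type f -mtime +"$2" -printf '%s\t%u\t%p\n' 2>/dev/null |
        sort -rn
}

# Print all three views for DIR; DAYS is optional.
tmp_report() {
    dir=$1
    days=${2:-7}   # hypothetical default age threshold, not an IBM value
    echo "== $dir is on a filesystem that is $(tmp_pct_used "$dir")% full"
    echo "== bytes per owner"
    tmp_usage_by_owner "$dir"
    echo "== 20 largest files older than $days days"
    tmp_stale_files "$dir" "$days" | head -n 20
}

# Report only when a directory is given, e.g.: sh tmp_triage.sh /tmp 7
if [ $# -gt 0 ]; then
    tmp_report "$@"
fi
```

Files that the report shows are still needed can be moved to one of the /store locations named above before any cleanup.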

Failed Update Error
 
When a software update runs, the /tmp partition is not checked to ensure that it has enough disk space for the update. However, it is advised to remediate any disk space issues before the update runs, as suggested in the QRadar: Software update checklist for administrators.
 
Troubleshooting Disk Space Issues
To determine which files or directories are filling the /storetmp partition and how to release space safely, follow the steps in the following articles:


Document Information

Modified date:
19 October 2022

UID

ibm16827777