IBM Support

QRadar: About /var/log/audit partition

Question & Answer


Question

What is the purpose of the /var/log/audit partition in QRadar, and how can I troubleshoot issues with the /var/log/audit partition filling?

Answer

The /var/log/audit partition is the partition that contains audit logs of the system, searches, and API calls.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage on the /var/log/audit partition. If the /var/log/audit partition fills up, the disk sentry raises an alert but does not stop the QRadar core services.

The most common cause of the /var/log/audit partition filling up is logrotate failing. If a log file grows faster than logrotate can compress or remove it, the partition can fill.

Failed Update Error

When a software update runs, a health check on the /var/log/audit partition verifies that it has enough free space for the update. If the partition does not have enough space, the update fails with a "patch test failed" error. Remediate any disk space issues before the update runs, as recommended in QRadar: Software update checklist for administrators.

Available Space Checks
  Checks if /var/log has enough space
     [FAILURE]
         Not enough space in /var/log/audit: Available Space: 94 MB - File:
         /var/log/audit/auditd.log.5 2800 MB. This will cause logrotate to
         fail.
        [REMEDIATION]
         Free up space in /var/log/audit. You need at least 3000 MB free.

[SUMMARY]  7 successful checkups
[SUMMARY]  1 failed checkup
[SUMMARY]  0 invalid files
[SUMMARY] 15 skipped files

[ERROR](testmode) Cliniq checkup with mode patch has found errors.
[ERROR](testmode) Cliniq has detected unresolved patch-sensitive issues. You must resolve these issues before continuing.
 [INFO](testmode) Set <Hostname> status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue

Status Summary of Hosts
+---------------------------+-------------------+
|Hostname                   |Status             |
|---------------------------+-------------------|
|<Hostname>                 |Patch Test Failed  |
+---------------------------+-------------------+
Patch Report for <Host IP>, appliance type: 3105
<Hostname> :  patch test failed.

Press enter to continue...
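
The space check that the update health check performs, as an added example that is not part of IBM's article or QRadar's own tooling; it assumes GNU find and coreutils on the host, and the 3000 MB minimum is taken from the Cliniq output above:

```shell
#!/bin/sh
# Added example (not IBM's or QRadar's tooling): mirrors the Cliniq "Available
# Space" check. logrotate needs room to write the compressed copy of its largest
# rotated file; if that file exceeds the free space, rotation fails and /var/log/audit keeps growing.

# Pure decision logic, kept separate so it can be checked against the numbers in
# the report above (94 MB available, auditd.log.5 2800 MB, 3000 MB required).
# Prints one of: OK, LOW_SPACE, LOGROTATE_WOULD_FAIL
audit_space_verdict() {
    avail_mb=$1; largest_mb=$2; required_mb=$3
    if [ "$largest_mb" -gt "$avail_mb" ]; then
        echo LOGROTATE_WOULD_FAIL
    elif [ "$avail_mb" -lt "$required_mb" ]; then
        echo LOW_SPACE
    else
        echo OK
    fi
}

# Largest regular file below $1, printed as "<size_mb> <path>" (GNU find).
largest_file_mb() {
    find "$1" -xdev -type f -printf '%s %p\n' 2>/dev/null | sort -rn | head -n 1 |
        while read -r bytes path; do echo "$((bytes / 1048576)) $path"; done
}

# Rotated logs that were never compressed (auditd.log.5 rather than auditd.log.5.gz):
# a stalled or failed logrotate run is the most common cause named above.
uncompressed_rotated() {
    find "$1" -xdev -type f -name '*.log.[0-9]*' ! -name '*.gz' 2>/dev/null | sort
}

# Full check against a mounted partition. Exit status 0 only when the verdict is OK.
# The 3000 MB default is the minimum quoted in the Cliniq output above.
audit_space_check() {
    dir=${1:-/var/log/audit}; required_mb=${2:-3000}
    avail_mb=$(df -Pk "$dir" | awk 'NR == 2 { print int($4 / 1024) }')
    largest=$(largest_file_mb "$dir")
    largest_mb=${largest%% *}; largest_path=${largest#* }
    verdict=$(audit_space_verdict "$avail_mb" "${largest_mb:-0}" "$required_mb")
    echo "$dir: ${avail_mb} MB available, largest file ${largest_mb:-0} MB (${largest_path:-none}) -> $verdict"
    uncompressed_rotated "$dir" | sed 's/^/  uncompressed rotated log: /'
    [ "$verdict" = OK ]
}

# Run the check when a path is given, e.g.:  sh audit_space_check.sh /var/log/audit
if [ -n "${1:-}" ]; then
    audit_space_check "$1" "${2:-3000}"
fi
```

The script only reports; which files can be removed safely is covered by the troubleshooting articles referenced below.
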

Troubleshooting Disk Space Issues
To determine which files or directories are filling the /var/log/audit partition and how to release space safely, follow the steps in the following articles:

Upgrade from 7.2.x to 7.3.x

Since 7.3.1, QRadar uses LVM, and the logical volume /dev/mapper/rootrhel-varlogaudit is dedicated to the /var/log/audit partition alone, so it has its own capacity even though the mount point sits under /var and /var/log.

[root@qradar ~]# df -Th /var/log/audit
Filesystem                       Type  Size  Used Avail Use% Mounted on
/dev/mapper/rootrhel-varlogaudit xfs   3.0G  167M  2.9G   6% /var/log/audit


Document Information

Modified date:
19 October 2022

UID

ibm16826611