IBM Support

QRadar SOAR: Disk space notifications

Question & Answer


Question

Why aren't disk space notifications sent at times outside of a schedule, when disk space is 90% used?

Cause

Disk usage is checked, and an email is sent, on a schedule as part of the pgbackrest backup process. It is not designed to be a dynamic check and is not an alternative to server monitoring.

Answer

When disk usage is 90% or more, an email notification is sent to those who have access to the System Settings page. These are users who have been configured with the sysadmin role.

Example notification:

Subject: Alert! IBM Security QRadar SOAR platform may run out of disk space
Disk usage is over 90% on hxxps://soar[.]domain[.]com. Action must be taken to prevent serious system problems.
Disk Mount Point: /
Total Space: 140G
Used Space: 125G
Available Space: 16G
Used Percentage: 90%

You can grant a user the sysadmin role by using a resutil command.

sudo resutil newuser -email "<user_account>" -org "<org_name>" -sysadmin

The percentage threshold can be configured by changing diskWarningThreshold in db_regular_check.properties.
You can also include users who do not have the sysadmin role.
No email notifications are sent when disableWarningNoticeEmail=1 is set.

sudo cat /usr/share/co3/conf/db_regular_check.properties
regularBackupCpu=1
diskWarningThreshold=90
disableWarningNoticeEmail=0
#warningNoticeEmail=user1@example.com,user2@example.com

The cron task that invokes resCheckDatabaseDiskUsage runs at 9:00 and 21:00 each day. The disk is checked only at these times.

sudo cat /etc/cron.d/ibm-security-soar
MAILTO=''
1 0 * * 0 root /usr/bin/resBackupDatabase full
1 0 * * 1-6 root /usr/bin/resBackupDatabase incremental
0 9,21 * * * root /usr/bin/resCheckPgbackrestStatus
0 9,21 * * * root /usr/bin/resCheckDatabaseDiskUsage

If disk usage exceeds the diskWarningThreshold at times other than 09:00 and 21:00, no email notification is sent.
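
An interim check that can run between the 09:00 and 21:00 runs, as an added example that is not part of IBM's document or product code: it reads diskWarningThreshold and disableWarningNoticeEmail from a properties file in the format shown above and compares the threshold with the usage reported by df. The function names, the fallback of 90 when the key is absent, and the last-line-wins handling of repeated keys are assumptions; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not IBM code. Compares current disk usage with the
# diskWarningThreshold configured for SOAR, for use between the scheduled checks.

# prop_get FILE KEY DEFAULT: print the value of the last uncommented KEY=value
# line, or DEFAULT if there is none (last-one-wins is an assumption).
prop_get() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        tail -n 1 | tr -d '[:space:]')
    printf '%s\n' "${val:-$3}"
}

# used_pct MOUNT: integer "Capacity" column from POSIX-format df output.
used_pct() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# check_disk FILE PCT: print one status line.
# Returns 0 = below threshold, 1 = at or above it, 2 = non-numeric input.
check_disk() {
    threshold=$(prop_get "$1" diskWarningThreshold 90)   # 90 is an assumed fallback
    disabled=$(prop_get "$1" disableWarningNoticeEmail 0)
    for n in "$threshold" "$2"; do
        case $n in
            ''|*[!0-9]*) echo "ERROR non-numeric value: '$n'"; return 2 ;;
        esac
    done
    if [ "$2" -lt "$threshold" ]; then
        echo "OK used=${2}% threshold=${threshold}%"
        return 0
    fi
    note=""
    if [ "$disabled" = "1" ]; then
        note=" (disableWarningNoticeEmail=1: SOAR sends no email)"
    fi
    echo "WARN used=${2}% threshold=${threshold}%${note}"
    return 1
}

# Constructed sample mirroring the properties file shown above.
sample=$(mktemp)
printf '%s\n' 'regularBackupCpu=1' 'diskWarningThreshold=90' \
    'disableWarningNoticeEmail=0' \
    '#warningNoticeEmail=user1@example.com,user2@example.com' > "$sample"
check_disk "$sample" "$(used_pct /)" || true
rm -f "$sample"
```

On a SOAR host, pass /usr/share/co3/conf/db_regular_check.properties as the first argument to check_disk and route the non-zero exit status into existing server monitoring.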


Document Information

Modified date:
22 May 2024

UID

ibm17154590