IBM Security QRadar

  • 1.  7.3.1 patch 6 and the /opt partition being too small

    Posted Tue November 06, 2018 10:37 AM
    In our install, the IBM upgrade script to install 7.3.1 resized partitions and left /opt so small that we get nightly disk warnings of 90+% utilization. IBM admitted this was a known issue with their upgrade process. They further mentioned that the partition size was manually settable as part of that process.

    So, my question is, can you resize partitions when installing patch 6? I hear it upgrades the RHEL OS to 7.5 from 7.3, so I am hoping there is a supported option to do that as there apparently was in the 7.3.1 upgrade.

    I would add the following so that everyone reading knows we have already mitigated the small partition issue as much as possible. The /opt partition issue is a known issue that has been reported by others to IBM. There is a partial fix to redirect part of the /opt mount to another partition (/store). We have implemented this, removed all possible files from /opt, but we still get the warning. Per IBM support (I have had two tickets on this issue), the only fix is a flatten and reinstall. This affects our SIEM console as well as other appliances, and I am not eager to relocate 7 plus Terabytes of Ariel data by hand so I can flatten and reinstall without losing history. I am hoping there is an option in the patch to fix this. Any help would be appreciated.

    ------------------------------
    Daniel Sichel
    CMC, Fresno Ca.
    ------------------------------


  • 2.  RE: 7.3.1 patch 6 and the /opt partition being too small

    Posted Tue November 13, 2018 02:55 PM

    Daniel,

    I believe that QRadar development just released a support script via the weekly auto updates in the /opt/qradar/support directory that can help identify and clean up partitions and remove unnecessary files. It is called partitionDiagnostic.

    I haven't run this myself yet, but last time I talked with someone on this issue the goal of the utility was to:

    1. Create a symlink for X-Force database information to move data to /store/dca, where there is more default space.
    2. Review rpm files that are added by patch versions and are no longer required, for example: older versions of ecs-ec-ingress.

    What you can do is to use this utility with the -n flag which is a dry-run option to see what this utility is going to clean up. Here is the output for the command flags that can be used by the utility.

    [root@lab_support]# ./partitionDiagnostic
    This script is designed to clean up unused service versions and free up partitions clearing away any unused data.
    
    Usage:
    partitionDiagnostic [flags]
    
    Flags:
    -d, --delete        Delete the files and folders
    -p, --dir string    scan partition for large unused files :: future feature not available yet (default "/opt/")
    -n, --dry-run       Don't actually remove anything, just show what would be done.
    -h, --help          help for partitionDiagnostic
    -s, --save-delete   Backup all the Files and Folders, before the deletion, will fail if the backups do NOT complete


    You could potentially use LVM to increase the size of /opt to get more space, but there is a utility that might help you clean up this data without having to touch your partitions. Take a look at what we are likely to clean up using the dry-run option and then if you need extra assistance with disk issues and space in /opt, you can talk to support and open a case (https://ibm.com/mysupport).

    Take a look at what I wrote here and let me know if you have follow-up questions.
    ~ Jonathan



    ------------------------------
    Jonathan Pechta
    ------------------------------



  • 3.  RE: 7.3.1 patch 6 and the /opt partition being too small

    Posted Wed November 14, 2018 08:35 AM

    That is great news! I will give it a run through and see how it does.  Thank you for pointing that out, this could be a real life saver, I was not looking forward to flattening and re-installing my SIEM Console even a little!

     

    Daniel Sichel, Info Security Analyst, Sr.,CISSP #422810






  • 4.  RE: 7.3.1 patch 6 and the /opt partition being too small

    Posted Wed November 14, 2018 12:45 PM

    Daniel,

    I would recommend that you run the app and if you need assistance cleaning up the /opt partition that you contact us. We are here to help out, but if you have any follow-up questions, feel free to ask.

    Support can certainly assist with any disk space issues you might have (IBM Support).



    ------------------------------
    Jonathan Pechta
    -
    QRadar Support Content Lead
    ------------------------------