000031519 - How to troubleshoot a full root partition on RSA Security Analytics appliances

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Article Number: 000031519
Applies To: RSA Product Set: Security Analytics
Platform: CentOS
O/S Version: EL5, EL6
Issue: The root ( / ) partition may become 100% full on a Security Analytics appliance for a variety of reasons.
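Resolution: The command below helps identify which file(s) could be taking up the disk space. Its first part looks only in the root ( / ) partition (-xdev option) and at files larger than 10 MB (this can be changed), and lists them sorted by size. Its second part prints the number of files under each top-level directory, sorted by count; this count does not use -xdev, so it also includes directories such as /sys that are on other filesystems.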
[root@ESA-Server ~]# find / -xdev -type f -size +10M -printf '%s %f\n' | sort -n ; for i in $(find / -maxdepth 1 \( ! -name proc \) -type d) ; do echo -n $i": " ; ( find $i -type f | wc -l ) 2>/dev/null ;  done | sort -k2 -n
18519885 initramfs-2.6.32-358.18.1.el6.x86_64.img
19334799 initramfs-2.6.32-504.1.3.el6.x86_64.img
19432098 initramfs-2.6.32-431.23.3.el6.x86_64.img
/lost+found: 0
/media: 0
/mnt: 0
/srv: 0
/home: 10
/temp: 21
/boot: 36
/dev: 49
/bin: 83
/sbin: 172
/root: 193
/lib64: 384
/tmp: 854
/etc: 1013
/selinux: 1437
/opt: 1779
/sys: 7140
/lib: 7287
/var: 18816
/usr: 42310
/: 115063

-size +10M: files over 10 MB
Notes: It is uncommon to have files in directories that are used as mount points for external filesystems (for example, NFS in a Warehouse Connector). To check such directories without unmounting them, use:

mkdir /newroot && mount --bind / /newroot

Under /newroot you can inspect the contents of the directories that are used as mount points.


- A Log Decoder has a Warehouse Connector that uses /saw as its NFS mount point.

- NFS communication times out, and the WHC then writes files to /saw (which is now a LOCAL FOLDER!).

- After the NFS share is mounted again, the files inside /saw are shadowed.
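
The check from the Notes can be automated for every mount point at once. The function below is an added example, not part of the original RSA article; the name shadowed_under_mounts, the script file name and the output layout are assumptions. It reads a mounts table in /proc/mounts format and reports each mount point whose underlying directory in the bind view still holds files.

```shell
# Added example: list mount points whose underlying directory on the root
# filesystem still holds files (files shadowed by the mounted filesystem).
# Run as root on the appliance after creating the bind view from the Notes:
#   mkdir /newroot && mount --bind / /newroot
#   sh shadowed.sh /proc/mounts /newroot     # script file name is an assumption
#   umount /newroot && rmdir /newroot
#
# $1 = mounts table in /proc/mounts format, $2 = path of the bind view.
# Output, one line per affected mount point: <mount point> TAB <files> TAB <KB>
# Limitation: mount points containing whitespace (escaped as \040 in
# /proc/mounts) are not decoded and are therefore skipped.
shadowed_under_mounts() {
    mounts_file=$1
    view=$2
    while read -r _dev mnt _rest; do
        # The root itself and the bind view are not candidates.
        [ "$mnt" = "/" ] && continue
        case "$mnt" in "$view" | "$view"/*) continue ;; esac
        # Skip mount points whose directory is not on the root filesystem
        # (for example, a mount nested under another mounted filesystem).
        [ -d "$view$mnt" ] || continue
        # -xdev keeps find on the filesystem shown by the bind view.
        count=$(find "$view$mnt" -xdev -type f 2>/dev/null | wc -l)
        [ "$count" -gt 0 ] || continue
        kb=$(du -skx "$view$mnt" 2>/dev/null | cut -f1)
        printf '%s\t%s\t%s\n' "$mnt" "$count" "$kb"
    done < "$mounts_file" | sort -u
}

# Allow direct use: sh shadowed.sh <mounts file> <bind view>
if [ "$#" -eq 2 ]; then
    shadowed_under_mounts "$1" "$2"
fi
```

Any directory it lists holds data on the root partition that is invisible while the external filesystem is mounted, which is the /saw situation described above.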