|Applies To||RSA Product Set: NetWitness Logs & Network|
RSA Product/Service Type: NetWitness Core
RSA Version/Condition: 10.6.x, 11.x
|Issue||The /tmp partition on an RSA Security Analytics appliance is 100% utilized but no large files are present.|
Issuing the df -h command on the appliance shows the /tmp partition as being full, as seen in the example below.
Examining the /tmp partition with the ls -lah /tmp command shows no large files that account for the utilized disk space.
|Cause||While the /tmp partition is used to store physical files, it is also used to store "virtual files," meaning files that are in use by an active process. If a process doesn't release the file correctly, even though the file is not is not actually on the filesystem structure, the space it used is still allocated.|
In order to confirm that the issue is caused by allocated space from files not properly released from processes, you may issue the following command: lsof | grep /tmp | grep deleted
Issuing the command above will display a list of the files that have since been deleted but are still associated with an active process and claiming disk space. You will also be able to see the amount of space that is being consumed.(See the screenshot in the section below)
After identifying the process (or processes) that is still linked to the files, you will be able to perform one of the following three actions to free the space:
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
The screenshot below is an example of output generated by the lsof | grep /tmp | grep deleted command that was issued on a Security Analytics server appliance.
|Legacy Article ID||a66756|