Filesystem containing "/home" directory fills up on Security Analytics Central Manager

Article ID: 168408

Products

Security Analytics

Issue/Introduction



 

Cause

The /home filesystem can fill up on a Central Manager in some scenarios.

One cause of this is that exported PCAPs and associated zip files are not deleted from /home/apache/pcaps.

This can be diagnosed by running the command "du -skh /home/apache/*" as a user with root privileges to determine if the /home/apache/pcaps folder is taking up all of the filesystem space.

In versions of Security Analytics 7.x prior to v7.1.5, and in the 6.x branch prior to 6.6.11, Central Manager PCAP and zip files in /home/apache/pcaps (from PCAP exports) may not be deleted properly after they are downloaded. Over time, this issue can fill up the filesystem.

Resolution

This issue is resolved in Security Analytics v6.6.11, v7.1.5, and later releases, which add a 72-hour pcap cleanup shell and audit log messages that are written if the home partition is filling up.

Workaround

To remove PCAP and zip files in that directory manually, log in via SSH or at the console as a user with root privileges and run the following command:
 
# find /home/apache/pcaps/ -regextype posix-egrep -mtime +3 -iregex "(.*\.zip|.*\.pcap)$" -exec rm -f {} \;

This command will delete PCAP and zip files which are more than 72 hours old from /home/apache/pcaps/.
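
A preview-first variant of the cleanup above, added here as an example and not taken from the vendor's article: it reports the matching files and their size before anything is removed as root. The function names and the dry-run default are assumptions; it selects the same file types with -iname rather than -iregex, and adds -type f and -xdev so that only regular files on the same filesystem are touched.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and the dry-run default are
# assumptions; the directory, file types and 3-day age come from the article.

# Run find over DIR for .pcap/.zip files matched by -mtime +DAYS, then apply
# any extra find action passed after the first two arguments.
# -type f skips directories and symlinks; -xdev keeps find on one filesystem.
find_stale() {
    fs_dir=$1; fs_days=$2; shift 2
    [ -d "$fs_dir" ] || { echo "not a directory: $fs_dir" >&2; return 1; }
    find "$fs_dir" -xdev -type f -mtime +"$fs_days" \
        \( -iname '*.zip' -o -iname '*.pcap' \) "$@"
}

# Number of files that match.
stale_count() {
    find_stale "$1" "$2" -print | awk 'END { print NR }'
}

# Space the matching files occupy, in KiB.
stale_kib() {
    find_stale "$1" "$2" -exec du -k {} + | awk '{ s += $1 } END { print s + 0 }'
}

# Report what would be removed; delete only when the third argument is "delete".
purge_stale_exports() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    echo "$(stale_count "$1" "$2") file(s), $(stale_kib "$1" "$2") KiB in $1"
    if [ "${3:-}" = "delete" ]; then
        find_stale "$1" "$2" -exec rm -f {} +
    else
        find_stale "$1" "$2" -print
    fi
}

# Usage on the appliance, as root:
#   purge_stale_exports /home/apache/pcaps 3          # preview only
#   purge_stale_exports /home/apache/pcaps 3 delete   # remove the listed files
```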