On a Security Analytics Platform capture appliance (not a Central Manager), two filesystems will always be 100% full: "/pfs" and "/etc/solera/flows".
[[email protected] ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda4 4.9G 3.0G 1.6G 66% /
/dev/sda6 2.0G 458M 1.4G 25% /gui
/dev/sda2 68G 5.0G 59G 8% /var
/dev/sda1 1.5G 41M 1.4G 3% /boot
/dev/sda5 4.9G 1.5G 3.2G 32% /ds
tmpfs 63G 228M 63G 1% /dev/shm
/dev/sda3 2.7T 3.2G 2.5T 1% /home
/dev/sdc1 21T 21T 0 100% /pfs
/dev/sdb1 9.6T 7.9T 1.6T 83% /var/lib/solera/meta1
/dev/sdb2 9.6T 7.9T 1.6T 83% /var/lib/solera/meta2
gaugefs 21T 21T 0 100% /etc/solera/flowsBoth
/pfs and
/etc/solera/flows are virtual filesystems where all space is pre-allocated. They will always show as 100% full when mounted.
If
/pfs is not listed in the output of "df" on a capture appliance, the system may not be licensed. As root, run "
service solera status" to determine why
/pfs is not mounted. If the capture filesystem is not running, that command should return "unlicensed". If it returns any other status, or if assistance with licensing is needed, please contact Blue Coat Support.
If
/etc/solera/flows is not listed in the output of "df" and the appliance is not a Central Manager, the gaugefs service is stopped. Please contact Blue Coat Support for assistance.
The index filesystems (
/var/lib/solera/meta*) are managed by the indexing system. Once they reach 80% full, the indexer will, as needed, remove old index data in order to keep them less than or equal to 83% full. When these filesystems grow to >83%, the indexer will remove enough old data to lower them back to 80% full.
If an index filesystem shows >83% full, please contact Blue Coat Support for assistance.