Security Analytics filesystem basic troubleshooting


Security Analytics


On a Security Analytics Platform capture appliance (not a Central Manager), two filesystems will always be 100% full: "/pfs" and "/etc/solera/flows".

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda4             4.9G  3.0G  1.6G  66% /
/dev/sda6             2.0G  458M  1.4G  25% /gui
/dev/sda2              68G  5.0G   59G   8% /var
/dev/sda1             1.5G   41M  1.4G   3% /boot
/dev/sda5             4.9G  1.5G  3.2G  32% /ds
tmpfs                  63G  228M   63G   1% /dev/shm
/dev/sda3             2.7T  3.2G  2.5T   1% /home
/dev/sdc1              21T   21T     0 100% /pfs
/dev/sdb1             9.6T  7.9T  1.6T  83% /var/lib/solera/meta1
/dev/sdb2             9.6T  7.9T  1.6T  83% /var/lib/solera/meta2
gaugefs                21T   21T     0 100% /etc/solera/flows

Both /pfs and /etc/solera/flows are virtual filesystems where all space is pre-allocated. They will always show as 100% full when mounted.

If /pfs is not listed in the output of "df" on a capture appliance, the system may not be licensed. As root, run "service solera status" to determine why /pfs is not mounted. If the capture filesystem is not running, that command should return "unlicensed". If it returns any other status, or if assistance with licensing is needed, please contact Blue Coat Support.

If /etc/solera/flows is not listed in the output of "df" and the appliance is not a Central Manager, the gaugefs service is stopped. Please contact Blue Coat Support for assistance.

The index filesystems (/var/lib/solera/meta*) are managed by the indexing system. Once they reach 80% full, the indexer will, as needed, remove old index data in order to keep them less than or equal to 83% full. When these filesystems grow to >83%, the indexer will remove enough old data to lower them back to 80% full.

If an index filesystem shows >83% full, please contact Blue Coat Support for assistance.
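
The checks described above can be scripted so that monitoring does not flag the pre-allocated filesystems as full. This is an added example, not a tool shipped with the product: the function names `check_sa_df` and `constructed_df`, the OK/ALERT wording, and the sample input are assumptions made for illustration, and the script assumes it runs on a capture appliance rather than a Central Manager.

```shell
#!/bin/sh
# Added example: apply this page's rules to `df` output read from stdin.
# check_sa_df and constructed_df are hypothetical names, not product commands.
check_sa_df() {
  awk '
    NR == 1 || NF < 6 { next }            # skip header and short/blank lines
    { mnt = $NF; pct = $(NF-1); sub(/%/, "", pct); pct += 0 }
    # Pre-allocated virtual filesystems: 100% is the normal reading.
    mnt == "/pfs" || mnt == "/etc/solera/flows" {
      seen[mnt] = 1
      print "OK " mnt " pre-allocated, " pct "% is expected"
      next
    }
    # Index filesystems: the indexer keeps them at or below 83%.
    mnt ~ /^\/var\/lib\/solera\/meta/ {
      if (pct > 83) { bad = 1; print "ALERT " mnt " at " pct "%, above 83%: contact support" }
      else          { print "OK " mnt " at " pct "%, managed by the indexer" }
    }
    END {
      if (!("/pfs" in seen)) {
        bad = 1; print "ALERT /pfs not mounted: run \"service solera status\" as root"
      }
      if (!("/etc/solera/flows" in seen)) {
        bad = 1; print "ALERT /etc/solera/flows not mounted: gaugefs is stopped"
      }
      exit bad + 0                        # non-zero exit when any ALERT was raised
    }'
}

# Constructed sample: meta2 is over the ceiling and /etc/solera/flows is missing.
constructed_df() {
  cat <<'EOF'
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda4             4.9G  3.0G  1.6G  66% /
/dev/sdc1              21T   21T     0 100% /pfs
/dev/sdb1             9.6T  7.9T  1.6T  83% /var/lib/solera/meta1
/dev/sdb2             9.6T  8.4T  1.2T  88% /var/lib/solera/meta2
EOF
}

# Demo run on the sample; on a capture appliance use: df -P | check_sa_df
constructed_df | check_sa_df || true
```

The function exits non-zero when any ALERT line is printed, so it can be called from cron or a monitoring agent.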