One cause is the auditd daemon monitoring a highly active directory that has minimal security exposure, so the audit log grows far faster than it needs to. The same symptom can also be caused by very large files in the /var/log/prelert directory (usually in the elasticsearch subdirectory).
The main postgres database resides in /var/lib/pgsql. If the database has filled up all available space in /var, it will cause issues with authentication and other basic functions. Typically the /var partition is 68 GB in size. It is also possible that log files are filling up the partition. Run these commands to see how much space particular directories are using:
du -sh /var/log
du -sh /var/lib/pgsql
If the space is being taken up by log files such as the /var/log/messages file or audit files in /var/log/audit, you can temporarily move them to the /home directory if needed to free up space.
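The following script is an added example, not part of the original article: it ranks the subdirectories of a path by on-disk usage (so you can see at a glance whether /var/log, /var/lib/pgsql or /var/log/prelert is the culprit) and flags when a filesystem is above a chosen fill percentage. It assumes POSIX sh with du, df and find available; the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the KB article). Helpers for triaging a full /var.
# Assumes POSIX sh plus du/df/find with -k support (Linux or BSD userland).

# Print the subdirectories of $1 largest first, one "KB<TAB>path" per line,
# showing at most $2 entries (default 10). du -x stays on one filesystem so a
# separately mounted /var/lib/pgsql is not counted twice.
largest_subdirs() {
    dir=$1
    limit=${2:-10}
    find "$dir" -mindepth 1 -maxdepth 1 -type d -exec du -skx {} + 2>/dev/null \
        | sort -rn | head -n "$limit"
}

# Print the used percentage (no "%" sign) of the filesystem holding $1.
fs_use_percent() {
    df -Pk "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Succeed (exit 0) when the filesystem holding $1 is more than $2 percent full.
fs_over_threshold() {
    used=$(fs_use_percent "$1")
    [ -n "$used" ] && [ "$used" -gt "$2" ]
}

# Report the usual suspects from the article. Paths are the article's own;
# the 90% threshold is an assumption for this example.
var_fill_report() {
    if fs_over_threshold /var 90; then
        echo "WARNING: /var is $(fs_use_percent /var)% full"
    fi
    for d in /var/log /var/lib/pgsql /var/log/prelert; do
        [ -d "$d" ] || continue
        echo "== largest entries under $d =="
        largest_subdirs "$d" 5
    done
}
```

Run `var_fill_report` as root on the appliance; the paths are the ones the article names and the 90% threshold is just an example value.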
NOTE: This procedure is not recoverable. Once you truncate a table in the database, you cannot retrieve it. Truncating the wrong table can render your appliance useless. Unless you are already familiar with these different tables, please contact Technical Support to validate that truncating tables is the right solution.
If the largest table is report_items, run:
su - postgres
psql -d dsweb
truncate table report_items cascade;
scm db summary dsweb size
Note: If the meta_info table is the largest, run the command "truncate table meta_info cascade;".
Another cause of /var filling up is the audit.log collecting the changes made in Anomaly Detection. Only perform these steps if you are running Security Analytics version 7.2.1 or earlier. This has been fixed in Security Analytics version 7.2.2 and greater.
The two audit rules below (auditctl syntax) tell auditd never to record exit events for the Anomaly Detection directories:
-A exit,never -F arch=b64 -F dir=/var/spool/prelert
-A exit,never -F arch=b64 -F dir=/opt/prelert/prelert_home/cots/elasticsearch
To enable proper audit.log rotation:
If the large files are in the /var/log/prelert directory, first confirm whether Anomaly Detection is enabled by going to the Settings > Data Enrichment > Data Enrichment Profiles section. If Anomaly Detection is enabled, the selected profile will be "Full Data Enrichment with Anomaly detection". This was the default setting for several versions of Security Analytics, so the feature may be enabled without your realizing it. You can disable Anomaly Detection by choosing the "Full Data Enrichment (No Anomaly Detection)" profile. This should automatically clean up the files and logs in /var/log/prelert/elasticsearch; if it does not, the files can be deleted manually.