search cancel

Getting a Device is encountering a low disk space on Endpoint Detection and Response (EDR)

book

Article ID: 174590

calendar_today

Updated On:

Products

Endpoint Detection and Response Advanced Threat Protection Platform Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

System Health status displays one of the following messages:

  • Device is encountering low disk space on /var drive
  • Device is encountering low disk space on /var/log drive
  • Device is encountering low disk space on root drive

Cause

Most common causes are:

  • VM Resources have not been RESERVED or have been UNRESERVED during operation
  • Database has grown too large because more clients have been added
  • Database is receiving abnormally large number of events
  • System logs are not purging properly that fills the disk

Environment

All versions of EDR and ATP

Resolution

1.  Review - Symantec EDR system messages and recommended actions 

2.  Ensure system resources are RESERVED and not just allocated

3.  Check sizing requirements of Hardware and VM especially when Endpoint Activity Recorder (EAR) has been enabled:

Additional Information

Operating EDR VMs with UNRESERVED resources may corrupt the database; and may cause the EDR to repeatedly crash or not to boot properly.   Hence, the EDR must be redeployed.

Also, EDR VM snapshots are not supported and may result in similar behaviors.