search cancel

Getting a Device is encountering a low disk space on Endpoint Detection and Response (EDR)


Article ID: 174590


Updated On:


Endpoint Detection and Response Advanced Threat Protection Platform Endpoint Protection with Endpoint Detection and Response


System Health status displays one of the following messages:

  • Device is encountering low disk space on /var drive
  • Device is encountering low disk space on /var/log drive
  • Device is encountering low disk space on root drive


All versions of EDR and ATP


Most common causes are:

  • VM Resources have not been RESERVED or have been UNRESERVED during operation
  • Database has grown too large because more clients have been added
  • Database is receiving abnormally large number of events
  • System logs are not purging properly that fills the disk


1.  Review - Symantec EDR system messages and recommended actions 

2.  Ensure system resources are RESERVED and not just allocated

3.  Check sizing requirements of Hardware and VM especially when Endpoint Activity Recorder (EAR) has been enabled:

Additional Information

Operating EDR VMs with UNRESERVED resources may corrupt the database; and may cause the EDR to repeatedly crash or not to boot properly.   Hence, the EDR must be redeployed.

Also, EDR VM snapshots are not supported and may result in similar behaviors.