EDR: Disk On Server Full Due To Large Files
search cancel

EDR: Disk On Server Full Due To Large Files

book

Article ID: 285120

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • EDR Server services will not start
  • 'df -h' command reports partition(s) with 100% disk space used

Environment

  • EDR Server: All Versions (formerly CB Response)

Cause

Excessive disk space usage from files outside of /var/cb/data directory.

Resolution

  • Remove common large files from EDR server
    • .hprof files (stack traces associated with SOLR crashes):
      1. Check for presence of .hprof files
        • find /var/log/cb -type f -iname "*.hprof.*"
  1. Remove any .hprof files found:
    • rm -f {full path}/*hprof.old
  • Diagnostic files
  1. Check for presence of diagnostic files
    • find / -type f -iname "cbdiag*"
  2. Remove any diagnostic files found:
    • rm -f {full path}/*.cbdiag
  • RPM files
  1. Remove RPM files from yum repository
    • yum clean all
  2. Disable yum caching option:
a. vi /etc/yum.conf file
b. Add or modify following parameter/value: keepcache=0

Additional Information

If disk usage is still near 100%, following command will help determine if SOLR or Modulestore are accounting for disk space usage:
 

du -h /var/cb/data/ --max-depth=1