Sensor disk usage is high.

Article ID: 409908

Updated On:

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

An alarm has been raised indicating that the Sensor's average disk usage is high (> 80%).

Environment

SSP 5.1

NDR Sensor 5.1

Cause

High disk usage on the sensor is typically caused by the accumulation of operational data. The most common reasons are:

1. Support bundles: Generating tech-support bundles consumes disk space. If these bundles are not copied off the sensor and deleted, they can fill up the data partitions.

2. Core dumps: In unlikely circumstances, if a service crashes, the system may generate a large core dump file in the `/var/dump` partition for later analysis.

3. Packet captures (PCAPs): Capturing network traffic for troubleshooting can create very large files that are not manageable via the standard CLI.

Resolution

Follow these troubleshooting steps from the NDR Sensor CLI, using admin credentials, to diagnose and resolve the issue.

1. Manage CLI-accessible files: List the files in the filestore to check for old support bundles, which are stored there.

List files:

ndr-sensor> get files

 

If you identify large or unnecessary files, you can delete them:

ndr-sensor> del file <filename>

Check for and delete core dump files specifically.

List core dumps:

ndr-sensor> get core-dumps

Delete core dumps:

ndr-sensor> del core-dump <core-dump-filename>

Freeing up space by deleting old bundles and dumps is often the quickest way to resolve the issue.

 

2. Identify the full partition: Use the command below to see the usage for all major partitions:

ndr-sensor> get filesystem-stats

Look at the `Use%` column and identify which `Mounted on` location is at or near 100%. Report this information in case a support ticket has to be opened.

Sample output:

ndr-sensor-55aba754> get filesystem-stats
Tue Sep 09 2025 UTC 02:03:25.680

Filesystem                      Size  Used Avail Use% Mounted on
tmpfs                           2.0G  4.2M  2.0G   1% /run
/dev/sda4                        33G  9.3G   22G  30% /
tmpfs                           9.7G  4.0K  9.7G   1% /dev/shm
tmpfs                           5.0M     0  5.0M   0% /run/lock
/dev/mapper/sensor-config__bak   14G   24K   14G   1% /config_bak
/dev/mapper/sensor-var+log       42G  4.4G   36G  12% /var/log
/dev/mapper/sensor-image         19G   40K   18G   1% /image
/dev/mapper/sensor-config        14G   56K   14G   1% /config
/dev/mapper/sensor-data          66G  1.7G   61G   3% /data
/dev/mapper/sensor-tmp          3.7G   52K  3.5G   1% /tmp
/dev/mapper/sensor-var+dump      19G   24K   18G   1% /var/dump
/dev/sda3                       943M  7.2M  871M   1% /boot
/dev/sda5                        33G   24K   31G   1% /os_bak
/dev/sda2                       499M  4.0K  499M   1% /boot/efi

As the root user, check for any captured debugging PCAPs:

root@ndr-sensor# ls -lrta /data/suricata/debug_pcaps/

Delete any debug PCAPs that are no longer needed.

Note: If the issue persists, collect the NDR Sensor support bundle (refer to the documentation for how to collect a support bundle) and raise a support ticket.
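The partition check in step 2 can be scripted on an admin workstation against saved `get filesystem-stats` output. The following is an added example, not code from the vendor or the product. The function names, the per-partition use of the 80% alarm threshold, and the sample usage values are assumptions.

```python
import re

# Constructed sample: layout follows the article's sample output, usage values are invented.
SAMPLE = """\
ndr-sensor> get filesystem-stats
Tue Sep 09 2025 UTC 02:03:25.680

Filesystem                      Size  Used Avail Use% Mounted on
/dev/sda4                        33G  9.3G   22G  30% /
/dev/mapper/sensor-var+log       42G  4.4G   36G  12% /var/log
/dev/mapper/sensor-data          66G   57G  6.0G  91% /data
/dev/mapper/sensor-var+dump      19G   19G     0 100% /var/dump
"""

# Cleanup commands the article gives for specific locations.
HINTS = {
    "/var/dump": "get core-dumps / del core-dump <core-dump-filename>",
    "/data": "as root: ls -lrta /data/suricata/debug_pcaps/",
}
DEFAULT_HINT = "report Use% and mount point in the support ticket"

# One df-style row: filesystem, size, used, avail, Use%, mount point.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)%\s+(/.*)$")


def parse_filesystem_stats(text):
    """Return (mount, use_pct, filesystem) tuples; prompt, timestamp and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(6).strip(), int(m.group(5)), m.group(1)))
    return rows


def flag_partitions(text, threshold=80):
    """Return partitions above `threshold` percent, fullest first, with the matching cleanup hint."""
    flagged = [(mount, pct, HINTS.get(mount, DEFAULT_HINT))
               for mount, pct, _fs in parse_filesystem_stats(text) if pct > threshold]
    return sorted(flagged, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for mount, pct, hint in flag_partitions(SAMPLE):
        print(f"{pct:3d}%  {mount:<10} -> {hint}")
```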