This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

RSA SA indicates /var/netwitness partition is almost 100% utilization

Go to solution
pranavsankar1
Beginner
Beginner

‎2016-10-11 03:27 AM

Hello Everyone ,

 

When I check df -h on SA head i can see my /var/netwitness partition as 98 %

 

/dev/mapper/VolGroup00-nwhome
                       20G   20G  465M  98% /var/netwitness

 

When I examine the contents of /var/netwitness i can see something like below :


[root SA01 netwitness]# ls -lah
total 5.4G
drwxr-xr-x.  8 root root 4.0K Oct  5 01:21 .
drwxr-xr-x. 22 root root 4.0K Feb 22  2016 ..
drwxr-xr-x.  3 root root 8.0K Oct  4 22:37 123
drwxr-xr-x.  3 root root   35 Aug 19 22:15 appliance
drwxr-xr-x.  6 root root   70 Aug 19 22:15 broker
drwxr-xr-x.  3 root root   18 Apr 26 20:52 database
drwxr-xr-x.  3 root root   60 Sep 30 14:56 ipdbextractor
-rw-------.  1 root root   12 Oct 11 07:19 NwBroker.persist
-rw-r--r--.  1 root root 1.8G Oct  4 21:35 ABC.bz2
-rwxr-xr-x.  1 root root 3.6G Oct  4 22:29 XYZ.zip
drwxr-xr-x.  3 root root   16 Apr 26 20:49 srv

 

I didn't find any files in the /var/netwitness partition that could be consuming nearly 20GB of space.

 

Why i'm seeing 98% partition in df -h output ?

 

Thanks in advance !

 

Regards

Pranav

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
GiuseppeCunsolo
Beginner
Beginner
In response to pranavsankar1

‎2016-10-11 09:35 AM

ls -lah will print the disk occupation of the files in the /var/netwitness folder.

5.4G is basically 1.8G ABC.bz2 + 3.6G XYZ.zip, plus that 8K of 123.

 

You can use the option -R to recursively list subdirectories.

 

Just as an example, in my lab ls prints just 20K. Because I only have a few small files in that folder. 

ls -lah /var/netwitness/

total 20K

 

df -h has a different purpose, it prints disk space usage (disk free). In this case it shows you that out of 20G in total you only have 465M available (free).

 

Hope this helps to understand the output and answers your question "why df -h output and ls -lah looks differ".

View solution in original post

8 REPLIES 8

Go to solution
TwinkleLath
Occasional Contributor Occasional Contributor
Occasional Contributor

‎2016-10-11 06:12 AM

Hi Pranav,

 

Please check the directories appliance and srv that might be consuming more space.

Run below command to check the same:

for i in $(find /var/netwitness/ -type d -xdev -maxdepth 2) ;do du -s $i ; done | sort -nr

0 Likes

Go to solution
pranavsankar1
Beginner
Beginner
In response to TwinkleLath

‎2016-10-11 06:51 AM

Please find the output

 

25950696        /var/netwitness/
7510212 /var/netwitness/10-5-2
6194776 /var/netwitness/srv/www
6194776 /var/netwitness/srv
3777392 /var/netwitness/10-5-2/SA-10-5-2-Update
3735780 /var/netwitness/ipdbextractor
2148848 /var/netwitness/broker
728416  /var/netwitness/appliance
717524  /var/netwitness/appliance/statdb
38744   /var/netwitness/database

0 Likes

Go to solution
TwinkleLath
Occasional Contributor Occasional Contributor
Occasional Contributor
In response to pranavsankar1

‎2016-10-11 06:56 AM

Hi Pranav,

 

So, the 10.5.2 packages are consuming maximum space in /var/netwitness.

0 Likes

Go to solution
pranavsankar1
Beginner
Beginner
In response to TwinkleLath

‎2016-10-11 07:09 AM

Thanks, I'll move that file to any tmp file but why df -h output and ls -lah looks differ ?

 

[root SA01 netwitness]# ls -lah
total 5.4G

 

/dev/mapper/VolGroup00-nwhome
                       20G   20G  465M  98% /var/netwitness

 

Does it really plays a role ?

0 Likes

Go to solution
GiuseppeCunsolo
Beginner
Beginner
In response to pranavsankar1

‎2016-10-11 09:35 AM

ls -lah will print the disk occupation of the files in the /var/netwitness folder.

5.4G is basically 1.8G ABC.bz2 + 3.6G XYZ.zip, plus that 8K of 123.

 

You can use the option -R to recursively list subdirectories.

 

Just as an example, in my lab ls prints just 20K. Because I only have a few small files in that folder. 

ls -lah /var/netwitness/

total 20K

 

df -h has a different purpose, it prints disk space usage (disk free). In this case it shows you that out of 20G in total you only have 465M available (free).

 

Hope this helps to understand the output and answers your question "why df -h output and ls -lah looks differ".

Go to solution
TheBerg
New Contributor
New Contributor
In response to TwinkleLath

‎2016-10-13 11:55 AM

Good Day Twinkle. The message below was intended for a different recipient.

 

 

Scott Bergman

Information Security – Forensic Analyst/eDiscovery

YRC Freight – Overland Park, Kansas.

Office: 913.344.5544

Confidence Delivered.®

Time-Critical<http://www.yrc.com/freight-shipping-services/time-critical-freight.html> / Exhibit<http://www.yrc.com/freight-shipping-services/trade-show-shipping.html> / Cross-Border<http://www.yrc.com/freight-shipping-services/time-critical-freight.html?cid=yrcf_em_mktg_timecrit_3>

 

 

Preview file
2 KB
0 Likes

Go to solution
HongtaeJin
Occasional Contributor Occasional Contributor
Occasional Contributor

‎2016-10-18 03:48 AM

Have you checked core dump files?

Sometimes system core dump files consume lots of space.

0 Likes

Go to solution
TheBerg
New Contributor
New Contributor
In response to HongtaeJin

‎2016-10-18 04:33 AM

Morning Jin. I am not aware of this issue in my environment. Do you have the correct person?

 

 

Sent from OWA on Android

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.