do a "df -h" and check the following:
- Are the external storage arrays configured and mounted to:
/var/netwitness/logdecoder
/var/netwitness/logdecoder/index
/var/netwitness/logdecoder/sessiondb
/var/netwitness/logdecoder/metadb
/var/netwitness/logdecoder/packetdb
* There may be additional mounts depending on how many DACs/PVs are attached
If these are not present, then you are writing DATA to the /var/netwitness partition and yes it will run out of room real quick.
If this is the case, and there is available storage arrays that are just not mounted, (check by running lvscan), then make sure the mounts are present in /etc/fstab file.
If they are not configured, you need external storage to write the DATA to, if this is Virtual Install, you need to allocate space for these file systems and create them.
- If this is not the case, then do as Naushad mentioned, run:
du -sh /var/netwitness/*
and see what is using the storage, note, stop the logdecoder service and unmount the above filesystems (in reverse order) and then run the "du -sh" command again and see if there is alot of used space under /var/netwitness/logdecoder, it's possible capture was inadvertently started BEFORE the external storage was configured and there is data hidden under the /var/netwitness/logdecoder mount point. If so, with the above filesystems unmounted, do run:
rm -rf /var/netwitness/logdecoder/* to remove the data hidden under the mountpoint, then do a "mount -a" to remount the filesystems and then start the logdecoder service again.
