
Sentinel disk space is full


Sentinel's disk space is full and now it does not start. I have no network
storage and no other machine! How do I clean old data and the partition? (Can
I rm eventdata and rawdata?)


--
whitesocks

Re: Sentinel disk space is full

It'd probably be a lot better to add more space to the system so that it
can start and then you can clean it up normally. Deleting data randomly
could leave your Sentinel system in an inconsistent state. Growing a
filesystem, particularly if you are using a VM, or if you are using LVM on
any system, is really easy to do.

Which version of Sentinel? Which patches also are on the system?

Have you updated the Sentinel Core Solution Pack ever to the version that
fixes some problems causing disk space issues?

How much disk space do you have in various mount points (`df -h` output)?

--
Good luck.


Re: Sentinel disk space is full


Sentinel version is 7.0.3.
I won't add space to the system; my system is installed on a physical machine.
So I want to delete old data. How do I clean old data? Thanks!


--
whitesocks

Re: Sentinel disk space is full


The only directory that you can clean up without any problems is the
/var/opt/novell/Sentinel/log directory.
It is not much but it might be just enough.
Once Sentinel has started, go to storage -> Data synchronization and
disable all RDDs. Better still, first open all RDDs and set the
retention date to 2 or 3 days or something and leave it for a day or
so.
Delete everything in the security intelligence dashboard; this will take
a few days to be effective.
Set the "at least" field of the data retention on all the policies to 2
days or something like that.
After you have gained some disk space again, upgrade Sentinel.

After all this, have a critical look at what you really need.
On a system with not much disk space you probably don't want the
security intelligence because it fills up the mongodb.
The RDDs fill up the postgresql db, so be careful about which ones to use
and what the retention date is set to.
Finally, you can make additional data retention policies to delete
unimportant data more quickly.
One thing I normally do is set the raw data retention policy to at
least 1 day and at most 3 days to get rid of the raw data as soon as
possible while still being able to back it up to tape. If you really don't
need the raw data (Sentinel only stores it as a reference but doesn't do
anything with it) you can also switch off the collection of it
altogether. This will also gain you a little bit of performance, but I
experienced that I have to remove the data by hand now because the data
retention policy is not deleting the data any more.

One other thing you can do is split the partition you have your data
on in two and use one partition as network storage. The data on the
network storage is compressed more heavily than on your local storage.
Keep in mind that at first it will take up more space because events are
stored mostly uncompressed on the local storage AND compressed on the
network storage.

Hope this helps.
Regards,
Anco


--
jcvader1
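
Added example, not part of any post in this thread: a guarded, dry-run-first cleanup of the log directory named in the reply above, which refuses any path that is not a directory called "log" so that a typo cannot point it at eventdata or rawdata. Only the path /var/opt/novell/Sentinel/log comes from the thread; the function names, the age threshold and the --delete flag are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Sentinel's own tooling). LOG_DIR is the path from the thread.
LOG_DIR="${LOG_DIR:-/var/opt/novell/Sentinel/log}"

# Accept only an existing directory whose last path component is "log".
# A path must contain a slash (e.g. /var/.../log or ./log) to qualify.
is_log_dir() {
    case "${1%/}" in
        */log) [ -d "$1" ] ;;
        *)     return 1 ;;
    esac
}

# List regular files under DIR last modified more than DAYS days ago.
# -xdev keeps find on one filesystem; -type f skips symlinks and directories.
old_logs() {
    is_log_dir "$1" || return 1
    find "${1%/}" -xdev -type f -mtime +"$2" -print
}

# Total size in KiB of the files old_logs would select (0 if none).
reclaimable_kb() {
    is_log_dir "$1" || return 1
    find "${1%/}" -xdev -type f -mtime +"$2" -exec du -k {} + |
        awk '{ s += $1 } END { print s + 0 }'
}

# Dry run by default: prints candidates. Deletes only with a third
# argument of exactly "--delete".
purge_old_logs() {
    is_log_dir "$1" || { echo "refusing: $1 is not a log directory" >&2; return 1; }
    if [ "${3:-}" = "--delete" ]; then
        find "${1%/}" -xdev -type f -mtime +"$2" -exec rm -f -- {} +
    else
        old_logs "$1" "$2"
    fi
}

# Typical use (nothing runs automatically):
#   df -h                                  # where is the space gone?
#   reclaimable_kb "$LOG_DIR" 7            # how much would be freed?
#   purge_old_logs "$LOG_DIR" 7            # review the list
#   purge_old_logs "$LOG_DIR" 7 --delete   # then remove
```

Space held by a file that a running process still has open is not released until that process closes it, so run the delete step while Sentinel is stopped or restart it afterwards.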