Re: ips 4255 "available disk space (100% usage)"

pmichaelson · ‎12-02-2005

I am having an issue where the AnalysisEngine will not stay running, as i am looking into this i see available disk space (100% usage), could this be part of the problem? how do i free up space on the ips?

Here is the show ver

Using 1150967808 out of 3974713344 bytes of available memory (28% usage)

Using 513M out of 513M bytes of available disk space (100% usage)

Using 495M out of 513M bytes of available disk space (97% usage)

MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 NotRunning

Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

Logger 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

NetworkAccess 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

TransactionSource 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500

Upgrade History:

* IDS-sig-4.1-5-S201 07:33:01 UTC Tue Nov 29 2005

IDS-sig-4.1-5-S204.rpm.pkg 10:03:03 UTC Thu Dec 01 2005

thanks in advance for any help

s.breault · ‎12-02-2005

You are not alone, many of us have had the same experience. Go back in the post to early Sept timeframe you will find your answer there.

Basically you will need to remove old files in the

/usr/cids/idsRoot/var/updates/files/S69

/usr/cids/idsRoot/var/updates/files/common

usr/cids/idsRoot/var/events.tar.gz

We ran into this issue after we upgraded to S189...it's strange that this is happenning for you at S204....Anyhow hope this helps

pmichaelson · ‎12-02-2005

i removed the old files, i even removed the old signatures packages, and it is still showing the same disk usage and i have rebooted it, i went to downgrade the sigs but since the AnalysisEngine is not running it will not let me. I am stuck

Jeffrey Bollinger · ‎12-03-2005

If the AnalysisEngine is down that can mean several things.

AnalysisEngine will go down temporarily during a software upgrade or signature upgrade. If either one of these operations fails or gets hung, SensorApp (a.k.a. AnalysisEngine) will also get stuck. If this happens, the best bet is to backup your configuration:

copy current-config destination-url ftp://x.x.x.x/backup.txt

and then reimage your sensor.

As per the release note for CSCsb81288 which you've already seen:

- log into service account and become root (use the su command with the same svc acct PW)

- remove the following directories:

# rm -rf /usr/cids/idsRoot/var/updates/files/S69

# rm -rf /usr/cids/idsRoot/var/updates/files/common

# rm /usr/cids/idsRoot/var/virtualSensor/*

# rm /usr/cids/idsRoot/var/.tmp/*

- If not enough space is freed up...

- Also, needed to remove files from:

/usr/cids/idsRoot/var/updates/sigupdate/*

/usr/cids/idsRoot/var/updates/backups/*

/usr/cids/idsRoot/var/updates/*.rpm.pkg

/usr/cids/idsRoot/var/core/mainApp

/usr/cids/idsRoot/var/core/logApp

/usr/cids/idsRoot/var/core/nac

/usr/cids/idsRoot/var/core/authentication

/usr/cids/idsRoot/var/core/ctlTransSource

/usr/cids/idsRoot/var/core/sensorApp

/usr/cids/idsRoot/var/core/-cidcli

/usr/cids/idsRoot/var/core/terminal

/usr/cids/idsRoot/var/core/sendCtlTrans

*Note: after removing these extra files, you cannot perform a downgrade.

To find out what files could be using up the space, issue the command:

cd /usr/cids/idsRoot/var

then

du -alkh

pmichaelson · ‎12-13-2005

I actually ended up doing a system recovery...waa...thanks for all the help

Phil