Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Environment

EDR Server: All Versions (formerly CB Response)

Symptoms

EDR Server services will not start
'df -h' command reports partition(s) with 100% disk space used

Cause

Excessive disk space usage from files outside of /var/cb/data directory.

Resolution

Remove common large files from EDR server
- .hprof files (stack traces associated with SOLR crashes):
  1. Check for presence of .hprof files
    - ```
    find /var/log/cb -type f -iname "*.hprof.*"
```

Remove any .hprof files found:
- ```
rm -f {full path}/*hprof.old
```

Diagnostic files

Check for presence of diagnostic files
- ```
find / -type f -iname "cbdiag*"
```
Remove any diagnostic files found:
- ```
rm -f {full path}/*.cbdiag
```

RPM files

Remove RPM files from yum repository
- ```
yum clean all
```
Disable yum caching option:

a. vi /etc/yum.conf file

b. Add or modify following parameter/value: keepcache=0

Additional Notes

If disk usage is still near 100%, following command will help determine if SOLR or Modulestore are accounting for disk space usage:

du -h /var/cb/data/ --max-depth=1

Related Content

CB Response: How To Purge CbEvent (Process) Data in 5.x
EDR: How To Purge CbEvent (Process) Data in 6.x and Higher
EDR: How to Enable Automated Cbmodule Purging
EDR: Modulestore Filling Disk When Alliance Sharing Is Disabled

Article Information

Author:

Creation Date:

‎04-02-2019

Views:

2816

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.