Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 12 replies
  • Answers 1 answer
  • Subscribers 7 subscribers
  • Views 5220 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Root Partition High Usage 85%

Nick Page

Hi

We are getting frequent email warnings that the Root partition is filling up on our SG430 hardware appliance. After looking around on this site, it appears the common issue is with either core dumps or updates that need either applying or deleting. From what I can see that it not the cause of our issue. Can someone take a look at the below folder sizing and point me in the right direction as I'm not sure what to delete. Please be clear on any commands as I'm not familiar with Linux and a little out of my comfort zone, thanks. 

syn-iii:/home/login # cd /
syn-iii:/ # du -sh *
6.9M bin
14M boot
152K dev
3.1M doc
139M etc
12K home
0 inst
107M lib
4.5M lib64
16K lost+found
8.0K media
4.0K mnt
51M opt
du: cannot access `proc/20159/task/20159/fd/4': No such file or directory
du: cannot access `proc/20159/task/20159/fdinfo/4': No such file or directory
du: cannot access `proc/20159/fd/4': No such file or directory
du: cannot access `proc/20159/fdinfo/4': No such file or directory
0 proc
44K root
4.0K run
7.2M sbin
0 sys
86M tmp
775M usr
67G var ---------- largest folder 

syn-iii:/ # cd var
syn-iii:/var # du -sh *
27M adm
2.0M aua
8.0K awslogsd
576K cache
0 chroot-afc
0 chroot-bind
0 chroot-clientlessvpn
0 chroot-dhcpc
0 chroot-dhcps
0 chroot-ftp
0 chroot-ha_proxy
0 chroot-http
0 chroot-httpd
0 chroot-ident
0 chroot-ipsec
0 chroot-ntp
0 chroot-openvpn
0 chroot-pop3
0 chroot-ppp
0 chroot-pppoe
0 chroot-pptp
0 chroot-pptpc
0 chroot-quagga
0 chroot-restd
0 chroot-reverseproxy
0 chroot-smtp
0 chroot-snmp
0 chroot-snort
0 chroot-socks
0 chroot-xorp
1.4G confd
8.0K cores
4.0K crash
296K epsecd
3.7M geoip
18M lib
4.0K local
8.0K lock
53G log         --------- Very Large Folder
24K log.wb-BUILTIN
2.9M log.wb-*****-******** (Domain Name Redacted)
24K log.wb-SYN-III
3.2M log.winbindd
0 log.winbindd-dc-connect
12K log.winbindd-idmap
0 mail
1.2M mdw
192K notification
3.1M oculusd
4.0K opt
1.1G pattern
184K run
du: cannot access `sec/chroot-ipsec/proc/20359': No such file or directory
du: cannot access `sec/chroot-ipsec/proc/20360': No such file or directory
du: cannot access `sec/chroot-ipsec/proc/20361': No such file or directory
du: cannot access `sec/chroot-ipsec/proc/20362': No such file or directory
du: cannot access `sec/chroot-ipsec/proc/20363/task/20363/fd/4': No such file or directory
du: cannot access `sec/chroot-ipsec/proc/20363/task/20363/fdinfo/4': No such file or directory
du: cannot access `sec/chroot-ipsec/proc/20363/fd/4': No such file or directory
du: cannot access `sec/chroot-ipsec/proc/20363/fdinfo/4': No such file or directory
476M sec
560K spool
12G storage  --------- Large Folder
67M support
8.0K tmp
132K up2date
0 wfe
4.0K X11R6

syn-iii:/var # cd log
syn-iii:/var/log # du -sh *
12M afc
28K afc.log
5.9M aptp
0 aptp.log
27M aua
52K aua.log
6.8M boot
0 boot.log
307M confd
2.4G confd-debug
31M confd-debug.log
244K confd.log
78M dhcpd
156K dhcpd.log
76M endpoint
236K endpoint.log
27M fallback
80K fallback.log
5.9M hotspot
0 hotspot.log
6.1M html5vpn
0 html5vpn.log
35G http
12M httpd
4.0K httpd.log
11M http.log
71M ips
35M ipsec
84K ipsec.log
348K ips.log
6.2M kernel
0 kernel.log
4.0K krb5
56K lastlog
6.1M logging
4.0K logging.log
6.1M login
4.0K login.log
16K lost+found
14M mdw
49M mdw-debug
112K mdw-debug.log
44K mdw.log
6.1M mg-agent
4.0K mg-agent.log
1.3M myIP_**.**.**.** (IP Redacted)
0 myIP_**.**.**.**.log (IP Redacted)
28M named
648K named.log
2.1M nnd
0 nnd.log
7.0M notifier
44K notifier.log
31M openvpn
16K openvpn.log
3.0G packetfilter
24M packetfilter.log
3.8G reporting
7.3G reverseproxy
59M reverseproxy.log
6.1M selfmon
276K selfmon.log
6.1M service_monitor
0 service_monitor.log
41M smtp
212K smtp.log
6.1M sshd
4.0K sshd.log
29M system
172K system.log
2.3M uma
0 uma.log
15M up2date
100K up2date.log
42M user_prefetch
1.1M user_prefetch.log
24M webadmin
0 webadmin.log
4.0K working
496K wtmp
syn-iii:/var/log #

syn-iii:/var # cd storage
syn-iii:/var/storage # du -sh *
16K agent
du: cannot access `chroot-clientlessvpn/proc/20434/task/20434/fd/4': No such file or directory
du: cannot access `chroot-clientlessvpn/proc/20434/task/20434/fdinfo/4': No such file or directory
du: cannot access `chroot-clientlessvpn/proc/20434/fd/4': No such file or directory
du: cannot access `chroot-clientlessvpn/proc/20434/fdinfo/4': No such file or directory
167M chroot-clientlessvpn
3.9M chroot-ftp
7.9G chroot-http    ------ Large Folder 
18M chroot-pop3
102M chroot-reverseproxy
84M chroot-smtp
4.0K cores
16K lost+found
36K pgsql
3.4G pgsql92  ------ Large Folder 
11M samba
syn-iii:/var/storage #

Hopefully the formating holds, sorry for the long post, I wasn't sure what was relevant. 

Nick



This thread was automatically locked due to age.
Parents
  • 0

    Hello

    /var/storage/chroot-http/ ... webadmin  sometimes contain not cleared network dumps from support ...

    Check for big files deeper.

    PGSQL:

    - do you use Mailproxy with UTM?

    - check log-settings (delete logfiles: never?  url logging deep: domain only? ...)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 0 in reply to dirkkotte

    Hi Dirk, 

    Thanks for coming back to me. I looked in to /var/storage/chroot-http, the only folder of any size is httpcache/var which contains 16 folders of around 500MB each, I'm assuming this is the  HTTP Proxy Cache location.

    We don't use the MailProxy, emails are routed to a Barracuda ESG. 

    Log files were set to Never, I have changed this to one year, I had assumed the Log Disk shown on the dashboard was the storage location for log files this is only showing 51% usage of 109GB (appears to be SDA 7) and the Data Disk is only showing 15% of 83GB used (SDA 5?).  We are recording 3 levels of URL  so our log files will bigger than possibly expected.

    After changing the Log Retention I waited and the usage on SDA6 hasn't reduced is the log clean up a daily task or should it happen sooner? 

    Regards, 

    Nick

  • 0 in reply to Nick Page

    ... at midnight ... as i know


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 0 in reply to Nick Page

    Hello Nick,

    Thank you for contacting the Sophos Community!

    If the partition filling-up is /var/storage/chroot-http, try restarting the firewall and see if clears. Most likely it is the /tmp folder under /var/storage/chroot-http/var/tmp that is filling up!

    Also what is the output of df -h

    And you can use this command too du -skx * | sort -n

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to dirkkotte

    Hi Dirk,

    You were right about the midnight execution, sadly though it cleared out SDA7, the logs drive is now down to 19% from 51%. I did some more digging around and finally, I think I found the problem. I ran find / -xdev -type f -size +10M this gave me a list of files larger than 10MB on SDA6 only (if I've understood the command correctly) it showed a large number of files in /var/confd/var/storage/snapshots/ I took a guess these were automatic backs of the config. When I checked the web GUI there were backups going back 3 years. The system is set to retain only the last 10 but there was way more than that in there. So I deleted the backups from 2017 then rechecked the usage of SDA6 and it dropped to 80%. I'm going to clear the remaining old backups and hopefully, this will fix the problem, at very least it will buy me some time. 

    Thank you for taking the time to respond to me. 

    Regards, 

    Nick

    *** Edit *** The files were created during version updates, it appears these are not counted by the auto backup and are therefore not deleted as part of the 10 backups max option. I've cleared out all backups prior to the start of this year and drive usage is now down to 75%. That should hold for a while. 

  • 0 in reply to emmosophos

    Hi Emmanuel,

    df -H shows 

    Filesystem   Size     Used    Avail      Use%     Mounted on
    /dev/sda6     5.6G    4.0G    1.4G       75%        /
    udev             8.4G    103k    8.4G      1%          /dev
    tmpfs            8.4G    54k      8.4G      1%          /dev/shm
    /dev/sda1     348M   17M     309M     5%         /boot
    /dev/sda5     90G      17G     69G      20%       /var/storage
    /dev/sda7    118G     21G     91G      19%       /var/log
    /dev/sda8     4.9G    108M    4.5G      3%        /tmp
    /dev              8.4G     103k    8.4G      1%        /var/storage/chroot-clientlessvpn/dev
    tmpfs            8.4G     0         8.4G        0%       /var/sec/chroot-httpd/dev/shm
    /dev              8.4G    103k     8.4G       1%       /var/sec/chroot-openvpn/dev
    /dev              8.4G    103k     8.4G       1%       /var/sec/chroot-ppp/dev
    /dev              8.4G    103k     8.4G       1%       /var/sec/chroot-pppoe/dev
    /dev              8.4G     103k    8.4G       1%      /var/sec/chroot-pptp/dev
    /dev              8.4G     103k    8.4G       1%      /var/sec/chroot-pptpc/dev
    /dev             8.4G      103k    8.4G       1%      /var/sec/chroot-restd/dev
    tmpfs           8.4G       0         8.4G       0%      /var/storage/chroot-reverseproxy/dev/shm
    /var/storage/chroot-smtp/spool 90G 17G 69G 20% /var/sec/chroot-httpd/var/spx/spool
    /var/storage/chroot-smtp/spx 90G 17G 69G 20% /var/sec/chroot-httpd/var/spx/public/images/spx
    tmpfs           8.4G       62k     8.4G      1%        /var/storage/chroot-smtp/tmp/ram
    tmpfs           8.4G       0         8.4G       0%       /var/storage/chroot-http/tmp
    /var/sec/chroot-afc/var/run/navl 5.6G 4.0G 1.4G 75% /var/storage/chroot-http/var/run/navl
    /etc/nwd.d/route 5.6G 4.0G 1.4G 75% /var/sec/chroot-ipsec/etc/nwd.d/route

    As mentioned below after clearing old config backups I've got the usage down to 75%. Please let me know if there is somewhere else i should be checking. 

    Regards,

    Nick

  • 0 in reply to Nick Page

    Hello Nick,

    Thank you for the follow-up!

    Can you run this command: 

    du -kh -d 2 /var/storage/chroot-http/var/  2> /dev/null | sort -rh | grep tmp

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Hi Emmanuel, 

    I got a single line response of ....

    3.6M    /var/storage/chroot-http/var/tmp

    Is that right ? 

    Regards,

    Nick

  • 0 in reply to Nick Page

    Nick, that shows the root (\) partition at 75%, so you did something to clean that up a bit.  Just curious what you see with:

    du -shx /var/storage/* | sort -rh | head -10

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob, 

    I deleted some backups that were created when updates were installed going back 3 years, gained about 10% disk space. 

    The results of the command are 

    12G /var/storage/chroot-http
    3.4G /var/storage/pgsql92
    167M /var/storage/chroot-clientlessvpn
    102M /var/storage/chroot-reverseproxy
    84M /var/storage/chroot-smtp
    18M /var/storage/chroot-pop3
    11M /var/storage/samba
    3.9M /var/storage/chroot-ftp
    36K /var/storage/pgsql
    16K /var/storage/lost+found

    Regards,

    Nick

  • 0 in reply to Nick Page

    Hello Nick,

    Thank you for the follow-up.

    Yes it is correct.

    I was suspecting maybe the http/tmp folder was not being cleaned, but in your case it seems to be ok. 

    Usually, the /dev/sd6 remains at around 65%, and yes the backups would take a good chunk of this, space. 

    Do you have any pending update under /var/up2date/sys?

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Hi Emmanuel, 

    No updates pending. Current installed version is 9.704-2

    Regards,

    Nick

Reply Children
No Data
Unfiltered HTML