1. Current Situation:
88% of the disk has been used, and the STRM is going to stop receiving logs and flows from its sources. Reports also cannot be generated once disk usage reaches a certain level, about 92%.
[root@strm ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda2 20323232 14568560 4705628 76% /
/dev/sda3 10169544 1970636 7673988 21% /var/log
/dev/sda1 108865 30790 72454 30% /boot
tmpfs 4091188 0 4091188 0% /dev/shm
/dev/sda8 424837936 362963724 31193700 92% /store
/dev/sda5 17263128 177164 16194896 2% /store/tmp
2. All log data are stored at /store/ariel/events folder:
Under the /store/ariel/events folder there are two subdirectories, payloads and records, which store all log data. The payloads are the raw data sent to the STRM; the records are the normalized data stored on the STRM after the raw data has been parsed.
[root@strm events]# ls -l
total 16
drwxr-xr-x 4 root root 4096 Jan 1 00:01 md
drwxr-xr-x 4 root root 4096 Jan 1 00:00 payloads
drwxr-xr-x 4 root root 4096 Jan 1 00:00 records
drwxr-xr-x 4 nobody nobody 4096 Jan 2 01:04 uncompressedCache
In both the payloads and records folders, the logs are stored by year and month.
This is the folder size for each month of 2014 under payloads folder:
3. Tar the folder you want to archive so it can be moved to a remote SSH storage server:
cd /store/ariel/events/payloads/2014
tar -zcvf /store/tmp/2014.1.payload.tar.gz 1
cd /store/ariel/events/records/2014
tar -zcvf /store/tmp/2014.1.records.tar.gz 1
du -hs /store/tmp/2014.1.*.tar.gz
watch du -hs /store/tmp/2014.1.*.tar.gz
4. SCP tar files to remote site
scp /store/tmp/2014.1.*.tar.gz [email protected]:/data/backup/juniper
5. Delete files and folders
rm -rf /store/tmp/2014.1.*.tar.gz
rm -rf /store/ariel/events/payloads/2014/1
rm -rf /store/ariel/events/records/2014/1
6. Verify
[root@strm tmp]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda2 20323232 14562300 4711888 76% /
/dev/sda3 10169544 1999120 7645504 21% /var/log
/dev/sda1 108865 30790 72454 30% /boot
tmpfs 4091188 0 4091188 0% /dev/shm
/dev/sda8 424837936 329588056 73669368 82% /store
/dev/sda5 17263128 658040 15714020 5% /store/tmp
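
Steps 3 to 5 delete the only local copy of the log data, so the archive should be checked before the rm -rf runs. The following is an added example, not part of the original procedure: it writes a SHA-256 sidecar file next to the tarball and removes the month directory only if the checksum and the file count both match. The function names and the .sha256 sidecar file are assumptions of this example.

```shell
#!/bin/sh
# Added example: archive one month directory, verify the tarball,
# and delete the source only when verification succeeds.
# Function names and the ".sha256" sidecar file are assumptions.

# archive_month PARENT_DIR MONTH OUT_TARBALL
# Creates the tarball and a SHA-256 sidecar file beside it.
archive_month() {
    parent=$1; month=$2; out=$3
    tar -zcf "$out" -C "$parent" "$month" || return 1
    ( cd "$(dirname "$out")" &&
      sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# verify_archive PARENT_DIR MONTH OUT_TARBALL
# Succeeds only if the checksum still matches and the archive lists
# as many non-directory entries as the source directory holds.
verify_archive() {
    parent=$1; month=$2; out=$3
    ( cd "$(dirname "$out")" &&
      sha256sum -c "$(basename "$out").sha256" >/dev/null 2>&1 ) || return 1
    src_count=$(cd "$parent" && find "$month" ! -type d | wc -l)
    tar_count=$(tar -tzf "$out" | grep -vc '/$' || true)
    [ "$src_count" -eq "$tar_count" ]
}

# purge_if_verified PARENT_DIR MONTH OUT_TARBALL
# Removes PARENT_DIR/MONTH only after verify_archive passes.
purge_if_verified() {
    if verify_archive "$1" "$2" "$3"; then
        rm -rf "${1:?}/${2:?}"
    else
        echo "verification failed, keeping $1/$2" >&2
        return 1
    fi
}

# Usage with the paths from this page:
#   archive_month /store/ariel/events/records/2014 1 /store/tmp/2014.1.records.tar.gz
#   purge_if_verified /store/ariel/events/records/2014 1 /store/tmp/2014.1.records.tar.gz
```

Copy the .sha256 file to the backup server along with the tarball and run sha256sum -c there before deleting the local tarball in step 5.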