Yesterday I realized (after checking the backup of one of my gateways was failing) that the /var/log partition was 100% full:
[Expert@vsx1:0]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current 31G 21G 9.0G 70% /
/dev/md0 289M 130M 145M 48% /boot
tmpfs 32G 0 32G 0% /dev/shm
/dev/mapper/vg_splat-lv_log 146G 146G 0 100% /var/log
Surprisingly, it used to have only 20G used more or less out of 146G. Trying to better define the folder and files that are filling the disk, this was the conclusion:
[Expert@vsx1:0]# du -csh /var/log/opt/CPsuite-R80/fw1/CTX/
136G /var/log/opt/CPsuite-R80/fw1/CTX/
136G total
[Expert@vsx1:0]# du -csh //var/log/opt/CPsuite-R80/fw1/CTX/*
653M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00001
290M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00002
238M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00003
112M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00004
135G //var/log/opt/CPsuite-R80/fw1/CTX/CTX00005
240M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00006
48M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00007
136G total
[Expert@vsx1:0]# du -csh //var/log/opt/CPsuite-R80/fw1/CTX/CTX00005/* | grep G
130G //var/log/opt/CPsuite-R80/fw1/CTX/CTX00005/forensics
4.0G //var/log/opt/CPsuite-R80/fw1/CTX/CTX00005/tmp
135G total
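The same narrowing-down, as an added example that is not part of the original post: a POSIX shell helper that follows the largest subdirectory from a starting point until no single child dominates. The function names and the 50% default threshold are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): automate the manual du drill-down.

# Disk usage of one directory in KiB, staying on one filesystem (-x).
dir_kb() {
    du -skx "$1" 2>/dev/null | cut -f1
}

# Print "<KiB> <path>" for the largest immediate subdirectory of $1.
# The ( ... ) body runs in a subshell, so its variables stay local.
# Hidden (dot) directories are not matched by the glob; symlinks are skipped.
largest_child() (
    best_kb=-1
    best_path=
    for sub in "$1"/*/; do
        sub=${sub%/}
        if [ ! -d "$sub" ] || [ -L "$sub" ]; then continue; fi
        kb=$(dir_kb "$sub")
        if [ -n "$kb" ] && [ "$kb" -gt "$best_kb" ]; then
            best_kb=$kb
            best_path=$sub
        fi
    done
    if [ -n "$best_path" ]; then echo "$best_kb $best_path"; fi
)

# drill_down ROOT [MIN_PCT]: keep descending while one subdirectory holds at
# least MIN_PCT percent of its parent. Trace goes to stderr, final path to stdout.
drill_down() (
    dir=$1
    min_pct=${2:-50}
    while :; do
        parent_kb=$(dir_kb "$dir")
        child=$(largest_child "$dir")
        if [ -z "$child" ] || [ -z "$parent_kb" ]; then break; fi
        child_kb=${child%% *}
        child_path=${child#* }
        if [ $((child_kb * 100)) -lt $((parent_kb * min_pct)) ]; then break; fi
        echo "${child_kb}K $child_path" >&2
        dir=$child_path
    done
    echo "$dir"
)

# Run only when called with arguments, e.g.: sh drill.sh /var/log 50
if [ "$#" -gt 0 ]; then drill_down "$@"; fi
```

Started at /var/log on a layout like the one above, it would stop at the directory that holds most of the space instead of requiring one du per level.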
A Check Point engineer suggested checking whether I had the “Packet Capture” option enabled in any Threat Prevention policy. So it was…
And clarified that this behavior is by design. I decided to disable the “Packet capture” and it started to free space immediately.
After some minutes some Gigs have been freed and still…
/dev/mapper/vg_splat-lv_log 146G 106G 33G 77% /var/log
After an hour more or less, again only 20% used.