Our Juniper STRM is running out of space after receiving more and more logs from the Check Point management server and Juniper NSM. Since my STRM 500 only has about 400G of storage capacity and there is no way to get budget to upgrade it to a more expensive model, I decided to manually archive some older data off this box. The steps are quite straightforward: find the log folders, tar them, and move them to a remote SSH server.
1. Current Situation:
88% of the disk has been used and it is going to stop receiving logs and flows from sources. Also, reports cannot be generated once the disk reaches a certain level, about 92%.
[root@strm ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda2 20323232 14568560 4705628 76% /
/dev/sda3 10169544 1970636 7673988 21% /var/log
/dev/sda1 108865 30790 72454 30% /boot
tmpfs 4091188 0 4091188 0% /dev/shm
/dev/sda8 424837936 362963724 31193700 92% /store
/dev/sda5 17263128 177164 16194896 2% /store/tmp
2. All log data are stored at /store/ariel/events folder:
Under the /store/ariel/events folder, there are two subdirectories, payloads and records, which store all log data. The payloads folder holds the raw data sent to the STRM, and the records folder holds the normalized data stored on the STRM after the raw data is parsed. In both the payloads and records folders, the logs are stored by year and month.
[root@strm events]# ls -l
total 16
drwxr-xr-x 4 root root 4096 Jan 1 00:01 md
drwxr-xr-x 4 root root 4096 Jan 1 00:00 payloads
drwxr-xr-x 4 root root 4096 Jan 1 00:00 records
drwxr-xr-x 4 nobody nobody 4096 Jan 2 01:04 uncompressedCache
This is the folder size for each month of 2014 under payloads folder:
This is the folder size for each month of 2014 under records folder:
3. Tar the folder which you want to archive and move to remote ssh storage server:
cd /store/ariel/events/payloads/2014
tar -zcvf /store/tmp/2014.1.payload.tar.gz 1
cd /store/ariel/events/records/2014
tar -zcvf /store/tmp/2014.1.records.tar.gz 1
# check the size of the archives written to /store/tmp
du -hs /store/tmp/2014.1.*.tar.gz
watch du -hs /store/tmp/2014.1.*.tar.gz
4. SCP tar files to remote site
scp /store/tmp/2014.1.*.tar.gz root@10.0.0.242:/data/backup/juniper
5. Delete files and folders
rm -rf /store/tmp/2014.1.*.tar.gz
rm -rf /store/ariel/events/payloads/2014/1
rm -rf /store/ariel/events/records/2014/1
6. Verify
[root@strm tmp]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda2 20323232 14562300 4711888 76% /
/dev/sda3 10169544 1999120 7645504 21% /var/log
/dev/sda1 108865 30790 72454 30% /boot
tmpfs 4091188 0 4091188 0% /dev/shm
/dev/sda8 424837936 329588056 73669368 82% /store
/dev/sda5 17263128 658040 15714020 5% /store/tmp
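Steps 3 to 5 delete the original month folder without checking that the archive is complete. The script below is an added example, not part of the original post: it archives one month, verifies the archive, records a checksum, and removes the source only if that checksum still matches. The function names are hypothetical, and it assumes GNU tar, gzip and sha256sum are available on the appliance.

```shell
#!/bin/bash
# Added example: verify an archive before the source data is deleted.

# archive_month SRC_DIR OUT_TAR
#   SRC_DIR  e.g. /store/ariel/events/payloads/2014/1
#   OUT_TAR  e.g. /store/tmp/2014.1.payloads.tar.gz
archive_month() {
    src=$1; out=$2
    [ -d "$src" ] || { echo "missing source: $src" >&2; return 1; }

    # Archive relative to the parent folder, as in step 3.
    tar -zcf "$out" -C "$(dirname "$src")" "$(basename "$src")" || return 1

    # Check 1: the gzip stream is intact.
    gzip -t "$out" || return 1

    # Check 2: the archive lists as many non-directory entries as the source has.
    want=$(find "$src" ! -type d | wc -l)
    got=$(tar -ztf "$out" | grep -v '/$' | wc -l)
    [ "$want" -eq "$got" ] || { echo "entry count mismatch: $want vs $got" >&2; return 1; }

    # Record a checksum next to the archive so the copy can be checked after scp.
    ( cd "$(dirname "$out")" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# remove_source_if_verified SRC_DIR OUT_TAR
# Deletes SRC_DIR only if OUT_TAR still matches its recorded checksum.
remove_source_if_verified() {
    src=$1; out=$2
    ( cd "$(dirname "$out")" && sha256sum -c --status "$(basename "$out").sha256" ) || {
        echo "checksum mismatch, keeping $src" >&2; return 1; }
    rm -rf -- "$src"
}

# Typical order on the STRM (remote host and path as used in step 4):
#   archive_month /store/ariel/events/records/2014/1 /store/tmp/2014.1.records.tar.gz
#   scp /store/tmp/2014.1.records.tar.gz* root@10.0.0.242:/data/backup/juniper
#   ssh root@10.0.0.242 'cd /data/backup/juniper && sha256sum -c 2014.1.records.tar.gz.sha256'
#   remove_source_if_verified /store/ariel/events/records/2014/1 /store/tmp/2014.1.records.tar.gz
```

Run the remote `sha256sum -c` before calling `remove_source_if_verified`, so the source is deleted only after the copy on the backup server is confirmed.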